11-23-2011 10:30 PM - edited 03-11-2019 02:54 PM
Hi experts,
My company uses a pair of 5510 ASAs as the gateway to the Internet. I once configured a policy-map to filter certain webpages (facebook, twitter, ...etc) and they work fine. However, nowadays those websites all support HTTPS. In HTTPS the URL seems encrypted, so I can't do a regex match... Is there any way that I can still block those webpages?
Another two ways I can think of are
1. Block IPs (don't really want to do this unless absolutely necessary)
2. Block DNS for the URL (however they can work around by setting static DNS entries)
Thanks!
Difan
11-23-2011 11:06 PM
You are absolutely correct.
1. Blocking IPs really won't help much since they're not fixed for these kinds of sites.
2. DNS-entry-wise, you can do it if you want to block a few.
Basically Websense is used with the ASA for this kind of filtering: that is, the request gets redirected to the 3rd-party server and, based on policy, the traffic is allowed/denied.
Thanks
Ajay
11-23-2011 11:15 PM
Hello Difan Zhao,
Adding to what Ajay just said, you can also implement the Content Security and Control (CSC) module in the ASA; this module running version 6 is able to block HTTPS sites.
Here is one link you can take a look at:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc4.html#wp1098125
This is another option just in case.
Have a great day,
Julio
11-24-2011 11:34 AM
Hey guys thanks so much for your replies.
Ajay, with Websense, does it filter based on the IPs? Just being curious how it works... Technically, even with Websense it can't look into the HTTPS packets, correct? So I guess Websense just keeps updated IPs for certain websites and filters by IPs?
Julio, I read your link very carefully and I see how CSC filters URLs based on the TLS extension SNI in the client request. I did a Wireshark capture and I see "www.facebook.com" in the extension. I'm wondering: since this is in clear text, maybe the ASA without CSC can still check the specific field in the TLS packet and drop the TLS packet, which in turn destroys the web traffic. I will give it a try.
Thanks!
Difan
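As an added illustration (not code from any poster in this thread), here is a Python parser for the cleartext server_name field of the TLS ClientHello that Difan saw in Wireshark, with a block decision that matches the hostname on label boundaries; the ClientHello bytes and the blocklist are constructed for the demo, and a ClientHello carrying no SNI extension is left alone because there is nothing to match by name.

```python
import struct

BLOCKED = {"facebook.com", "twitter.com"}            # constructed blocklist for the demo

def u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]     # raises struct.error if truncated

def build_client_hello(server_name: str, with_sni: bool = True) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record, not a real capture."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name      # server_name_list
    ext = struct.pack("!HHH", len(sni) + 4, 0, len(sni)) + sni if with_sni else b""
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, random (filler)
            + b"\x00"                                 # session_id length 0
            + b"\x00\x02\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + ext)                                    # extensions block, or none at all
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:    # TLS handshake record, ClientHello
            return None
        hs = record[5:5 + u16(record, 3)]
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + u16(body, pos)                     # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        end, pos = pos + 2 + u16(body, pos), pos + 2
        while pos + 4 <= end:
            ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
            data, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type == 0 and data[2] == 0:        # server_name, host_name type
                return data[5:5 + u16(data, 3)].decode("ascii", "replace")
    except (IndexError, struct.error):                # truncated or malformed record
        pass
    return None

def should_drop(record: bytes, blocked=BLOCKED) -> bool:
    """True if the SNI is a blocked domain or a subdomain of one; no SNI is not dropped."""
    host = extract_sni(record)
    if host is None:
        return False                                  # fail open: nothing to match by name
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))
```

Matching on label boundaries means notfacebook.com is not caught by the facebook.com entry, while WWW.Facebook.com is; the fail-open on a missing SNI is the limit of this approach, since a client that omits the extension shows no name to filter on.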
11-24-2011 11:45 AM
Basically, mirrored traffic is directed to Websense's monitoring card. Network Agent sniffs that traffic, and then sends spoofed packets to block the traffic, while at the same time redirecting the user to a block page hosted on the Websense server.
You can specify an IP address range, a specific host name (www.yourhost.com), it can use regular expressions ([Yy][Oo][Uu][Rr][Hh][Oo][Ss][Tt]\.[Cc][… which will match Yourhost.com, yourHost.com, YoUrHoSt.CoM, or any case of yourhost.com, etc. Finally, it can do a keyword match so that if you request a web site that contains ReallBadSwearWord in any of its content, headers, etc., the page will be blocked. There's probably more that I didn't mention, but Websense does things in a very intelligent manner and gives users control over what they can block. Furthermore, they have already pre-classified sites into different categories (sex, proxy-avoidance, illegal, gambling, etc.) and it lets you recategorize these sites to different categories. So, you can make www.playboy.com appear as a gaming site versus a sex site.
11-24-2011 05:54 PM
Thanks Ajay. Last question. Can the ASA do packet inspection on protocols it doesn't support? For example, you want to drop a packet which contains the ASCII value of "facebook". In this case it doesn't matter if the ASA understands the protocol or not. It drops the packet as long as the packet contains the specified string. Possible?
Thanks!
11-24-2011 11:19 PM
Inspection can only be on for non-default applications. First it should understand the protocol; only then can it open the packet and see the content.
Thanks
Ajay