- Many enterprises are beginning to concern themselves with the use of the corporate Internet connection by their employees. - One of the newer features being required of firewalls is the capability of filtering the content that passes through them. - This filtering typically is defined as URL filtering, whereby the firewall is used either by itself or in conjunction with another appliance or software suite to control which websites users are allowed to visit. - However, given that web content can range from the simple to the complex, firewalls typically offload the detailed evaluation and decision making to other devices, which is an excellent example of the limitations of a firewall being a selfcontained contentfiltering device. - Rather, the firewall becomes a control point where the decision made by the evaluation device (whether it is a content engine or a filtering software suite) is applied to user traffic.. - timeconsuming process for both the implementation and maintenance of the URL list.. - Additionally, because ACLs are typically stored in a flat file format, the firewall can be subjected to latency in permitting or denying traffic while a large ACL is being. - The second method is to utilize a thirdparty contentfiltering application running on a separate server from the firewall or on a content engine that is separate from the firewall to handle the actual building, maintaining, and configuring of the URL filter list. - As previously mentioned, this allows the firewall to offload the processing and evaluation of traffic to the contentfiltering device, which enables the firewall to do what it does best, to serve as a control point for traffic, blocking content as defined by the contentfiltering device. - connection to one of these sites, the firewall blocks the connection. - Thus a specialized devicefor example, a content engine or a contentfiltering serverperforms all the processing of the traffic, which in turn allows the firewall to just provide the necessary enforcement by either permitting or denying the traffic as. - To configure the PIX to enforce URL filtering, the administrator needs to first configure the PIX to work with the URLfiltering software suite by configuring the PIX with the IP address of the filtering server. - After you have identified the filtering server and defined how the firewall should connect to the filtering server, the next step is to configure the PIX firewall to actually filter URL. - In this case, the PIX firewall will filter all traffic that passes through the firewall. - You can also configure the firewall to filter only specific subnets. - When the PIX sees the outbound connection, it does not allow the return traffic from the web server back to the client until it has received a response from the URLfiltering server. - When the filtering server approves the connection, the PIX allows the connection to complete back to the client. - If the filtering server denies the request, the user is. - The following is a description of the process in Figure 14-1:. - The client sends the initial connection to the web server, which replies back as expected. - At the same time, the firewall connects to the filtering server using connection 2 to query the filtering server about whether the traffic should be permitted.. - The filtering server replies to the firewall with whether the traffic should be permitted or denied.. - If the filtering server approves the URL, it notifies the PIX firewall, and the. - If the filtering server denies the URL, it notified the PIX firewall, and the firewall drops the return traffic, preventing it from reaching the client.. - One of the biggest problems with URL filtering is the maintenance required of the URL database. - To help network administrators maintain their URL filters and keep them as up- to-date as possible, many vendors turn to a subscription service whereby the filtering server at the client site connects to a web server at the vendor's location and downloads a database of URLs with default settings associated with each URL. - In some cases, this reliance can lead to the blocking of legitimate websites that would not necessarily fall into the category of inappropriate during business hours or as a waste of employee time.. - Many of the more powerful URL-filtering software systems such as WebSense and N2H2 provide detailed reports of which user went to a particular URL or set of URLs
Xem thử không khả dụng, vui lòng xem tại trang nguồn hoặc xem
Tóm tắt