Posts tagged block facebook

Block Facebook using Juniper SRX

Jul 13th

Posted by rsivanandan in Access-Control

2 comments

Continuation to the last post of MPF on Cisco ASA series, Juniper’s nextGen firewalls (SRX series that run JunOS software) can also be used for blocking unwanted sites. While SRX supports integration to SurfControl/WebSense etc, this post is more focused on the inbuilt capabilities just like what Cisco’s ASA had.

UTM feature (Unified Threat Management) is integrated into SRX devices. So in order to block a site(s);

1. First create a custom block lists to contain the websites that you want to block.

custom-objects {
    url-pattern {
            badsite {
                    value www.facebook.com;
            }
            addictivesite {
                            value www.twitter.com;
            }
}
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite ];
        }
    }
}

As you can see, the custom URL category block list above contains the site ‘www.facebook.com’ and ‘www.twitter.com’ and based on the preferences time-eating sites like facebook/twitter/myspace etc can be used in here. Again, the advantage is that it doesn’t deal with ip addresses and hence very effective how many ever servers are hosted around the world.

2. Then create a web filtering policy to allow the traffic after screening the type/site to which the traffic is going to, as below;

policies {
    from-zone trust to-zone untrust {
        policy utm {
                match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
        then {
                permit {
                    application-services {
                                            utm-policy wf-block-specfic-categories;
                                        }
                        }
                    }
                }
            }
        }
utm {
    feature-profile {
        web-filtering {
            url-blacklist bad-sites; #This causes sites in the bad-sites category to be blocked

utm-policy wf-block-specfic-categories {
    web-filtering {
        http-profile block-selected-sites;
                }
        }
}

Along with this, SRX also supports usage of ‘Custom Block Messages’ and also make this time bound. Say if you don’t want to block it completely but just block it during business hours that is possible too by scheduling policies.

,

Modular Policy Framework (ASA)

Jul 5th

Posted by rsivanandan in Cisco

No comments

Productivity increase by blocking non-project related sites is one of the myth that I’ve seen a lot on various online forums and as well there are always counter research data as to this has nothing to do with ‘increase in productivity’. I guess, I kinda agree too (Well, I know one of the leading IT companies who doesn’t give computers with internet access to any employee and only the lead/manager has it, that too restricted).

So putting aside the arguments, one of the issues with blocking outgoing connections based on IP has always failed (imagine the cloud of servers, if you were to block say yahoo mail). Now the Modular Policy Framework does support regex checking in the URL header to see which site it is going and block it, if you’d like to.

Here is the Cisco article describing the MPF in details {Here}

 

Now how do you block say access to facebook or myspace, from being utilized by your employees?? Pete has a good write-up on it and hence I’m not going to write it again here.

In short the configuration you need is; Thanks to Pete for providing such a detailed write-up.

 

On the Global Policy
————————————————-

regex domainlist1 "facebook.com"
class-map type regex match-any DomainBlockList 
  match regex domainlist1 
class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
policy-map type inspect http http_inspection_policy 
class BlockDomainsClass
  reset log
policy-map global_policy
  class inspection_default
  inspect http http_inspection_policy
service-policy global_policy global
———————————————-

With its own policy

———————————————–
regex BLOCKED_DOMAIN_1 "www.facebook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
  match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
  match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
  parameters
  class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
  inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside

, ,