Lab: URL Filtering with WebSense Express
I. Lab topology:
II. Configuration requirements
- Use the ASA to filter web sites by URL.
- Use a Websense server located in the DMZ as the database server.
- A key is required to activate the software; you can register an account at www.websense.com to receive an activation key valid for 30 days.
- Download Websense Express (115 MB) from www.websense.com
- Minimum RAM: 512 MB
III. Installation steps for the ASA and Websense
Configuration on the ASA:
pixfirewall(config)# show run
: Saved
:
PIX Version 8.0(3)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
! The ASA outside interface obtains its address from a DHCP server
interface Ethernet0
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet1
nameif inside
security-level 100
ip address 30.30.30.1 255.255.255.0
!
! The DMZ hosts the URL server
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
!
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
url-server (dmz) vendor websense host 172.16.0.2 timeout 30 protocol TCP version 1 connections 5
url-cache dst 100
filter url http 30.30.30.0 255.255.255.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
url-block url-mempool 2
url-block url-size 2
url-block block 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e0668be6c8950650ebea44c994879f0
: end
- Installing WEBSENSE EXPRESS
Configure Websense together with the Cisco firewall to block requests from network 30.30.30.0/24 to the web sites www.yahoo.com; www.ngoisao.net; www.thanhnien.com.vn
1. Basic installation:
a. Run the file WebsenseExpress10_Setup.exe
b. Select NEXT
c. Click NEXT
d. Select YES, then click NEXT
e. Select NEXT
f. Set a password for managing Websense
g. Select the interface used to manage traffic; this interface must be able to see all request traffic going to the Internet and must be able to reach the Internet
h. Select Yes, then click NEXT
i. Leave the password blank, then click NEXT
j. Select Yes, then click NEXT
k. Click NEXT
l. Click NEXT
m. Click Finish
__________________
Đặng Hoàng Khánh, CCNP
Email: danghoangkhanh@vnpro.org
Y!M: danghoangkhanh0211
--------------------------
VnPro - Cisco Authorised Training
Discuss about Networking, especially Cisco technology: http://vnpro.org
Discuss about Wireless: http://wifipro.org or http://wimaxpro.org
#2
05-06-2008
danghoangkhanh
n. Enter a new password to log in to Websense
o. Enter the key
p. Download the DATABASE if needed
2. Add a URL Category Filter
3. Name it "New". Select OK
4. Select Typical
5. Select OK
6. In URL-Category-Filter -> select New -> click EDIT on the right side of the screen -> select User-Defined -> tick Block as shown in the figure -> OK
7. Add the URLs of the 3 web sites www.ngoisao.net; www.yahoo.com; www.thanhnien.com.vn by selecting Custom URLs -> Recategorized -> User-Defined -> click Add URL
8. Add the networks you want to monitor. In this example it is 30.30.30.0/24.
9. Configure the addresses used in network 30.30.30.0/24
10. Select OK
11. Click EDIT at the top right -> select new in the URL Category Filter list as shown in the figure
12. Select OK
13. Finally, select Save Changes
14. Check the result. When the host 30.30.30.3 accesses a blocked web site, an error message from the Websense server 172.16.0.2 appears
On the FIREWALL, run the command "show url-server statistics"; the denied value has increased by 1
pixfirewall(config)# show url-server statistics
Global Statistics:
-------------------
URLs total/allowed/denied 16/15/1
URLs allowed by cache/server 0/15
URLs denied by cache/server 0/1
HTTPSs total/allowed/denied 0/0/0
HTTPSs allowed by cache/server 0/0
HTTPSs denied by cache/server 0/0
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 4
Server timeouts/retries 0/0
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second
Server Statistics:
-------------------
172.16.0.2 UP
Vendor websense
Port 15868
Requests total/allowed/denied 16/15/1
Server timeouts/retries 0/0
Responses received 16
Response time average 60s/300s 0/0
URL Packets Sent and Received Stats:
-----------------------------------
Message Sent Received
STATUS_REQUEST 1730 1714
LOOKUP_REQUEST 16 16
LOG_REQUEST 0 NA
Errors:
------
RFC noncompliant GET method 0
URL buffer update failure 0
Check the results
pixfirewall(config)# show url-server statistics
Global Statistics:
-------------------
URLs total/allowed/denied 69/66/3
URLs allowed by cache/server 0/66
URLs denied by cache/server 0/3
HTTPSs total/allowed/denied 0/0/0
HTTPSs allowed by cache/server 0/0
HTTPSs denied by cache/server 0/0
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 0
Server timeouts/retries 0/0
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second
Server Statistics:
-------------------
172.16.0.2 UP
Vendor websense
Port 15868
Requests total/allowed/denied 69/66/3
Server timeouts/retries 0/0
Responses received 69
Response time average 60s/300s 0/0
URL Packets Sent and Received Stats:
-----------------------------------
Message Sent Received
STATUS_REQUEST 322 322
LOOKUP_REQUEST 69 69
LOG_REQUEST 0 NA
Errors:
------
RFC noncompliant GET method 0
URL buffer update failure 0
pixfirewall(config)# show url-block bl
pixfirewall(config)# show url-block block s
pixfirewall(config)# show url-block block statistics
URL Pending Packet Buffer Stats with max block 10
----------------------------------------------------
Cumulative number of packets held: 0
Maximum number of packets held (per URL): 0
Current number of packets held (global): 0
Packets dropped due to
exceeding url-block buffer limit: 0
HTTP server retransmission: 0
Number of packets released back to client: 0
pixfirewall(config)# show url-cache statistics
URL Filter Cache Stats
---------------------
Size : 100KB
Entries : 171
In Use : 0
Lookups : 0
Hits : 0
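Step 14 verifies filtering by comparing the counters of "show url-server statistics" around a test request. The Python sketch below is an added example, not part of the original lab; it parses the key lines of the two outputs shown above and assumes the counters are cumulative, so a counter that goes down (Requests dropped goes from 4 to 0 between the lab's two outputs) is reported as a reset instead of a negative delta. The names parse_stats and check are illustrative.

```python
import re

# Constructed samples: key lines from the lab's two outputs of
# "show url-server statistics" (first check, then the later re-check).
FIRST = """URLs total/allowed/denied 16/15/1
Requests dropped 4
Server timeouts/retries 0/0
172.16.0.2 UP
"""
SECOND = """URLs total/allowed/denied 69/66/3
Requests dropped 0
Server timeouts/retries 0/0
172.16.0.2 UP
"""
KEYS = ("total", "allowed", "denied", "dropped", "timeouts")

def parse_stats(text):
    """Pull the global counters and per-server state out of the CLI output."""
    def nums(label):
        # First match wins, so the global section is read before per-server lines.
        m = re.search(rf"^{re.escape(label)}\s+([\d/]+)\s*$", text, re.M)
        if m is None:
            raise ValueError(f"missing line: {label}")
        return [int(n) for n in m.group(1).split("/")]
    total, allowed, denied = nums("URLs total/allowed/denied")
    stats = dict(zip(KEYS, (total, allowed, denied,
                            nums("Requests dropped")[0],
                            nums("Server timeouts/retries")[0])))
    # Lines of the form "<ipv4> <state>" describe each configured url-server.
    stats["servers"] = dict(
        re.findall(r"^(\d+(?:\.\d+){3})\s+(\S+)\s*$", text, re.M))
    return stats

def check(before, after):
    """Return (delta, findings) for two snapshots taken around a test request."""
    # Assumption: counters only grow, so any decrease means they were cleared.
    reset = any(after[k] < before[k] for k in KEYS)
    delta = {k: after[k] - (0 if reset else before[k]) for k in KEYS}
    findings = []
    if reset:
        findings.append("counters reset between snapshots")
    if delta["denied"] == 0:
        findings.append("denied did not increase: test URL was not blocked")
    if delta["dropped"] or delta["timeouts"]:
        findings.append("lookups dropped or timed out")
    findings += [f"url-server {ip} is {state}"
                 for ip, state in after["servers"].items() if state != "UP"]
    return delta, findings
```
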