CCNA Lab - Lọc URL Dùng Websense Express

Lab Lọc URL dùng WebSense Express I. Sơ đồ lab: II. Yêu cầu cấu hình - Sử dụng ASA cho chức năng lọc cc web site theo URL. - Dùng server Websense nằm trong miền DMZ làm máy chủ cơ sở dữ liệu. - Yêu cầu phải có 1 key để kích hoạt phần mềm, các bạn có thể đăng kí một account tai www.websense.com để nhận dược key kích hoạt sử dụng 30 ngày. - Tải Websense Express có dung lượng 115mb tai www.websense.com - Ram tối thiểu là 512mb III. Các bước cài đặt ASA, Websense Cấu hình trên ASA: pixfirewall(config)# show run : Saved : PIX Version 8.0(3) ! hostname pixfirewall enable password 8Ry2YjIyt7RRXU24 encrypted names ! !Cổng outside của ASA xin địa chỉ từ DHCP server interface Ethernet0 nameif outside security-level 0 ip address dhcp ! interface Ethernet1 nameif inside security-level 100 ip address 30.30.30.1 255.255.255.0 ! ! Miền DMZ sẽ có URL server interface Ethernet2 nameif dmz security-level 50 ip address 172.16.0.1 255.255.255.0 ! ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive access-list 101 extended permit ip any any access-list 101 extended permit tcp any any access-list 101 extended permit udp any any access-list 101 extended permit icmp any any echo access-list 101 extended permit icmp any any echo-reply pager lines 24 mtu outside 1500 mtu inside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 30.30.30.0 255.255.255.0 nat (dmz) 1 172.16.0.0 255.255.255.0 route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 url-server (dmz) vendor websense host 172.16.0.2 timeout 30 protocol TCP version 1 connections 5 url-cache dst 100 filter url http 30.30.30.0 255.255.255.0 0.0.0.0 0.0.0.0 no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list url-block url-mempool 2 url-block url-size 2 url-block block 10 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:7e0668be6c8950650ebea44c994879f0 : end - Cài đặt WEBSENSE EXPRESS Cấu hình websense kết hợp firewall cisco để ngăn chặn những request từ network 30.30.30.0/24 đi đến các website www.yahoo.com ; www.ngoisao.net ; www.thanhnien.com.vn 1. Cài đặt cơ bản: a. Chạy file WebsenseExpress10_Setup.exe b. Chọn NEXT c. Bấm NEXT d. Chọn YES, típ tục bấm NEXT e. Chọn NEXT f. Đặt password để quản lý websense g. Chọn Interface dùng để quản lý traffic ,interface này phải nhìn thấy tất cả traffic request đến internet và có khả năng kết nối internet h. Chọn Yes và típ tục bấm NEXT i. Để password trống và típ tục bấm NEXT j. Chọn Yes và típ tục bấm NEXT k. Bấm NEXT l. Bấm NEXT m. Bấm Finish __________________ Đặng Hoàng Khánh, CCNP Email: danghoangkhanh@vnpro.org Y!M: danghoangkhanh0211 --------------------------VnPro - Cisco Authorised Training Discuss about Networking, especially Cisco technology: http://vnpro.org Discuss about Wireless: http://wifipro.org or http://wimaxpro.org danghoangkhanh View Public Profile Send a private message to danghoangkhanh Visit danghoangkhanh's homepage! Find all posts by danghoangkhanh Add danghoangkhanh to Your Contacts #2 05-06-2008 danghoangkhanh Administrator Elite n. Nhập password mới để login websense Join Date: Oct 2005 Location: HCM City Posts: 919 o. Nhập key g. download DATABASE nếu cần 2. Add Url Category Filter 3. Đặt tên là “New”. Chọn OK 4. Chọn Typical 5. Chọn OK 6. Trong URL-Category-Filter -> chọn New-> click chuột chọn EDIT bên phải màn hình -> chọn User-Defined -> đánh dấu chọn Block như hình -> OK 7. Add đường dẫn 3 website www.ngoisao.net ; www.yahoo.com ; www.thanhnien.com.vn bằng cách chọn Custom URLs -> Recategorized -> UserDefined -> click Add URL 8. Thêm networks mà mình muốn quan sát .Trong ví dụ này mình là 30.30.30.0/24. 9. Cấu hình những địa chỉ dùng trong network 30.30.30.0/24 10. Chọn OK 11. Click EDIT phía trên bên phải -> chọn new trong danh sách URL Category Filter như hình vẽ 12. Chọn OK 13. Cuối cùng chọn Save Changes 14. Kiểm tra kết quả . ip từ máy 30.30.30.3 truy cập website bị cấm sẽ xuất hiện thông báo lỗi từ websense server 172.16.0.2 Trên FIREWALL các bạn dùng lệnh “ show url-server statistics” thấy giá trị denied tăng 1 pixfirewall(config)# show url-server statistics Global Statistics: -------------------URLs total/allowed/denied 16/15/1 URLs allowed by cache/server 0/15 URLs denied by cache/server 0/1 HTTPSs total/allowed/denied 0/0/0 HTTPSs allowed by cache/server 0/0 HTTPSs denied by cache/server 0/0 FTPs total/allowed/denied 0/0/0 FTPs allowed by cache/server 0/0 FTPs denied by cache/server 0/0 Requests dropped 4 Server timeouts/retries 0/0 Processed rate average 60s/300s 0/0 requests/second Denied rate average 60s/300s 0/0 requests/second Dropped rate average 60s/300s 0/0 requests/second Server Statistics: -------------------172.16.0.2 UP Vendor websense Port 15868 Requests total/allowed/denied 16/15/1 Server timeouts/retries 0/0 Responses received 16 Response time average 60s/300s 0/0 URL Packets Sent and Received Stats: -----------------------------------Message Sent Received STATUS_REQUEST 1730 1714 LOOKUP_REQUEST 16 16 LOG_REQUEST 0 NA Errors: ------RFC noncompliant GET method 0 URL buffer update failure 0 Kiểm tra kết quả pixfirewall(config)# show url-server statistics Global Statistics: -------------------URLs total/allowed/denied 69/66/3 URLs allowed by cache/server 0/66 URLs denied by cache/server 0/3 HTTPSs total/allowed/denied 0/0/0 HTTPSs allowed by cache/server 0/0 HTTPSs denied by cache/server 0/0 FTPs total/allowed/denied 0/0/0 FTPs allowed by cache/server 0/0 FTPs denied by cache/server 0/0 Requests dropped 0 Server timeouts/retries 0/0 Processed rate average 60s/300s 0/0 requests/second Denied rate average 60s/300s 0/0 requests/second Dropped rate average 60s/300s 0/0 requests/second Server Statistics: -------------------172.16.0.2 UP Vendor websense Port 15868 Requests total/allowed/denied 69/66/3 Server timeouts/retries 0/0 Responses received 69 Response time average 60s/300s 0/0 URL Packets Sent and Received Stats: -----------------------------------Message Sent Received STATUS_REQUEST 322 322 LOOKUP_REQUEST 69 69 LOG_REQUEST 0 NA Errors: ------RFC noncompliant GET method 0 URL buffer update failure 0 pixfirewall(config)# show url-block bl pixfirewall(config)# show url-block block s pixfirewall(config)# show url-block block statistics URL Pending Packet Buffer Stats with max block 10 ----------------------------------------------------Cumulative number of packets held: 0 Maximum number of packets held (per URL): 0 Current number of packets held (global): 0 Packets dropped due to exceeding url-block buffer limit: 0 HTTP server retransmission: 0 Number of packets released back to client: 0 pixfirewall(config)# show url-cache statistics URL Filter Cache Stats ---------------------Size : 100KB Entries : 171 In Use : 0 Lookups : 0 Hits : 0 [...]... Trong URL- Category-Filter -> chọn New-> click chuột chọn EDIT bên phải màn hình -> chọn User-Defined -> đánh dấu chọn Block như hình -> OK 7 Add đường dẫn 3 website www.ngoisao.net ; www.yahoo.com ; www.thanhnien.com.vn bằng cách chọn Custom URLs -> Recategorized -> UserDefined -> click Add URL 8 Thêm networks mà mình muốn quan sát Trong ví dụ này mình là 30.30.30.0/24 9 Cấu hình những địa chỉ dùng. .. phải -> chọn new trong danh sách URL Category Filter như hình vẽ 12 Chọn OK 13 Cuối cùng chọn Save Changes 14 Kiểm tra kết quả ip từ máy 30.30.30.3 truy cập website bị cấm sẽ xuất hiện thông báo lỗi từ websense server 172.16.0.2 Trên FIREWALL các bạn dùng lệnh “ show url- server statistics” thấy giá trị denied tăng 1 pixfirewall(config)# show url- server statistics Global Statistics: -URLs... pixfirewall(config)# show url- block bl pixfirewall(config)# show url- block block s pixfirewall(config)# show url- block block statistics URL Pending Packet Buffer Stats with max block 10 Cumulative number of packets held: 0 Maximum number of packets held (per URL) : 0 Current number of packets held (global): 0 Packets dropped due to exceeding url- block buffer limit: 0 HTTP server... -1 72.16.0.2 UP Vendor websense Port 15868 Requests total/allowed/denied 69/66/3 Server timeouts/retries 0/0 Responses received 69 Response time average 60s/300s 0/0 URL Packets Sent and Received Stats: -Message Sent Received STATUS_REQUEST 322 322 LOOKUP_REQUEST 69 69 LOG_REQUEST 0 NA Errors: RFC noncompliant GET method 0 URL buffer update failure 0 pixfirewall(config)# show url- block... LOOKUP_REQUEST 16 16 LOG_REQUEST 0 NA Errors: RFC noncompliant GET method 0 URL buffer update failure 0 Kiểm tra kết quả pixfirewall(config)# show url- server statistics Global Statistics: -URLs total/allowed/denied 69/66/3 URLs allowed by cache/server 0/66 URLs denied by cache/server 0/3 HTTPSs total/allowed/denied 0/0/0 HTTPSs allowed by cache/server 0/0 HTTPSs denied by cache/server 0/0 FTPs total/allowed/denied... Server Statistics: -1 72.16.0.2 UP Vendor websense Port 15868 Requests total/allowed/denied 16/15/1 Server timeouts/retries 0/0 Responses received 16 Response time average 60s/300s 0/0 URL Packets Sent and Received Stats: -Message Sent Received STATUS_REQUEST 1730 1714 LOOKUP_REQUEST 16 16 LOG_REQUEST 0 NA Errors: RFC noncompliant GET method 0 URL buffer update failure 0... held (global): 0 Packets dropped due to exceeding url- block buffer limit: 0 HTTP server retransmission: 0 Number of packets released back to client: 0 pixfirewall(config)# show url- cache statistics URL Filter Cache Stats -Size : 100KB Entries : 171 In Use : 0 Lookups : 0 Hits : 0 ... các bạn dùng lệnh “ show url- server statistics” thấy giá trị denied tăng 1 pixfirewall(config)# show url- server statistics Global Statistics: -URLs total/allowed/denied 16/15/1 URLs allowed by cache/server 0/15 URLs denied by cache/server 0/1 HTTPSs total/allowed/denied 0/0/0 HTTPSs allowed by cache/server 0/0 HTTPSs denied by cache/server 0/0 FTPs total/allowed/denied 0/0/0 FTPs allowed by cache/server ... timeout threat-detection basic-threat threat-detection statistics access-list url- block url- mempool url- block url- size url- block block 10 ! class-map inspection_default match default-inspection-traffic... FIREWALL bạn dùng lệnh “ show url- server statistics” thấy giá trị denied tăng pixfirewall(config)# show url- server statistics Global Statistics: -URLs total/allowed/denied 16/15/1 URLs allowed... method URL buffer update failure Kiểm tra kết pixfirewall(config)# show url- server statistics Global Statistics: -URLs total/allowed/denied 69/66/3 URLs allowed by cache/server 0/66 URLs