Networking

Filter Web content with Cisco IOS routers

Today, filtering content at many companies isn't just optional; it is a legal requirement and something you have to do to prevent employees from getting into trouble. David Davis explains how Cisco IOS routers can filter Web content with the help of outside services.

To protect your network and end users from malicious or inappropriate Web content, you can use subscription-based Cisco IOS content filtering. This was first integrated into IOS 12.2(15)T and offered through third-party companies, SmartFilter (previously N2H2) and Websense. Just this year, with IOS 12.4(15)XZ and 12.4(20)T, the Cisco IOS now also integrates with Trend Micro's URL Filtering service.

If you want to take advantage of this feature, you should first make sure that your router's IOS supports it. To verify your software image, please see my article covering the Cisco IOS Feature Navigator.

Of course, besides the proper IOS, you must register with one of these third-party companies and obtain their URL filtering service. With Trend Micro's option, you register your router with the Trend Router Provisioning Server (TRPS). Please see the Prerequisites for Cisco Subscription-based IOS Content Filtering for further information.

Why rely on URL filtering?

As network admins, we don't want to spend our time policing users' Web content. For that reason, an Internet filtering service is a convenience. In my case, when I implemented Web filtering services in the past, I was always happy to be able to say to a complaining user, "It's the Web filtering service that said your XYZ site was not allowed."

By implementing URL filtering, you can use these third-party companies to filter out malicious or inappropriate Internet traffic from your end users. Besides just "turning it on," you will also have some control over how this works — for particular sites and users.

Figure A

Cisco URL filtering

Graphic courtesy of Cisco Systems Subscription-based IOS Content Filtering
As you can see in Figure A, the end user's URL request interacts with the Trend Router Provisioning Server (TRPS), which will allow or deny access based on the policy that you have set up. When the user types in a URL, the service performs a lookup via your policy. If it is allowed, then the user can continue to the destination; if not, then the user is blocked from that URL address.

Cisco filtering options

  • White lists: (trusted domain names) You can set up specific domain names that you will allow to go through your router. Ex: www.techrepublic.com
  • Black lists: (untrusted domain names) You can also set up domain names that you are not allowing on your router. This feature will also cache this information on your router for your review. Ex: www.badsite.com
  • Blocked keyword lists: You can also set a URL block string or keyword, such as *www.parrot.* or *rockbaby* In this case, if it sees the word "rockbaby," it will block the whole address and not even go to the TRPS server.
  • Cached recent requests: This feature will allow you to save recent requests on your router so there is no need to have them go through the TRPS process each time the user requests it.
  • Packet buffering: This feature allows you the ability to store URL information while waiting for the look-up process to complete. This is a great feature to keep your routers from being overloaded with HTTP requests. Although the response default is 200, you can change it. This feature also allows third-party filter servers like Websense and SmartFilter.

How do you configure Cisco IOS URL filtering?

To configure Cisco IOS URL filtering, you need to have a good understanding of firewall rules and URL filtering. Once you have your router registered with Trend Micro's system, the summary of steps to configure the new Trend Micro URL Filtering in the Cisco IOS is:

  • Configure Class Maps for Local URL Filtering
  • Configure Class Maps for Trend Micro URL Filtering
  • Configure Parameter Maps for Trend Micro URL Filtering
  • Configure URL Filtering Policies
  • Attach a URL Filtering Policy

For samples of the IOS commands and configuration examples of all the third-party URL filtering options, see Cisco's Subscription-based IOS Content Filtering page.

Conclusion

By using the Cisco IOS Filter Internet URL filtering feature, you can easily keep unwanted Internet content requests from coming into your network. Web content filtering is becoming more of a requirement for businesses of all sizes in order to protect company liability and to maintain employee productivity.

What are you using for content filtering on your network? Are you currently using Cisco's subscription-based feature?

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

Editor's Picks

Free Newsletters, In your Inbox