
Filter Web content with Cisco IOS routers

Today, filtering content at many companies isn't just optional; it is a legal requirement and something you have to do to prevent employees from getting into trouble. David Davis explains how Cisco IOS routers can filter Web content with the help of outside services.

To protect your network and end users from malicious or inappropriate Web content, you can use subscription-based Cisco IOS content filtering. This was first integrated into IOS 12.2(15)T and offered through third-party companies, SmartFilter (previously N2H2) and Websense. Just this year, with IOS 12.4(15)XZ and 12.4(20)T, the Cisco IOS now also integrates with Trend Micro's URL Filtering service.

If you want to take advantage of this feature, you should first make sure that your router's IOS supports it. To verify your software image, please see my article covering the Cisco IOS Feature Navigator.

Of course, besides the proper IOS, you must register with one of these third-party companies and obtain their URL filtering service. With Trend Micro's option, you register your router with the Trend Router Provisioning Server (TRPS). Please see the Prerequisites for Cisco Subscription-based IOS Content Filtering for further information.

Why rely on URL filtering?

As network admins, we don't want to spend our time policing users' Web content. For that reason, an Internet filtering service is a convenience. In my case, when I implemented Web filtering services in the past, I was always happy to be able to say to a complaining user, "It's the Web filtering service that said your XYZ site was not allowed."

By implementing URL filtering, you can use these third-party companies to filter out malicious or inappropriate Internet traffic from your end users. Besides just "turning it on," you will also have some control over how this works -- for particular sites and users.

Figure A: Cisco URL filtering (graphic courtesy of Cisco Systems, Subscription-based IOS Content Filtering)

As you can see in Figure A, the end user's URL request interacts with the Trend Router Provisioning Server (TRPS), which will allow or deny access based on the policy that you have set up. When the user types in a URL, the service performs a lookup via your policy. If it is allowed, then the user can continue to the destination; if not, then the user is blocked from that URL address.

Cisco filtering options

  • White lists: (trusted domain names) You can set up specific domain names that you will allow to go through your router. Ex: www.techrepublic.com
  • Black lists: (untrusted domain names) You can also set up domain names that you are not allowing on your router. This feature will also cache this information on your router for your review. Ex: www.badsite.com
  • Blocked keyword lists: You can also set a URL block string or keyword, such as *www.parrot.* or *rockbaby*. In this case, if the router sees the word "rockbaby" anywhere in the URL, it blocks the whole request locally and never sends a lookup to the TRPS server.
  • Cached recent requests: This feature will allow you to save recent requests on your router so there is no need to have them go through the TRPS process each time the user requests it.
  • Packet buffering: This feature lets the router hold URL request and response information while it waits for the look-up process to complete, which keeps your routers from being overloaded with HTTP requests. By default the router buffers up to 200 responses, but you can change that value. Packet buffering also works with the third-party filter servers Websense and SmartFilter.

How do you configure Cisco IOS URL filtering?

To configure Cisco IOS URL filtering, you need to have a good understanding of firewall rules and URL filtering. Once you have your router registered with Trend Micro's system, the summary of steps to configure the new Trend Micro URL Filtering in the Cisco IOS is:

  • Configure Class Maps for Local URL Filtering
  • Configure Class Maps for Trend Micro URL Filtering
  • Configure Parameter Maps for Trend Micro URL Filtering
  • Configure URL Filtering Policies
  • Attach a URL Filtering Policy
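The five steps above, worked through as one complete configuration. This is an added example, not configuration from the article or from Cisco's documentation; it follows the command syntax of the Trend Micro URL filtering feature introduced in IOS 12.4(20)T, but every name (the parameter maps, class maps, policy maps and zones), the domain and keyword patterns, the Trend categories chosen, and the interface names are assumptions to replace with your own. It also shows where the white list, black list and blocked-keyword options from the earlier section land in the configuration.

```cisco
! --- Step 1: class maps for local URL filtering (white list, black list, keywords) ---
! Domain and keyword patterns live in urlf-glob parameter maps; all names are assumptions.
parameter-map type urlf-glob TRUSTED-DOMAINS
 pattern www.techrepublic.com
 pattern *.techrepublic.com
parameter-map type urlf-glob UNTRUSTED-DOMAINS
 pattern www.badsite.com
parameter-map type urlf-glob BLOCKED-KEYWORDS
 pattern rockbaby

class-map type urlfilter match-any TRUSTED-CLASS
 match server-domain urlf-glob TRUSTED-DOMAINS
class-map type urlfilter match-any UNTRUSTED-CLASS
 match server-domain urlf-glob UNTRUSTED-DOMAINS
class-map type urlfilter match-any KEYWORD-CLASS
 match url-keyword urlf-glob BLOCKED-KEYWORDS

! --- Step 2: class map for Trend Micro URL filtering (category and reputation lookups) ---
! Category and reputation names are examples; use the ones your policy needs.
class-map type urlfilter trend match-any TREND-BLOCK-CLASS
 match url category Gambling
 match url reputation ADWARE

! --- Step 3: parameter maps for Trend Micro URL filtering ---
parameter-map type trend-global GLOBAL-PARAM
 server trps.trendmicro.com
 cache-size maximum-memory 128
 cache-entry-lifetime 1
parameter-map type urlfpolicy trend TREND-PARAM
 max-request 1000
 max-resp-pak 200
 block-page message "Access to this site is blocked by policy"
 allow-mode off

! --- Step 4: URL filtering policy: local lists first, then Trend categories ---
policy-map type inspect urlfilter TREND-URLF-POLICY
 parameter type urlfpolicy trend TREND-PARAM
 class type urlfilter TRUSTED-CLASS
  allow
  log
 class type urlfilter UNTRUSTED-CLASS
  reset
  log
 class type urlfilter KEYWORD-CLASS
  reset
  log
 class type urlfilter trend TREND-BLOCK-CLASS
  reset
  log

! --- Step 5: attach the policy to HTTP inspection on a zone pair ---
class-map type inspect match-any HTTP-CLASS
 match protocol http
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect HTTP-CLASS
  inspect
  service-policy urlfilter TREND-URLF-POLICY
 class class-default
  drop

zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE

interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
```

Two settings deserve a second look before you deploy. `max-resp-pak 200` is the packet-buffering value described earlier; raising it lets the router absorb more outstanding look-ups at the cost of memory. `allow-mode off` makes the router fail closed and drop HTTP when the TRPS cannot be reached; `allow-mode on` fails open and lets traffic through unfiltered, which keeps users working during an outage but also means the filter silently stops protecting them, so pair it with monitoring of the `log` actions above. Verify the exact keywords against the configuration guide for your IOS release, since the feature is only available in images that the Cisco IOS Feature Navigator lists as supporting it.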

For samples of the IOS commands and configuration examples of all the third-party URL filtering options, see Cisco's Subscription-based IOS Content Filtering page.

Conclusion

By using the Cisco IOS URL filtering feature, you can easily keep unwanted Internet content from reaching your network. Web content filtering is becoming more of a requirement for businesses of all sizes, both to limit company liability and to maintain employee productivity.

What are you using for content filtering on your network? Are you currently using Cisco's subscription-based feature?


16 comments
BALTHOR

The Internet is just a file in a Government memory bank.

ddavis

I am curious to hear from our readers, what Web Content / URL Filtering solution do you use? I hope you found the article helpful! -David Davis

Mike.Wilder

How do these URL filtering services compare with free services like OpenDNS?

wwizzarrd

I have used TrustPort Internet Gateway for quite some time and I have been absolutely content with it. They call it TrustPort Net Gateway now, see www.trustport.com for details. Don't know why they changed the name... Anyway, the functionality is the important thing. The gateway works not only as a web content filtering engine but also as an anti-spam and anti-virus filter for e-mail communication and anti-virus plus anti-phishing filter for web surfing and downloading. They have some twenty plus categories of web content defined, we are usually blocking warez and spyware categories and it just rocks! It also has a passive mode where you do not block these sites but you log the visits.

a2makarov

For example, we use "SmartFilter" installed on a Windows 2003 ISA server cluster. It's OK to use this kind of filtering for small to medium businesses. When we talk about big companies I think it's not applicable.
1. It does add more load to the router's CPU and memory.
2. It's unmanageable when there are more than 100 routers in your network.
3. It doesn't provide enough reporting.

bobbycornwell

We use the SonicWALL solution. We have over 2500 users and have policies created from AD and we have 64 categories. We also have proxy sites blocked, applications blocked, and the new beta code we are testing gives us our own customized block page. Also- we have no cost per user!!!!! That was our biggest problem with Websense. Also- Trend did not hold up against the SonicWALL solution. We tried it for a month. Too costly to maintain. SonicWALL has everything included at one bundled price... Plus they give you support.

wbaltas

We are using websense, but we are also looking for something else at this time. I find websense far too expensive for what we get. The interface is not as intuitive as it should be so only a couple of us know how to use this product. And have I mentioned the cost? The biggest advantage websense has over similar products is its reporting engine. So far I've looked at barracuda, st bernard, and etechnologies and none of these can beat the websense reports. I'll be evaluating iron port next, and if that fails smartfilter.

nhahajn

We are currently using 7.0, they've made a vast improvement to the admin interface.

mtnman28715

We use a Websense Enterprise server integrated with the ASA 5520.

bearsaxman

I use OpenDNS. It's free and super easy. Configure your DNS server to forward requests to 208.67.222.222 and 208.67.220.220, then set up your account on OpenDNS. Use extended ACLs to block outbound DNS and you're good to go.

! ACL Example
! DNS.SVR.IP.ADD is the poster's placeholder for the internal DNS server's address.
! Only the internal DNS server may talk to the two OpenDNS resolvers on port 53, TCP and UDP.
access-list 110 permit tcp host DNS.SVR.IP.ADD host 208.67.222.222 eq 53
access-list 110 permit udp host DNS.SVR.IP.ADD host 208.67.222.222 eq 53
access-list 110 permit tcp host DNS.SVR.IP.ADD host 208.67.220.220 eq 53
access-list 110 permit udp host DNS.SVR.IP.ADD host 208.67.220.220 eq 53
! Every other DNS query, from any host to any resolver, is dropped so clients cannot bypass OpenDNS.
access-list 110 deny tcp any any eq 53
access-list 110 deny udp any any eq 53
! Added line: without it the ACL's implicit deny would also drop all non-DNS traffic.
access-list 110 permit ip any any
! Apply inbound on the LAN-facing interface with "ip access-group 110 in".

wleichter

As a vendor in the space (I work for Websense) I'll give you our perspective. URL filtering alone has become table-stakes in web security. The established "known" web is well covered by numerous URL databases. The challenge is with more dynamic Web 2.0 sites (where content is constantly changing) and with the millions of new sites that appear daily. That's where you need vendors that invest in advanced technology to automatically categorize content and detect the latest malware threats.

rkavanaugh

We've been using Websense for 2 years. Good product with the flexibility to target certain users for full freedom or no access to the web. It also blocks protocols like IM or iTunes, etc. And believe it or not, with the Express Edition, I finally had a use for one of those old hubs from our storage boxes!

wleichter

I work on the product team at Websense. You mention that our interface is not intuitive - that's true with our v6.x and older. But with v7 we've completely redesigned the interface - all web-based, task-based UI, nice security dashboard. And we've added more reporting capabilities as well. Here's a link if you'd like more info: http://www.websense.com/site/buzzroom/featuredstories/v7Upgrade.html

mtnman28715

This is a great free service and very effective.

wbaltas

No, I didn't know version 7 had released (tell your sales staff to contact their enterprise customers, because someone is not doing his job). I'm just starting my Ironport eval, but I'll look at Websense 7 before I make up my mind. I really like websense reporting and technical support is one of the best I've worked with in recent years. Bill Baltas

wratholix

Efficient for enterprise requirements :) I'll vouch for Websense. Here at our site we really enjoy having migrated to Websense last year and done away with the ISA server setups.
