Configuration Guide: Web Filtering For Branch SRX Series And J Series Configuring Web Filtering on Branch SRX Series Services Gateways and J Series Services Routers. IntroductionWeb filtering or URL filtering, is an established part of any unified threat management (UTM) suite and has been available on firewalls for many years. Although the introduction of Web 2.0 has created new security requirements, URL filtering remains an integral part of any security strategy. In some respects, Web filtering acts as a first line of defense. If a website is a known source of malware, what can be easier than simply blocking access to that site? Additionally, URL filtering provides an easy way to enforce enterprise business policy. ScopeJuniper Networks® Junos® operating system release 9.5 adds UTM support for Juniper Networks J Series Services Routers and select Juniper Networks SRX Series Services Gateways. Web filtering—one of several features including antivirus, anti-spam, and content filtering that make up Juniper Networks UTM suite—provides the ability to permit or deny access to specific URLs individually or based on the category to which they belong. Two different modes of operation are explained first—SurfControl integrated option and Websense redirect feature—and then several configuration examples are provided. Design ConsiderationsWhen deciding to deploy Web filtering, network designers should consider the performance impact of value-added security. Specific product guidelines can be found on J Series Services Routers and SRX Series Services Gateways datasheets. Supported HardwareSoftware RequirementsJunos OS release 9.5 or later Description and Deployment ScenarioThe Juniper Web filtering solution is available in two flavors—an integrated solution that queries an in-the-cloud SurfControl database or a redirect solution that requires a locally managed Websense server. By reading this application note, readers will be able to choose which method best meets their needs and be able to easily configure Web filtering on SRX Series Services Gateways or J Series Services Routers. SurfControl Integrated Web FilteringThe first and most common Web filtering method is to use the in-the-cloud SurfControl server, which stores a database of categories and associated URLs. The SurfControl integrated option requires the purchase of a Juniper Web filtering license. Every time a user tries to access a site, the Juniper gateway (J Series or SRX Series) captures the requested URL and queries the SurfControl database. The server responds with the site’s category, which is then used by a Web filtering policy on the gateway to allow or deny access.
The SurfControl database features:
The current SurfControl server uses the following categories:
After the request returns a category and the gateway policy is evaluated, the SRX Series device for the branch or
J Series router generates a log message indicating the action taken based on the returned category and configured policy. This message can either be locally stored and/or sent to a remote system log server or log collector (like Juniper Networks STRM Series Security Threat Response Managers).
Websense Redirect Web FilteringA second approach is to use the Websense redirect feature. The redirect option does not require a separate Juniper license, but utilizes a local database, which must be purchased separately from Websense. As opposed to querying the SurfControl-hosted server, the services router redirects the URL to the local Websense server, which contains both the category database and the Web filtering policies. The Websense server then compares the URL against its database and returns the result according to its configured policy. The response is then forwarded to the SRX Series device or J Series router, indicating whether the URL is allowed or denied.
The Websense redirect server features:
This solution has the advantage of minimizing processing delays (since the database is locally stored), but requires: The purchase of Websense software and subscription license to keep the database current
Additionally, HTTPS URLs cannot be filtered, since the URL cannot be extracted. White and Black ListsAdministrators can also configure custom URL categories, which can be included in black and white lists that are evaluated on the gateway. All URLs for each category in a black list are denied, while all URLs for each category in a white list are permitted. The processing order is as follows:
Custom categories can also be used as part of the SurfControl integrated solution. In this case, custom categories are added to the gateway policies exactly as predefined categories are added. LicensingAs previously discussed, a license is required to enable the SurfControl integrated solution, but is not required to enable the Websense redirect solution. The installed licenses in a device can be displayed with the “show system license” command.
ConfigurationWeb filtering is part of the UTM feature set. Security policies act as the central reference point for all the traffic forwarded by the gateway. A security policy is used to associate a UTM policy with certain traffic. The UTM policy specifies which Web filtering policy the gateway should use to filter users’ HTTP requests.
In other words, a security policy specifies a UTM policy, which then specifies a Web filtering profile. The reason for the double level of indirection is that the UTM policy controls not only which profile is used for Web filtering, but also other UTM profiles such as antivirus, content filtering, and anti-spam. security { The Web filtering profiles are configured under the [security utm feature-profiles] hierarchy as shown in the following: security { Custom categories are configured under the [security utm custom-objects] hierarchy as shown in the following example. Requests belonging to a user-defined category do not trigger a query to the SurfControl server. security { URL patterns are compared with the requested URL using string comparison. A URL like www.vds.com will match any request to www.vds.com/solutions.aspx or www.juniper.net/products.aspx. A URL can also be more specific, so a URL pattern like www.vds.com/products will match a request to www.vds.com/products/juniper-networks.aspx, but not to www.vds.com. Configuration ExamplesThe following examples illustrate how some of the discussed features are configured. The examples assume that interfaces (with IP addresses), zones, and routing are already configured. Please refer to standard Juniper documentation should you have questions about initial configuration. SurfControl IntegratedFor the network shown in Figure 4, assume that the integrated SurfControl method is chosen and the following categories are to be blocked:
The SurfControl integrated feature is subsequently enabled by creating a Web filtering profile with a default permit action that blocks the categories previously listed. security { Custom Block ListsCustom block lists are now added to the example configuration. Corporate IT has decided that employees are spending too much time on www.badsite.com and www.addictivesite.com and wants to block access to these sites. custom-objects { This category is then used as the black list in a Web filtering policy, which in this case is the policy that was created in the previous example policies { Adding Custom Block MessagesAdministrators can also configure custom messages when sites are blocked. Building on the previous example, the Web filtering profile will be changed so that when a site is blocked the message “The site requested is not a work-related site. Go back to work!” is sent to users. policies { Scheduling PoliciesThe previously configured policies will now be used to block traffic to certain sites, but only during business hours. To create such a schedule, two security policies will be configured—one with Web filtering enabled and the other one without. The “block” policy, when active, will take precedence (by being first in the list) over the “allow” policy and will be enabled only during business hours. security { Websense RedirectThe redirect solution simply requires configuration to redirect traffic to the Websense server. Web filtering policy is configured on the Websense server, not on the SRX Series device or the J Series router, and is not discussed in this application note. policies { The sockets parameter configures how many simultaneous connections (for redundancy and load-balancing purposes) the Junos OS-based gateway can establish with the Websense server. policies { MonitoringBoth the integrated and the redirect solutions provide a command, which displays the number of requests received and the resulting action. show security utm web-filtering statistics ScalabilityThe following are the maximum platform-independent configuration limits for customer categories, white lists and black lists: Table 2: Platform-Independent Scalability Numbers
SummaryThe Web filtering feature introduced in Junos OS 9.5 for SRX Series Services Gateways and J Series Services Routers provide a simple way to permit or deny access to URLs based on easy-to-manage lists or predefined categories. Although this has been a common firewall feature for many years, it still remains an integral part of any security strategy by acting as a first line of defense. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
