Cisco Content Security and Control SSM Administrator Guide Version 6.6
Configuring Web (HTTP) and File Transfer (FTP) Traffic
Configuring Web (HTTP/HTTPS) and File Transfer (FTP) Traffic


This chapter describes how to make HTTP/HTTPS and FTP traffic configuration updates, and includes the following sections:

Default Web and FTP Scanning Settings

Downloading Large Files

Spyware and Grayware Detection and Cleaning

Scanning Webmail

File Blocking

URL Blocking

URL Filtering

Web Reputation

URL Blocking and Filtering Policies for Users/Groups

Default Web and FTP Scanning Settings

After installation, your HTTP and FTP traffic is scanned by default for viruses, worms, and Trojans. Malware such as spyware and other grayware requires a configuration change before it is detected. If you have a Plus License, you can block or allow URLs classified as phishing sites during work or leisure time.


Note Some categories, such as pornography, are blocked by default. Customers should review the categories blocked by default and make the appropriate adjustments. With a Plus License for URL filtering and blocking, URLs can be blocked with global policies, user/group policies, or both.


Table 4-1 summarizes the web and file transfer configuration settings, and the default values that are in effect after installation.

Table 4-1 Default Web and FTP Scanning Settings

| Feature | Default Setting |
|---|---|
| HTTP scanning of file downloads | Enabled using All Scannable Files as the scanning method. |
| Webmail scanning | Configured to scan Webmail sites for Yahoo, AOL, MSN Hotmail, and Google. |
| File transfer (FTP) scanning of file transfers | Enabled using All Scannable Files as the scanning method. |
| HTTP compressed file handling for downloading from the web. File transfer (FTP) compressed file handling for file transfers from an FTP server. | Configured to skip scanning of compressed files when one of the following is true: decompressed file count is greater than 500; decompressed file size exceeds 30 MB; number of compression layers exceeds three; decompressed/compressed file size ratio is greater than 100 to 1. |
| HTTP and file transfer (FTP) large file handling (no scanning of files larger than a specified size). Enabled deferred scanning of files larger than a specified size. | Configured to skip scanning of files larger than 50 MB. Configured to enable deferred scanning of files larger than 2 MB. |
| HTTP downloads and file transfers (FTP) for files in which malware is detected | Clean the downloaded file or file in which the malware was detected. If uncleanable, delete the file. |
| HTTP downloads and file transfers (FTP) for files in which spyware or grayware is detected | Files are deleted. |
| HTTP downloads when malware is detected | A notification is inserted in the browser, stating that Trend Micro InterScan for CSC SSM has scanned the file you are attempting to transfer, and has detected a security risk. |
| File transfers (FTP) notification | The FTP reply has been received. |


These default settings give you some protection for your web and FTP traffic after you install CSC SSM. You may change these settings. For example, you may want to scan by the "Specified file extensions" option instead of by the "All Scannable Files" option for malware detection. Before making changes, review the online help for more information about these selections.

After installation, you may want to update additional configuration settings to obtain the maximum protection for your web and FTP traffic. You must configure these additional features if you purchased the Plus License, which entitles you to receive web reputation, URL blocking, and URL filtering functionality (for both global and user/group policies).
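The compressed-file defaults in Table 4-1 decide which archives pass through unscanned, so it is useful to be able to check a given archive against them. The following is an added example, not Cisco or Trend Micro code: it handles ZIP only, and the way it counts files, layers, and sizes (leaf files only, outermost archive as layer 1, sizes as declared in the ZIP metadata) is an assumption about how the limits are measured. The sample archives are constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass

# Default limits listed in Table 4-1 of this chapter.
MAX_FILES = 500
MAX_DECOMPRESSED_BYTES = 30 * 1024 * 1024   # 30 MB
MAX_LAYERS = 3
MAX_RATIO = 100                              # decompressed : compressed


@dataclass
class ArchiveStats:
    files: int = 0
    decompressed_bytes: int = 0
    layers: int = 0


def _over(stats):
    """True once a count, size, or layer limit is already exceeded."""
    return (stats.files > MAX_FILES
            or stats.decompressed_bytes > MAX_DECOMPRESSED_BYTES
            or stats.layers > MAX_LAYERS)


def _walk(data, depth, stats):
    """Accumulate totals from ZIP metadata, descending into nested ZIPs."""
    stats.layers = max(stats.layers, depth)
    if depth > MAX_LAYERS:
        return                               # never open a layer past the limit
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if _over(stats):
                return                       # stop early; the audit stays bounded
            if info.is_dir():
                continue
            fits = stats.decompressed_bytes + info.file_size <= MAX_DECOMPRESSED_BYTES
            if info.filename.lower().endswith(".zip") and fits:
                inner = zf.read(info)        # bounded by the declared size checked above
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    _walk(inner, depth + 1, stats)
                    continue                 # assumption: the container is not a leaf file
            stats.files += 1
            stats.decompressed_bytes += info.file_size


def skip_reasons(data):
    """Return the Table 4-1 limits this archive exceeds (empty list: it is scanned)."""
    stats = ArchiveStats()
    _walk(data, 1, stats)
    reasons = []
    if stats.files > MAX_FILES:
        reasons.append("file count")
    if stats.decompressed_bytes > MAX_DECOMPRESSED_BYTES:
        reasons.append("decompressed size")
    if stats.layers > MAX_LAYERS:
        reasons.append("compression layers")
    if stats.decompressed_bytes > MAX_RATIO * len(data):
        reasons.append("compression ratio")
    return reasons


def make_zip(members, stored=False):
    """Build a constructed sample archive in memory."""
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(data, times):
    """Wrap an archive inside `times` further ZIP layers."""
    for _ in range(times):
        data = make_zip({"inner.zip": data}, stored=True)
    return data


if __name__ == "__main__":
    leaf = make_zip({"payload.txt": b"data"})
    samples = {
        "ordinary": make_zip({"a.txt": b"hello", "b.txt": b"world"}),
        "highly compressible": make_zip({"zeros.bin": bytes(5 * 1024 * 1024)}),
        "501 members": make_zip({f"f{i}.txt": b"x" for i in range(501)}, stored=True),
        "four layers": nest(leaf, 3),
    }
    for label, blob in samples.items():
        print(f"{label}: {skip_reasons(blob) or 'scanned'}")
```

Any archive for which `skip_reasons` returns a non-empty list would be delivered without a scan under the default settings, which is the case to weigh when deciding whether to tighten them.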

Downloading Large Files

The Target tabs on the HTTP Scanning and FTP Scanning windows allow you to define the size of the largest download you want scanned. For example, you might specify that a download smaller than 20 MB is scanned, but a download larger than 20 MB is not scanned.

In addition, you can:

Specify large downloads to be delivered without scanning, which may introduce a security risk.

Specify that downloads greater than the specified limit are deleted.

By default, the CSC SSM software specifies that files smaller than 50 MB are scanned, and files 50 MB and larger are delivered without scanning to the requesting client.

Deferred Scanning

The deferred scanning feature is not enabled by default. When enabled, this feature allows you to begin downloading data without scanning the entire download. Deferred scanning allows you to begin viewing the data without a prolonged wait while the entire body of information is scanned.


Caution When deferred scanning is enabled, the unscanned portion of information can introduce a security risk.

If deferred scanning is not enabled, the entire content of the download must be scanned before it is presented to you. However, some client software may time out because of the extra time required to collect sufficient network packets to compose complete files for scanning. Table 4-2 summarizes the advantages and disadvantages of each method.

Table 4-2 Deferred Scanning Safety Comparison

| Method | Advantage | Disadvantage |
|---|---|---|
| Deferred scanning enabled | Prevents client timeouts. | May introduce a security risk. |
| Deferred scanning disabled | Safer. The entire file is scanned for security risks before being presented to you. | May result in the client timing out before the download is completed. |



Note Traffic moving via HTTPS cannot be scanned for viruses and other threats by the CSC SSM software.


When the file is eventually scanned by CSC SSM, it may be found to contain malicious content. If so, CSC SSM takes the following actions:

Sends a notification message, provided notifications are enabled.

Logs the event details.

Automatically blocks the URL from other users for four hours after malicious code detection. Access to the URL is restored after four hours elapse, and content from it will be scanned.

If CSC SSM has been registered to a Damage Cleanup Services (DCS) server, a DCS clean-up request is issued under one of the following conditions:

Someone (usually using a client PC) attempts to access a URL classified as Spyware, Disease Vector, or Virus Accomplice through URL Filtering (requires a Plus License).

Someone (usually using a client PC) uploads a virus classified as a "worm."

DCS connects to the client to clean the file. For more information about DCS, see Appendix D, "Using CSC SSM with Trend Micro Damage Cleanup Services."

Spyware and Grayware Detection and Cleaning

Grayware is a category of software that may be legitimate, unwanted, or malicious. Unlike threats such as viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data, but it may violate your privacy. Examples of grayware include spyware, adware, and remote access tools.

Spyware or grayware creates two main problems for network administrators. It can compromise sensitive company information and reduce employee productivity by causing infected machines to malfunction. In addition to detecting and blocking incoming files that may install spyware, CSC SSM can prevent installed spyware from sending confidential data via HTTP.

If a client tries to access a URL classified as Spyware, Disease Vector, or Virus Accomplice, or a client PC uploads a virus classified as a worm as a web mail attachment, CSC SSM can send a request to Trend Micro DCS to clean the infected machine. DCS reports the outcome of the cleaning attempt (as either successful or unsuccessful) to the CSC SSM server.

If the cleaning attempt is not successful, the client's browser is redirected to a special DCS-hosted cleanup page the next time the browser tries to access the Internet. This page contains an ActiveX control that again tries to clean the infected machine. If access permissions were the reason for the first failed cleaning attempt, the ActiveX control may be successful where cleaning via remote logon was unsuccessful.

For more information about DCS, see Appendix D, "Using CSC SSM with Trend Micro Damage Cleanup Services."


Note To avoid excessive cleanup attempts, CSC SSM only sends requests to clean up a target IP address once every four hours by default. If the client at that IP address continues to perform suspicious actions, then no further cleanup requests will be issued until this lockout period has expired. You can modify the length of this lockout period by going to /opt/trend/isvw/config/web/intscan.ini on the CSC SSM and changing the value of the [DCS]/cleanup_lockout_hours field. The value in this field is interpreted as the number of hours, and partial values (such as 0.5) are supported.


Detecting Spyware and Grayware

Spyware or grayware detection is not enabled by default. To detect spyware and other forms of grayware in your web and file transfer traffic, you must configure this feature in the following windows:

Web (HTTP/HTTPS) > Scanning > HTTP Scanning/Target

File Transfer (FTP) > Scanning > FTP Scanning/Target

To configure web scanning, do the following:

On the Configuration > Trend Micro Content Security > Web window in ASDM, click the Configure Web Scanning link.

To configure FTP scanning, do the following:

On the Configuration > Trend Micro Content Security > File Transfer window in ASDM, click the Configure File Scanning link.

For more information, see the "Enabling SMTP and POP3 Spyware and Grayware Detection" section on page 3-4 and the online help for these windows.

Scanning Webmail

As specified in Table 4-1, web mail scanning for Yahoo, AOL, MSN Hotmail, and Google is already configured by default.


Caution If you elect to scan only webmail, HTTP scanning is restricted to the sites specified on the Webmail Scanning tab of the Web (HTTP/HTTPS) > Scanning > HTTP Scanning window. Other HTTP traffic is not scanned. Configured sites are scanned until you remove them from scanning by clicking the Trashcan icon.

To add additional sites, perform the following steps:


Step 1 On the Configuration > Trend Micro Content Security > Web window in ASDM, click the Configure Web Scanning link.

The Target tab of the HTTP Scanning window appears.

Step 2 Click the Webmail Scanning tab.

Step 3 In the Name field, enter a name for the Webmail site.

Step 4 In the Match field, enter the exact website name/IP address, a URL keyword, or a string.

Step 5 Choose the appropriate radio button to correspond with the text entered in the Match field.


Note Attachments to messages that are managed via web mail are scanned.


Step 6 Click Add.

Step 7 Click Save to update your configuration.


For more information about how to configure additional web mail sites for scanning, see the online help.

File Blocking

This feature is enabled by default; however, you must specify the types of files you want blocked. File blocking helps you enforce your organization's policies for use of the Internet and other computing resources during work time. For example, your company may not allow downloading of music because of both legal issues and employee productivity issues.

To configure file blocking, perform the following steps:


Step 1 To block downloads over HTTP, on the Configuration > Trend Micro Content Security > Web window in ASDM, click the Configure File Blocking link to display the File Blocking window.

Step 2 To block downloads over FTP, on the Configuration > Trend Micro Content Security > File Transfer window in ASDM, click the Configure File Blocking link.

Step 3 To block the transferring of music files, on the Target tab of the File Blocking window, check the Audio/Video check box, as shown in Figure 4-1.

By default, compressed music files will be blocked. To disable file blocking for compressed files containing true file types, check the No radio button for the "Do you also want to block compressed files containing the selected file type(s)" option, as shown in Figure 4-1.


Note File blocking for FTP does not support the blocking of compressed files containing true file types.


Figure 4-1 Enable File Blocking

Step 4 You can specify additional file types by file name extension. To enable this feature, check the Block specified file extensions check box.

Step 5 Then enter additional file types in the File extensions to block field, and click Add.

Step 6 Verify the list of blocked file extensions. To remove any unwanted entries, select the file extension type and click Delete.

For more information about file blocking and for information about deleting file extensions you no longer want to block, see the online help.

Step 7 To view the default notification that displays in the browser or FTP client when a file blocking event is triggered, click the Notifications tab of the File Blocking window.

Step 8 To customize the text of these messages, select and redefine the default message. An optional notification to the administrator is available for HTTP file-blocking events, but is turned off by default. Check the Send the following message check box to activate the notification.

Step 9 Click Save when you are finished to update the configuration.


URL Blocking

This section describes the URL blocking feature, and includes the following topics:

Blocking from the HTTP Local List Tab

Blocking from the HTTPS Local List Tab

URL Blocking Notifications

The URL blocking feature helps you prevent employees from accessing prohibited websites. For example, you may want to block some sites because policies in your organization prohibit access to dating services, online shopping services, or offensive sites. URL blocking policies, set by going to Web (HTTP/HTTPS) > Global Settings > URL Blocking, affect all users. URL blocking policies can also be set for specific users or groups. For more information, see the "URL Blocking and Filtering Policies for Users/Groups" section.


Note This feature requires the Plus License.

HTTPS filtering is only supported when the ASA is running Version 8.4(2) or later.


You may also want to block sites that are known for perpetrating fraud, such as phishing. Phishing is a technique used by criminals who send e-mail messages that appear to be from a legitimate organization and that ask the recipient to reveal private information, such as bank account numbers. Figure 4-2 shows an example of an e-mail message used for phishing.

Figure 4-2 Example of Phishing

By default, URL blocking is enabled (including blocking URLs based on user group policies).

Blocking from the HTTP Local List Tab

To configure URL blocking from the Via Local List tab, perform the following steps:


Step 1 On the Configuration > Trend Micro Content Security > Web window in ASDM, click Configure URL Blocking to display the URL Blocking window. (See Figure 4-3.)

Step 2 On the HTTP Local List tab of the URL Blocking window, type the URLs you want to block in the Match field. You can specify the exact website name/IP address, a URL keyword, or a string.

See the online help for more information about formatting entries in the Match field.

Step 3 To move the URL to the Block List, click Block after each entry. To specify your entry as an exception, click Do Not Block to add the entry to Block List Exceptions. Entries remain as blocked or exceptions until you remove them.


Note You can also import a block and exception list. The imported file must be in a specific format. See the online help for instructions.



Figure 4-3 URL Blocking Window

Blocking from the HTTPS Local List Tab

To configure URL blocking from the HTTPS Local List tab, perform the following steps:


Step 1 On the Configuration > Trend Micro Content Security > Web window in ASDM, click Configure URL Blocking to display the URL Blocking window.

Step 2 Check the Include HTTPS blocking check box to include HTTPS URL blocking.

Step 3 On the HTTPS Local List tab of the URL Blocking window, type the domains or IP addresses you want to block. You can specify the exact domain name/IP address as these examples show: example.com or 1.1.1.1.

See the online help for more information about formatting entries in this field.

Step 4 To move the URL to the Block List, click Block after each entry. To specify your entry as an exception, click Do Not Block to add the entry to Block List Exceptions. Entries remain as blocked or exceptions until you remove them.


Note You can also import a block and exception list. The imported file must be in a specific format. See the online help for instructions.


After you have created a list of blocked URLs, they will appear in the Block List area. You can select individual URLs to remove them from the list, or select them all and click Remove All.

Step 5 Be sure to click Save to preserve your work before exiting the screen.


Important Note

URL filtering and URL blocking are determined according to the IP address or domain name of the website. If you use the domain name to perform URL filtering or URL blocking, the browser must support the Server Name Indication (SNI) extension of TLS. As a result, you must make sure that you have enabled TLS and that your browser supports SNI. The following lists the browsers that support the SNI extension and that the CSC SSM also supports:

| Browser | Version |
|---|---|
| Windows IE | 7.0 or later on Vista or higher. Does not work on XP with IE 8.0. |
| Mozilla Firefox | 2.0 or later. |
| Google Chrome | Vista or higher. XP on Chrome 6 or later. OSX 10.5.7 or higher on Chrome 5.0.342.1 or later. |


If you use a browser that does not support SNI (for example, IE on the Windows XP series), the browser does not send the domain name in the SSL handshake of an HTTPS request. The CSC SSM then uses the IP address of the HTTPS site, instead of the domain name, to perform categorization. As a result, the behavior of the IE browser might be different from that of other browsers that support SNI, such as Firefox, for which the domain name is used to perform categorization.

Block List Exceptions

You can also create a list of URLs that you do not want CSC to block or filter. This list is populated by clicking Do Not Block in the previous procedures.

URL Blocking Notifications

A configurable message informs the end user when CSC SSM detects an attempt to access a blocked URL via HTTP. A default notification message is provided, but other text and variables can be used to create a custom message. URL blocking and URL filtering use the same notification message.

Figure 4-4 URL Blocking and Filtering Default Notification Message

To configure the notification message, perform the following steps:


Step 1 On the Configuration > Trend Micro Content Security > Web window in ASDM, click Configure URL Blocking to display the URL Blocking window.

Step 2 On the Notification tab of the URL Blocking window, type your custom message.

Step 3 Use the variables or tokens listed in the online help to customize your message.

Step 4 Click Restore Default to return to the default message.

Step 5 Click Save to save your work in this screen.


URL Filtering

The URLs defined on the URL blocking windows described previously are either always allowed or always disallowed. The URL filtering feature, however, allows you to filter URLs in categories, which you can schedule to allow access during certain times, such as leisure and work time. URL filtering policies set through Web (HTTP/HTTPS) > Global Settings > URL Filtering affect all users. URL filtering policies can also be set for specific users or groups. For more information, see the "URL Blocking and Filtering Policies for Users/Groups" section.


Note This feature requires the Plus License.

Because URL filtering is based on the IP address or domain name of a website, the categorization results for the IP address and the domain name of the same website can sometimes differ.

Make sure that your browser can support the use of domain names to do categorization. For more information, see the "Blocking from the HTTPS Local List Tab" section.

HTTPS filtering is only supported when the ASA is running Version 8.4(2) or later.


URL categories are organized into the URL filtering groups shown in Table 4-3.

Table 4-3 Grouping Definition for URL Categories

| Category Group | Description |
|---|---|
| Adult | Sites that may be considered inappropriate for children |
| Business | Sites related to business, employment, or commerce |
| Communications and Search | Sites that provide tools and services for online communications and search |
| General | Sites not classified in other category groups, including unrated sites |
| Internet Security | Potentially harmful sites, including sites known to have malware |
| Lifestyle | Sites about lifestyle preferences, including sexual, political, or religious orientations, as well as recreation and entertainment |
| Network Bandwidth | Sites that offer services that can significantly impact available network bandwidth |



Note For URL filtering to work correctly, the CSC SSM must be able to send HTTP requests to the Trend Micro service. If an HTTP proxy is required, configure the proxy setting by choosing Update > Proxy Settings.


URL Filtering Categories

Table 4-4 lists definitions of the URL filtering categories and the assigned group.

Table 4-4 URL Filtering Category Definitions  

Category Group
Category Type
Category Definition

Adult

Abortion

Sites that promote, encourage, or discuss abortion, including sites that cover moral or political views on abortion

Adult

Adult/Mature Content

Sites with profane or vulgar content generally considered inappropriate for minors; includes sites that offer erotic content or ads for sexual services, but excludes sites with sexually explicit images

Adult

Alcohol/Tobacco

Sites that promote, sell, or provide information about alcohol or tobacco products

Adult

Gambling

Sites that promote or provide information on gambling, including online gambling sites

Adult

Illegal Drugs

Sites that promote, glamorize, supply, sell, or explain how to use illicit or illegal intoxicants

Adult

Illegal/Questionable

Sites that promote and discuss how to perpetrate "nonviolent" crimes, including burglary, fraud, intellectual property theft, and plagiarism; includes sites that sell plagiarized or stolen materials

Adult

Intimate Apparel/ Swimsuit

Sites that sell swimsuits or intimate apparel with models wearing them

Adult

Marijuana

Sites that discuss the cultivation, use, or preparation of marijuana, or sell related paraphernalia

Adult

Nudity

Sites showing nude or partially nude images that are generally considered artistic, not vulgar or pornographic

Adult

Pornography

Sites with sexually explicit imagery designed for sexual arousal, including sites that offer sexual services

Adult

Sex Education

Sites with or without explicit images that discuss reproduction, sexuality, birth control, sexually transmitted disease, safe sex, or coping with sexual trauma

Adult

Tasteless

Sites with content that is gratuitously offensive and shocking; includes sites that show extreme forms of body modification or mutilation and animal cruelty

Adult

Violence/Hate/ Racism

Sites that promote hate and violence; includes sites that espouse prejudice against a social group, extremely violent and physically dangerous activities, mutilation and gore, or the creation of destructive devices

Adult

Weapons

Sites about weapons, including their accessories and use; excludes sites about military institutions or sites that discuss weapons as sporting or recreational equipment

Business

Auctions

Sites that serve as venues for selling or buying goods through bidding, including business sites that are being auctioned

Business

Brokerage/Trading

Sites about investments in stocks or bonds, including online trading sites; includes sites about vehicle insurance

Business

Business/Economy

Sites about business and the economy, including entrepreneurship and marketing; includes corporate sites that do not fall under other categories

Business

Financial Services

Sites that provide information about or offer basic financial services, including sites owned by businesses in the financial industry

Business

Job Search/Careers

Sites about finding employment or employment services

Business

Real Estate

Sites about real estate, including those that provide assistance selling, leasing, purchasing, or renting property

Business

Shopping

Sites that sell goods or support the sales of goods that do not fall under other categories; excludes online auction or bidding sites

Communications and Search

Blogs/Web Communications

Blog sites or forums on varying topics or topics not covered by other categories; sites that offer multiple types of web-based communication, such as e-mail or instant messaging

Communications and Search

Chat/Instant Messaging

Sites that provide web-based services or downloadable software for text-based instant messaging or chat

Communications and Search

E-mail Related

Sites that provide e-mail services, including portals used by companies for web-based e-mail

Communications and Search

Infrastructure

Content servers, image servers, or sites used to gather, process, and present data and data analysis, including web-based analytics tools and network monitors

Communications and Search

Internet Telephony

Sites that provide web services or downloadable software for Voice over Internet Protocol (VoIP) calls

Communications and Search

Newsgroups

Sites that offer access to Usenet or provide other newsgroup, forum, or bulletin board services

Communications and Search

Search Engines/ Portals

Search engine sites or portals that provide directories, indexes, or other retrieval systems for the web

Communications and Search

Social Networking

Sites devoted to personal expression or communication, linking people with similar interests

Communications and Search

Web Hosting

Sites of organizations that provide top-level domains or web hosting services

General

Computers/Internet

Sites about computers, the Internet, or related technology, including sites that sell or provide reviews of electronic devices

General

Education

School sites, distance learning sites, and other education-related sites

General

Government/Legal

Sites about the government, including laws or policies; excludes government military or health sites

General

Health

Sites about health, fitness, or well-being

General

Military

Sites about military institutions or armed forces; excludes sites that discuss or sell weapons or military equipment

General

News/Media

Sites about the news, current events, contemporary issues, or the weather; includes online magazines whose topics do not fall under other categories

General

Political

Sites that discuss or are sponsored by political parties, interest groups, or similar organizations involved in public policy issues; includes non-hate sites that discuss conspiracy theories or alternative views on government

General

Reference

General and specialized reference sites, including map, encyclopedia, dictionary, weather, how-to, and conversion sites

General

Translators (circumvent filtering)

Online page translators or cached Web pages (used by search engines), which can be used to circumvent proxy servers and Web filtering systems

General

Unrated

Sites that have not been classified under a category

General

Vehicles

Sites about motorized transport, including customization, procurement of parts and actual vehicles, or repair services; excludes sites about military vehicles

Internet Security

Adware

Sites with downloads that display advertisements or other promotional content; includes sites that install browser helper objects (BHOs)

Internet Security

Cookies

Sites that send malicious tracking cookies to visiting web browsers

Internet Security

Dialers

Sites with downloads that dial into other networks or premium-rate telephone numbers without user consent

Internet Security

Disease Vector

Sites that directly or indirectly facilitate the distribution of malicious software or source code

Internet Security

Hacking

Sites that provide downloadable software for bypassing computer security systems

Internet Security

Joke Program

Sites that provide downloadable "joke" software, including applications that can unsettle users

Internet Security

Made for AdSense sites (MFA)

Sites that use scraped or copied content to pollute search engines with redundant and generally unwanted results

Internet Security

Malware/Virus Accomplice

Sites used by malicious programs, including sites used to host upgrades or store stolen information

Internet Security

Password Cracking Application

Sites that distribute password cracking software

Internet Security

Phishing

Fraudulent sites that mimic legitimate sites to gather sensitive information, such as user names and passwords

Internet Security

Potentially Malicious Software

Sites that contain potentially harmful downloads

Internet Security

Proxy Avoidance

Sites about bypassing proxy servers or web filtering systems, including sites that provide tools for that purpose

Internet Security

Remote Access Program

Sites that provide tools for remotely monitoring and controlling computers

Internet Security

Spam

Sites whose addresses have been found in spam messages

Internet Security

Spyware

Sites with downloads that gather and transmit data from computers owned by unsuspecting users

Internet Security

Web Advertisement

Sites dedicated to displaying advertisements, including sites used to display banner or popup ads

Lifestyle

Activist Groups

Sites that promote change in public policy, public opinion, social practice, economic activities, or economic relationships; includes sites controlled by service, philanthropic, professional, or labor organizations

Lifestyle

Alternative Journals

Online equivalents of supermarket tabloids and other fringe publications

Lifestyle

Arts/Entertainment

Sites that promote or provide information about movies, music, non-news radio and television, books, humor, or magazines

Lifestyle

Cult/Occult

Sites about alternative religions, beliefs, and religious practices, including those considered cult or occult

Lifestyle

Cultural Institutions

Sites controlled by organizations that seek to preserve cultural heritage, such as libraries or museums; also covers sites owned by the Boy Scouts, the Girl Scouts, Rotary International, and similar organizations

Lifestyle

For Kids

Sites designed for children

Lifestyle

Games

Sites about board games, card games, console games, or computer games; includes sites that sell games or related merchandise

Lifestyle

Gay/Lesbian

Sites about gay, lesbian, transgender, or bisexual lifestyles

Lifestyle

Humor/Jokes

Sites about motorized transport, including customization, procurement of parts and actual vehicles, or repair services; excludes sites about military vehicles

Lifestyle

Personal Websites

Sites maintained by individuals about themselves or their interests; excludes personal pages in social networking sites, blog sites, or similar services

Lifestyle

Personals/Dating

Sites that help visitors establish relationships, including sites that provide singles listings, matchmaking, or dating services

Lifestyle

Recreation/Hobbies

Sites about recreational activities and hobbies, such as collecting, gardening, outdoor activities, traditional (non-video) games, and crafts; includes sites about pets, recreational facilities, or recreational organizations

Lifestyle

Religion

Sites about popular religions, their practices, or their places of worship

Lifestyle

Restaurants/Dining/Food

Sites that list, review, discuss, advertise, or promote food, catering, dining services, cooking, or recipes

Lifestyle

Society/Lifestyle

Sites that provide information about life or daily matters; excludes sites about entertainment, hobbies, sex, or sports, but includes sites about cosmetics or fashion

Lifestyle

Sport Hunting and Gun Clubs

Sites about gun clubs or similar groups; includes sites about hunting, war gaming, or paintball facilities

Lifestyle

Sports

Sites about sports or other competitive physical activities; includes fan sites or sites that sell sports merchandise

Lifestyle

Travel

Sites about travelling or travel destinations; includes travel booking and planning sites

Network Bandwidth

Internet Radio and TV

Sites that primarily provide streaming radio or TV programming; excludes sites that provide other kinds of streaming content

Network Bandwidth

Pay to Surf

Sites that compensate users who view certain websites, e-mail messages, or advertisements or users who click links or respond to surveys

Network Bandwidth

Peer-to-Peer

Sites that provide information about or software for sharing and transferring files within a peer-to-peer (P2P) network

Network Bandwidth

Personal Network Storage/File Download Servers

Sites that provide personal online storage, backup, or hosting space, including those that provide encryption or other security services

Network Bandwidth

Photo Searches

Sites that primarily host images, allowing users to share, organize, store, or search for photos or other images

Network Bandwidth

Ringtones/Mobile Phone Downloads

Sites that provide content for mobile devices, including ringtones, games, or videos

Network Bandwidth

Software Downloads

Sites dedicated to providing free, trial, or paid software downloads

Network Bandwidth

Streaming Media/MP3

Sites that offer streaming video or audio content without radio or TV programming; sites that provide music or video downloads, such as MP3 or AVI files


Filtering Rules, Exceptions, and Time

To configure the URL filtering feature, perform the following steps:


Step 1 On the Web (HTTP/HTTPS) window, click URL Filtering to display the URL Filtering: Global Policy window.

Step 2 Click Enable to enable the URL filtering feature, or accept the default setting, which is enabled.

Step 3 Check the Include HTTPS filtering check box to include HTTPS URL filtering, when appropriate.

Step 4 Check the Include User Group Policies check box to include user group policies, if appropriate.

Step 5 On the Rules tab, review the subcategories listed under each category. (See Figure 4-5.) For example, "Illegal Drugs" is a subcategory of the "Adult" category. If your organization is a financial services company, you may want to filter this category. Check the Illegal Drugs check boxes for Work and Leisure time to enable filtering for sites related to illegal drugs. However, if your organization is a law enforcement agency, you should clear the Illegal Drugs subcategory.

Step 6 For each of the seven groups of categories, specify whether the URLs are blocked, and if so, during work time, leisure time, or both.

Figure 4-5 URL Filtering: Global Policy Rules Tab

Step 7 If you believe a particular URL has been misclassified, you can check the category of the URL and request it be reclassified by clicking the link in the Note section at the bottom of the page.

Step 8 If there are sites within the enabled subcategories that you do not want filtered, click the HTTP Exceptions or the HTTPS Exceptions tabs. (See Figure 4-6 and Figure 4-7.)

Step 9 Type the URLs you want to exclude from filtering in the Match field. You can specify the exact website name or IP address, a URL keyword, or a string.

See the online help for more information about formatting entries in the Match field.


Note You can also import a list of URL filtering exceptions. The imported file must be in a specific format. See the online help for instructions.


Figure 4-6 URL Filtering: Global Policy HTTP Exceptions Tab

Step 10 Click Add after each entry to move it to the "URL to the Do Not Filter the Following HTTP Sites" list. Entries remain as exceptions until you remove them. You can do the same on the HTTPS Exceptions tab, except that you can add only domain names or IP addresses. Keywords and strings are not allowed.

Figure 4-7 URL Filtering: Global Policy HTTPS Exceptions Tab

Step 11 Click the Time Allotment tab.

Step 12 Define the days of the week and hours of the day that should be considered work time. Time not designated as work time is automatically designated as leisure time. (Figure 4-8 shows 8:00 a.m. through 12:00 a.m. and 1:00 p.m. through 5:00 p.m. as work time.)

For setting work days, check the check box for the days of the week to be designated as work days.

For setting work time, click the hours to be designated as work time.

Figure 4-8 URL Filtering: Global Policy Time Allotment Tab

Step 13 Click Save to update the URL filtering configuration.


Web Reputation

Web reputation guards end-users against emerging web threats. Because a web reputation query returns URL category information (used by URL filtering), CSC SSM does not use a locally stored URL database. Web reputation requires a Plus License.

Web reputation also assigns reputation scores to URLs. For each accessed URL, CSC SSM queries web reputation for a reputation score and then takes the necessary action, based on whether this score is below or above the user-specified sensitivity level.

CSC SSM has a feature that enables the device to automatically provide feedback on infected URLs, which helps improve the web reputation database. If enabled, this feedback includes product name and version, URL, and virus name. (It does not include IP address information, so all feedback is anonymous and protects company information.) Web reputation results are located in the Web Reputation log (choose Logs > Query > Web Reputation) and by clicking the Summary > Web (HTTP/HTTPS) tab.

With Trend Micro web reputation technology (part of the Smart Protection Network), you can perform website scanning at varying levels of protection (low, medium, and high) and add websites to the Exceptions List (yourcompany.com, for example), so that websites can be viewed without scanning or blocking.


Note Preapproving websites must be done carefully. Not scanning or blocking a website could pose a security risk.

HTTPS filtering is only supported when the ASA is running Version 8.4(2) or later.


Anti-Phishing Using Web Reputation

CSC SSM provides anti-phishing through web reputation and URL filtering. Both features require a Plus License.

Phishing sites blocked by URL filtering are blocked by the Phishing category and will give a "Phishing" message.

Phishing sites blocked by web reputation will provide a "low reputation" message.

Web Reputation Database

The web reputation database resides on a remote server. When a user attempts to access a URL, CSC SSM retrieves information about this URL from the web reputation database and stores it in the local cache. Having the web reputation database on a remote server and building the local cache with this database information reduces the overhead on CSC SSM and improves performance.

The web reputation database is updated with the latest security information about web pages. If you believe the reputation of a URL is misclassified or you want to know the reputation of a URL, use the following URL to notify Trend Micro:

http://reclassify.wrs.trendmicro.com/submit-files/wrsonlinequery.asp

Settings

Setting the security sensitivity level prevents users from being misdirected to malicious websites and provides administrators with the ability to set the protection level.

Web reputation settings include specifying the following:

Enabling or disabling web reputation.

Selecting the appropriate security sensitivity level for your company.

(Optional) Providing anonymous feedback on infected URLs to Trend Micro.

Security Sensitivity Level

Upon receiving a web reputation score, CSC SSM determines whether the score is below or above the preferred threshold. The sensitivity level threshold is defined by the user. Medium is the default sensitivity setting. Trend Micro recommends this setting because it blocks most web threats while not creating many false positives.

To set the sensitivity level, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > Global Settings > Web Reputation > Target tab.

Step 2 Click Enable to enable web reputation, or accept the default setting, which is enabled.

Step 3 Click Include HTTPS filtering to add HTTPS filtering.

Step 4 Specify the URL blocking sensitivity level. Select from the following:

High—Blocks more websites, but risks blocking non-malicious websites.

Medium—Balances risks between High and Low settings (default).

Low—Blocks fewer websites, but risks not blocking potentially malicious websites.

Step 5 Click Save.


Feedback Option

Web reputation scan results can be fed back to an external backend Rating Server. The Feedback option is disabled by default.

To enable the feedback option, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > Global Settings > Web Reputation > Settings tab.

Step 2 Check the Send anonymous feedback on infected URLS to Trend Micro check box.

Step 3 Click Save.


HTTP Exceptions

Listing a website within the web reputation approved list allows CSC SSM to bypass any malicious code scans on the listed site. Web reputation scanning exceptions can be defined by entering the complete website URL or IP address, a URL keyword, a string, or by importing an existing exception list of URLs.


Caution Lack of scanning could cause security holes if a website on the Approved list has been hacked and has had malicious code injected.

To specify web reputation exceptions, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > Global Settings > Web Reputation > HTTP Exceptions tab.

Step 2 Do one of the following:

Enter text in the Match field, specify the match type, and then click Add.


Note The default option is Web site/IP address.


Import the URL approved list. For more information about importing the URL exceptions list, see the "HTTP URL Filtering Settings - URL Filtering Exceptions" online help topic.

Step 3 Click Add.

Step 4 Click Save.


After you have specified a URL as an exception to web reputation, you can include it in web reputation scanning by selecting the URL in the Approved List and clicking Remove to delete it from the list. Click Remove All to delete all URLs in the Approved List.

HTTPS Exceptions

Listing trusted websites within the web reputation approved list allows CSC SSM to bypass any malicious code scans on the listed sites. Web reputation scanning exceptions can be defined by entering the domain, IP address, or by importing an existing exception list.


Caution Lack of scanning could cause security holes if a website on the Approved list has been hacked and has had malicious code injected.

To specify web reputation HTTPS exceptions, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > Global Settings > Web Reputation > HTTPS Exceptions tab.

Step 2 Do the following:

Enter the trusted domain(s) or IP address(es), then click Add.

Import an approved exceptions list. For more information about importing an exceptions list, see the "HTTP URL Filtering Settings - URL Filtering Exceptions" online help topic.

Step 3 Click Add.

Step 4 Click Save.


After you have specified a domain or IP address as an exception to web reputation, you can later include it in web reputation scanning by selecting the IP or domain name in the Approved List and clicking Remove to delete it from the list. Click Remove All to delete all domain names or IP addresses in the Approved List.
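Because every approved entry bypasses scanning and the HTTPS Exceptions tab accepts only domain names or IP addresses, a candidate list can be checked before it is entered. The following is an added example, not part of the Cisco guide or the product: the function names and the sample list are constructed, and the rule that a domain needs at least two labels is an assumption of this check.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample input: one entry per string, as an administrator might
# collect them before typing them into the HTTPS Exceptions tab.
CANDIDATES = [
    "yourcompany.com",
    "YourCompany.com.",               # duplicate of the first entry
    "192.0.2.10",
    "https://yourcompany.com/login",  # a URL, not a domain
    "bank",                           # a keyword
    "999.1.1.1",                      # looks like an IP address but is not one
    "-bad.example.com",
]


def classify_https_exception(entry: str) -> str:
    """Return 'ip', 'domain', or 'rejected: <reason>' for one entry."""
    text = entry.strip()
    if not text:
        return "rejected: empty"
    try:
        ipaddress.ip_address(text)
        return "ip"
    except ValueError:
        pass
    if "://" in text or "/" in text or "?" in text:
        return "rejected: URL or path, not a domain"
    labels = text.rstrip(".").split(".")
    if len(labels) < 2:
        return "rejected: keyword or single label"
    if len(text) > 253 or not all(LABEL.match(label) for label in labels):
        return "rejected: not a valid domain name"
    if labels[-1].isdigit():
        return "rejected: malformed IP address"
    return "domain"


def review(entries):
    """Split entries into (accepted, rejected), dropping duplicates."""
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        key = raw.strip().lower().rstrip(".")
        if key in seen:
            continue
        seen.add(key)
        verdict = classify_https_exception(raw)
        if verdict.startswith("rejected"):
            rejected.append((raw.strip(), verdict))
        else:
            accepted.append((key, verdict))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = review(CANDIDATES)
    for value, kind in ok:
        print(f"accept  {kind:<6} {value}")
    for value, reason in bad:
        print(f"review  {value}: {reason}")
```

The accepted list is what remains to be justified entry by entry, since each one is exempt from web reputation scanning.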

URL Blocking and Filtering Policies for Users/Groups

CSC SSM has a policy framework that allows the association of URL filtering and blocking policies to specific groups or individual users based on the user or group identity. This feature includes:

Identification settings

Microsoft Active Directory service support

Policy item management

User/Group-based log and report


Note Both URL filtering and URL blocking require a Plus License.


CSC SSM supports up to 20 URL filtering and blocking policies for users and groups. The Domain Controller Agent software can be deployed on a Domain Controller Server or Windows machine that is on the intranet. The agent communicates with CSC SSM over a secure TCP port and works with Microsoft Active Directory.

Before using user/group policies for URL filtering and blocking, enable the following:

Select a method of user/group identification by choosing Administration > Device Settings > User Id Settings. For more information about user ID settings, see the "Configuring User ID Settings" section on page 6-3.

Download and install the Domain Controller Agent. For more information, see the "Installing the Domain Controller Agent" section on page 6-7.

Add the Domain Controller Agent and Domain Controller information. For more information, see the "Adding a Domain Controller Agent or Server to CSC SSM" section on page 6-8.

Enable URL filtering at the global level by choosing Web (HTTP/HTTPS) > Global Settings > URL Filtering, and checking the Include User Group Policies check box.

Enable URL blocking at the global level by choosing Web (HTTP/HTTPS) > Global Settings > URL Blocking, and checking the Include User Group Policies check box.

The All Policies tab on the URL Blocking & Filtering Policies screen displays existing policies and provides the following information:

Policy Type—Lists the policy by type, either Filtering or Blocking

Policy Name—Shows the descriptive name assigned to identify the policy

Status—Indicates if the policy is enabled (green check) or disabled (red check)

Priority—Indicates the order in which the policies will be enforced. For example, if a policy has an exception and has a higher priority than another policy, this policy will override the rules of the lower priority policy. Any global policies configured under URL filtering or URL blocking will always have the lowest priority.

The Policies by User/Group tab offers search capabilities for existing policies. Editing policies is possible from this screen by clicking the policy name.

Add/Edit URL Blocking Policies for Users/Groups

URL blocking is an important tool for managing employee Internet use in your organization. With URL blocking, you can prohibit access to URLs that may distract employees from productive use of their time or may even result in legal liability. The process of adding a blocking policy for groups or users begins with choosing a template and creating an account.

If Global Policy - URL Blocking appears in the list of policies, this policy was configured on the Web (HTTP/HTTPS) > Global Settings > URL Blocking screen. Priority settings can be changed for user and group policy by choosing Web (HTTP/HTTPS) > User Group Policies > URL Blocking & Filtering. Go to the far right column in the table that lists the policies, and click the up and down arrows to adjust the priority. Global policies will always have the lowest priority.

Prerequisites

Before a blocking policy can be added, do the following:

URL blocking must be enabled on the global level by choosing Web (HTTP/HTTPS) > Global Settings > URL Blocking.

A method of user/group identification must be selected by choosing Administration > Device Settings > User ID Settings, and the Domain Controller Agent must be installed and configured. For more information, see the "Configuring User ID Settings" section on page 6-3.

Selecting a Template

To select a template for the first rule of a URL blocking policy, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > User Group Policies > URL Blocking and Filtering > All policies tab.

Step 2 Click Add and select URL Blocking Policy. (See Figure 4-9.)

Figure 4-9 To Add a User Group Policy

Step 3 (Optional) Check the Enable policy check box to have the policy enabled as soon as it is created. (See Figure 4-10.) You can also check the Enable HTTPS filtering option to include the filtering of HTTPS URLs.


Note To enable the policy later, see the "Enabling a User/Group Blocking Policy" section.


Step 4 Go to the Template section of the URL Blocking Policy: Add Policy page.

Step 5 Select one of the following options:

Create a new policy.

Copy from an existing policy. If this option is chosen, use the drop-down list to select the policy to use as a template.

Step 6 Type a descriptive policy name.

Step 7 Select accounts according to the "Creating Accounts" section.

Figure 4-10 Selecting a Template and User ID Method


Creating Accounts

To create accounts, perform the following steps:


Step 1 Select a template according to the "Selecting a Template" section, then create the account.

Step 2 In the Select Accounts section, select the method of user or group identification you will use: LDAP and/or IP address(es). (See Figure 4-10.) This selection must match the user identification method selected by choosing Administration > Device Settings > User ID Settings.


Note If no users or groups display, the Domain Controller Agent may not be correctly configured.


Step 3 To select users, do one of the following:

For LDAP identification, select the radio button for either the entire LDAP list or use the search function to find a specific name or group.

For IP address identification, enter a range of IP addresses, a single IP address, or a host name.

Step 4 Click the username, group name or IP address, and then click Add to add users, groups, or IP addresses to the Selected field.

Step 5 Click Next to continue creating your policy.

Step 6 Continue with the "Step 2: Specify Block Rule via HTTP Local List" page to create a blocking policy as described in the "Blocking from the HTTP Local List Tab" section.

Step 7 Continue with the "Step 3: Specify Block Rule via HTTPS Local List" page to create an HTTPS blocking list as described in the "Blocking from the HTTPS Local List Tab" section.

Step 8 Click Finish.

The new policy displays in the policy list of the All Policies tab.


Allowing or Blocking Specific URLs

Blocking URLs, importing lists of blocked URLs, and exceptions to the blocking list are described in the "Blocking from the HTTP Local List Tab" section and the "Blocking from the HTTPS Local List Tab" section. Format and other descriptions are available in the online help.

URL blocking is implemented in two ways:

You define specific URLs to be blocked (via a local list).

URLs are blocked by the Trend Micro scan engine (via a pattern file).

The "Step 2: Specify Block Rule via HTTP Local List" page and the "Step 3: Specify Block Rule via HTTPS List" page are similar to Figure 4-3 and used in Step 6 and Step 8 of the Creating Accounts procedure. These pages allow you to specify sites that you want to permit or prohibit access to for specific users or groups in your organization via a local list.

Enabling a User/Group Blocking Policy

When the URL blocking function is disabled at the global level, end users can access any domains or URLs from your network via HTTP. When URL blocking is enabled at the global level, all users in your network are prevented from accessing certain domains and URLs. User/group policies allow you to select the domains and URLs that can be viewed by specific users or groups.


Note A URL blocking policy can be enabled at the time of creation or later. For more information, see the "Selecting a Template" section.


To enable a URL blocking policy, perform the following steps:


Step 1 Verify that the URL blocking feature is enabled at the global level by choosing Web (HTTP/HTTPS) > Global Settings > URL Blocking.

Step 2 Click the Web (HTTP/HTTPS) > User Group Policies > All Policies tab.

Step 3 Click the name of the policy to be enabled.

Step 4 Check the check box to immediately enable the policy.

Step 5 Click Save.

Step 6 Clear the check box to disable a policy, then click Save.


Editing a User/Group Blocking Policy

To edit a specific user group blocking policy, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > User Group Policies > All Policies tab.

Step 2 Click the blocking policy name.

Step 3 Edit the blocking policy on the Accounts and/or Via Local List tabs.

Step 4 Click Save.


Adding or Editing URL Filtering Policies for Users/Groups

URL filtering for users/groups allows you to filter categories of websites such as "Adult" or "Social," that specific users or groups of users may access. Site classification will vary from one organization to the next, depending on the business being conducted. For example, the subcategory "violence/hate crime" may not be work-related in a manufacturing company, but may be defined as work-related in a news reporting organization.

Some company prohibited sites might always be blocked (on the URL Filtering Rules screen) during both work time and leisure time, but if you want to allow employees to use chat sites during leisure time, you can specify those sites be blocked only during work time.

If a Global Policy - URL Filtering policy already exists, it was configured by choosing Web (HTTP/HTTPS) > Global Settings > URL Filtering and was applied to all users. User or group policy will always have a higher priority than the global policy. Priority settings can be changed for user and group policy by choosing Web (HTTP/HTTPS) > User Group Policies > URL Blocking & Filtering. Go to the far right column in the table that lists the policies, and click the up and down arrows to adjust the priority. Global policies will always have the lowest priority.
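To reason about which policy decides a request before changing priorities, the rules above can be modeled offline. The following is an added example, not code from the Cisco guide or from CSC SSM: it assumes the first applicable policy in priority order decides the request, that exceptions match exact host names only, and all policy names, groups, addresses, and hours are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed time allotment: Monday to Friday, hour slots 8-11 and 13-16.
WORK_DAYS = {0, 1, 2, 3, 4}            # datetime.weekday(): Monday is 0
WORK_HOURS = {8, 9, 10, 11, 13, 14, 15, 16}


def period(when: datetime) -> str:
    """Time not designated as work time is leisure time."""
    if when.weekday() in WORK_DAYS and when.hour in WORK_HOURS:
        return "work"
    return "leisure"


@dataclass
class FilteringPolicy:
    name: str
    priority: int                                  # 1 is evaluated first (assumption)
    groups: set = field(default_factory=set)       # LDAP group names
    networks: list = field(default_factory=list)   # IP ranges in CIDR form
    blocked: dict = field(default_factory=dict)    # category -> {"work", "leisure"}
    exceptions: set = field(default_factory=set)   # exact host names (assumption)
    is_global: bool = False

    def applies_to(self, user_groups, client_ip) -> bool:
        if self.is_global or self.groups & set(user_groups):
            return True
        addr = ip_address(client_ip)
        return any(addr in ip_network(net) for net in self.networks)


def decide(policies, user_groups, client_ip, host, category, when):
    """Return (action, deciding policy name, period) for one request."""
    now = period(when)
    # User/group policies in priority order; global policies always come last.
    ordered = sorted(policies, key=lambda p: (p.is_global, p.priority))
    for policy in ordered:
        if not policy.applies_to(user_groups, client_ip):
            continue
        if host in policy.exceptions:
            return ("allow", policy.name, now)
        if now in policy.blocked.get(category, set()):
            return ("block", policy.name, now)
        return ("allow", policy.name, now)
    return ("allow", None, now)


# Constructed policy set for the example.
POLICIES = [
    FilteringPolicy("Global Policy - URL Filtering", 99, is_global=True,
                    blocked={"Shopping": {"work"},
                             "Proxy Avoidance": {"work", "leisure"}}),
    FilteringPolicy("Finance", 1, groups={"Finance"},
                    blocked={"Shopping": {"work"}},
                    exceptions={"supplies.example.com"}),
    FilteringPolicy("Lab subnet", 2, networks=["192.0.2.0/24"],
                    blocked={"Peer-to-Peer": {"work", "leisure"}}),
]

if __name__ == "__main__":
    monday_10 = datetime(2024, 1, 8, 10, 0)
    print(decide(POLICIES, ["Finance"], "198.51.100.7",
                 "supplies.example.com", "Shopping", monday_10))
    print(decide(POLICIES, ["Finance"], "198.51.100.7",
                 "proxy.example.org", "Proxy Avoidance", monday_10))
```

Under this model the second request is allowed: the Finance policy applies first and does not list Proxy Avoidance, so the global block is never reached. Replaying planned policies this way shows where a higher priority policy would leave such a gap.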

Prerequisites

Before a filtering policy can be added, you must:

Enable URL filtering on the global level by choosing Web (HTTP/HTTPS) > Global Settings > URL Filtering.

Select a method of user/group identification by choosing Administration > Device Settings > User ID Settings. For more information, see the "Configuring User ID Settings" section on page 6-3.

Download and install the Domain Controller agent. For more information, see the "Installing the Domain Controller Agent" section on page 6-7.

Add the Domain Controller Agent IP address.

Auto-detect or manually add the Domain Controller Server.

If an HTTP proxy is required, configure the proxy settings by choosing Update > Proxy Settings.


Note For URL filtering to work correctly, the CSC SSM must be able to send HTTP requests to the Trend Micro service.


Selecting a Template

To select a template for the first rule of a URL filtering policy, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > User Group Policies > URL Blocking and Filtering (All policies) tab.

Step 2 Click Add and select URL Filtering Rule.

Step 3 Go to the Template section of the URL Filtering Policy: Add Policy screen, similar to what is shown in Figure 4-10.

Step 4 Select one of the following options:

Create new policy.

Copy from an existing policy. If this option is chosen, use the drop-down list to select the policy to use as a template.

Step 5 Enter a descriptive policy name.

Step 6 Create an account according to the steps in the "Creating Accounts" section.


Creating Accounts

To create accounts, perform the following steps:


Step 1 Select a template according to the steps in the "Selecting a Template" section.

Step 2 In the accounts section (similar to what is shown in Figure 4-10), select the method of user or group identification you will use: LDAP or IP address. This selection must match the user identification method selected by choosing Administration > Device Settings > User ID Settings. Both methods of identification (LDAP and IP address) can be used if the identification method is configured correctly.

Step 3 To select users, do one of the following:

For LDAP identification, select the radio button for either the entire LDAP list or use the search function to find a specific name or group.

For IP address identification, enter a range of IP addresses, a single IP address, or a host name.

Step 4 Select the username, group name, IP address or range of IP addresses, then click Add to add users, groups, or IP addresses to the Selected field.

Step 5 Click Next.

Step 6 Continue to the "Step 2: Specify the URL Filtering Rules," the "Step 3: Specify HTTP Exceptions," and the "Step 4: Specify HTTPS Exceptions" screens using the instructions in the "Filtering Rules, Exceptions, and Time" section.

Step 7 Click Finish.

The new policy displays in the policy list of the All Policies tab.


Adding User Group Filtering Policy Rules

This screen allows you to define rules for user or group policies that allow or disallow access to categories, or parts of categories, of URLs during work or leisure time. The categories are as follows:

Computers/Bandwidth

Computers/Harmful

Computers/Communications

Adults

Business

Social

General

For information about how to set your policy rules, see the "Filtering Rules, Exceptions, and Time" section and follow Steps 5 through 7.


Note Work and leisure time parameters are configured in the Web (HTTP/HTTPS) > Global Settings > URL Filtering screen. For more information, see the "Filtering Rules, Exceptions, and Time" section, Step 11. Notification messages are configured in the Global Settings for URL Blocking screen. For more information, see the "URL Blocking Notifications" section.


Specifying Exceptions to the User Group Filtering Policy

The URL Filtering Policy: Add Policy (Step 3: Specify HTTP Exceptions and the Step 4: Specify HTTPS Exceptions) screens, similar to what is shown in Figure 4-6 and Figure 4-7, allow you to identify URLs that are excluded from filtering. For example, you may have elected to assign the subcategory "shopping" to the work-time filtered category. However, your Finance Department needs access to URLs of certain vendors offering online shopping service to purchase office supplies, furniture, software, hardware and other business equipment, airline tickets, and so on. Identify those vendors as exceptions to allow access to their URLs.

For more information about how to set your policy rules, see the "Filtering Rules, Exceptions, and Time" section and follow Steps 8 through 10. Online help also provides detailed instructions.

Editing a User/Group Filtering Policy

To edit a specific user group filtering policy, perform the following steps:


Step 1 Click the Web (HTTP/HTTPS) > User Group Policies > All Policies tab.

Step 2 Click the filtering policy name.

Step 3 Edit the filtering policy on the Accounts, Rules, and/or Exceptions tabs.

Step 4 Click Save.


Deleting a User Group Blocking or Filtering Policy

Policies can be deleted from the Web (HTTP/HTTPS) > User/Group Policies > URL Blocking & Filtering screen.

To delete a policy, perform the following steps:


Step 1 Check the check box at the beginning of the row for the policy to be deleted.

Step 2 Click the Trashcan icon to delete the policy. (See Figure 4-9.)