Cisco Service Control URL Blacklisting Solution Guide, Release 5.2.x
How to Specify a New Owner for the sce-url-database
How to Configure Write Protection for the sce-url-database
How to Configure Lookup Protection for the sce-url-database
How to Configure the sce-url-database Encryption Key
How to Remove All the Protection Rules for the sce-url-database
How to View the Current sce-url-database Protection Settings
Guidelines for Managing the sce-url-database
The sce-url-database Import File
How to Import a sce-url-database File
How to Add an Entry to the sce-url-database
How to View the sce-url-database
How to Look for a Specific URL in the sce-url-database
How to Clear the sce-url-database
How to Enable Deep HTTP Inspection
How to Enable URL Normalization
How to Disable URL Normalization
How to Reset URL Normalization to the Default State
How to Display the Currently URL Normalization Configuration
Managing URL Blacklists Using the Cisco Service Control Engine Platform
Configuring User Authorization
Protected URL Database Configuration Example
Obtaining Documentation and Submitting a Service Request
The Cisco Service Control Engine (Cisco SCE) platform-managed URL database resides on the Cisco SCE platform. The URL database, sce-url-database, is managed by using CLI commands rather than the Cisco Service Control Application for Broadband (Cisco SCA BB) Console. In addition to the advantage of having a separate URL database that is configurable directly by CLI commands, this database can be used to hide a list of URLs to prevent them from being accessed by the Console or the CLI.
The URL database must be declared as a separate flavor in the Cisco SCA BB application, but all the other configuration and management tasks are performed using the CLI.
The URL database can be protected. As part of protecting the sce-url-database, one user is designated as the owner of the database and only that user can execute the CLI commands on the database. Protection involves defining the authentication, authorization, and accounting (AAA) method (either based on local users or on a TACACS+ server, and so forth) and defining at least one user to be the owner of the database. For further details about the configuration, see the “Configuring the Management Interface and Security” chapter of the Cisco SCE 10000 Software Configuration Guide.
After the database is configured to be protected, no database information, (including information about the owner, database entries, authorization information, and the relevant saved configuration in the log files and in the relevant Cisco SCA BB reports, is accessible to any user. The database owner can change the authorizations by using the CLI. However, when any of the protection rules are relaxed (or all of the protection rules are relaxed by removing them) the database is reset automatically.
To protect the secrecy of the database information, the database entries can be imported to Cisco SCE (by using the CLI) in an encrypted form with the 128-bit key length Advanced Encryption Standard (AES). The key can be set or updated by using the appropriate CLI command; typically, this command should be run over a secure Telnet session.
There are two general categories of CLI commands related to the Cisco SCE-managed URL database:
The sce-url-database can be managed by a single authorized user, who is the designated owner of this database.
– Read permission—no-user. This setting is not configurable.
– Write permission—owner-only. The owner can configure this setting to all the users.
– Lookup permission—no-user. The owner can configure this setting only to the owner.
– Encryption key—no-key. The owner can configure an encryption key.
These are some of the guidelines for user authorization:
– Protection can be removed completely by using the no sce-url-database protection command.
– Write permission can be changed from owner-only to all-users.
– Lookup permission can be changed from no-user to owner-only.
– Protected information is not displayed when a show or more command is executed on the config files.
– Protected information is displayed when a copy command is executed on the config files.
To specify a new owner for the sce-url-database, use the following command in the interface linecard configuration mode (config if):
sce-url-database protection owner (myself | (name user-name ))
The authorization level required by a user to perform this task is Admin.
If an owneris already assigned to the sce-url-database, that owner must first remove the owner designation using the no sce-url-database protection command, which removes all database protection (see the “How to Remove All the Protection Rules for the sce-url-database” section).
The following options are available to specify a new owner in the sce-url-database:
The following are the results available after specifying a new owner in the sec-url-database:
To configure write protection for the sce-url-database, use the following command in the interface linecard configuration mode (config if):
sce-url-database protection allow-write (all-users | owner-only)
This command can be executed only by the assigned owner of the sce-url-database. The authorization level required by a user to perform this task is Admin.
A person should already be assigned as the owner of the sce-url-database.
The following options are available to configure write protection in the sce-url-database:
The following are the default settings available while configuring write protection in the sce-url-database:
If protections are relaxed (changed from owner-only to all-users), the sce-url-database is reset automatically.
To configure lookup-protection for the sce-url database, use the following command in the interface linecard configuration mode (config if):
sce-url-database protection allow-lookup (owner-only | no-user).
This command can be executed only by the assigned owner of the sce-url-database. The authorization level required by a user to perform this task is Admin.
An owner should already be assigned to the sce-url-database.
The following options are available to configure lookup protection in the sce-url-database:
The following are the default settings available while configuring lookup protection in the sce-url-database:
If protections are relaxed (changed from no-user to owner-only), the sce-url-database is reset automatically.
To configure the sce-url-database encryption key, use the following command in the interface linecard configuration mode (config if):
sce-url-database protection encryption-key encryption-key
This command can be executed only by the assigned owner of the sce-url-database.The authorization level required by a user to perform this task is Admin.
An owner should already be assigned to the sce-url-database.
encryption-key —AES encryption key (128-bits long). The key is supplied in hexadecimal format and contains 32, 48, or 64 hexadecimal digits.
No encryption key is configured.
To remove the encryption key, use the no sce-url-database protection encryption-key command.
This command does not change any other sce-url-database protection settings.
Note When you change the encryption key of the sce-url-database, this message appears on the CLI: Due to changes in security settings existing protection database is being removed.
To remove all the protection rules for the sce-url-database, use the following command in the interface linecard configuration mode (config if):
no sce-url-database protection
This command can be executed only by the assigned owner of the sce-url-database.The authorization level required by a user to perform this task is Admin.
An owner should already be assigned to the sce-url-database.
The following are the results for removing all the protection rules in the sec-url-database:
To view the current sce-url-database protection settings, use the use the following command in User EXEC (>) mode:
show interface linecard 0 sce-url-database protection.
The authorization level required by a user to perform this task is Viewer.
The following information is displayed when the show interface linecard 0 sce-url-database protection command is run:
The designated owner of the sce-url-database can do perform the following tasks:
If write protection is set to all-users, all the users can perform the following tasks:
If there is no designated owner (and therefore, no protection), all the users can view the entire sce-url-database.
If there is a designated owner, the contents of the sce-url-database are protected and cannot be displayed.
The guidelines for managing the sce-url-database include:
The maximum number of entries permitted in an import file are:
The database import file either contains cleartext or is encrypted. If the file is encrypted, the matching encryption key must be configured by the database owner.
If the file is encrypted, it must be prefixed with a cleartext header. The encrypted file header must be as follows:
After the header, the following data appears in the encrypted format in the AES 128, CFB mode:
The import file format of the sce-url-database is:
Table 1 lists some URL examples.
See the “The sce-url-database Import File” section for information about the sce-url-database import file format.
To import the sce-url-database files, use the following command in the interface linecard configuration mode (config if):
sce-url-database import cleartext-file | encrypted-file file-name flavor-id flavor-id
If the import file does not contain a flavor, specify the flavor in the CLI. The specified flavor must be the same as the one that was designated for the blacklist in the PQB file that was applied. Otherwise the import operation fails.
If the import file contains a flavor, do not specify the flavor in the CLI.
The authorization level required by a user to perform this task is Admin.
The user executing the command must have write permission to the sce-url-database.
The following options are available to import a sce-url-database file:
The sce-url-database is empty.
The following are the results after importing a sce-url-database file:
The total number of failures and a listing of the failed file line numbers are reported after the import action is completed.
To add an entry to the sce-url-database, use the following command in the interface linecard configuration mode (config if):
sce-url-database add-entry url-wildcard URL-wildcard-format flavor-id flavor-id
The authorization level required by a user to perform this task is Admin.
The user who is executing the command must have write permission to the sce-url-database.
The following options are available to add an entry to the sce-url database:
URL: (* | [*] [Host-Suffix] | [*] [Host-Suffix] / [URL-Prefix [*]] [URL suffix] [? Params-prefix])
See Table 1 for examples on how to define URLs.
To view the sce-url-database, use the following command in the Privileged EXEC (#) mode:
show interface linecard 0 sce-url-database all-entries
The authorization level required by a user to perform this task is Admin.
All protection must be removed from the sce-url-database and there should be no assigned owner. If an assigned owner exists, the database becomes protected and cannot be displayed.
To look for a specific URL in the sce-url-database, use the following command in the Privileged EXEC (#) mode:
show interface linecard 0 sce-url-database url url
The authorization level required by a user to perform this task is Admin.
The user who is executing the command must have lookup permission in the sce-url-database.
url —Specific URL to look up in the sce-url-database.
The following are the results when the user tries to look for a specific URL in the sce-url-database file:
To clear the sce-url-database, use the following command in the interface linecard configuration mode (config if):
The authorization level required by a user to perform this task is Admin.
The user executing the command must have write permission in the sce-url-database.
The HTTP flows may contain multiple transactions. Typically, each such inner URL should be verified against the protected URL database, not just the initial one. However, because this has a deep impact on performance HTTP inspection is disabled by default.
You can enable the deep HTTP inspection option from the Cisco SCA BB Console. The actual configuration relates to the number of HTTP transactions that are examined per HTTP flow (number of HTTP GET detections). By default, only the first transaction is examined; you can define this to be any number of transactions between 1 and 65535.
Note We recommend that you monitor the performance of the Cisco SCE platform when deep HTTP inspection is enabled, because enabling this functionality may result in performance degradation.
Step 1 In the SCA BB Console Service Configuration Editor, choose
Configuration > System Settings > Advanced Options tab > Advanced Service Configuration Options.
Figure 1 Advanced Service Configuration Options Window
Step 2 In the Advance Services Configuration Options window that is displayed (Figure 1), in the Number of HTTP GET detections field, enter the number of HTTP transactions to examine the per HTTP flow. The valid value ranges from 1 to 65535.
URL normalization is a procedure that brings URL flavors having the same meaning into a canonical presentation, which minimizes the number of false-negative lookup results and may significantly improve the efficiency of the protected blacklisting operation.
URL normalization involves the following:
By default, these normalization operations are disabled, but when enabling URL normalization, both of them come into effect for the protected blacklist.
You must first enable URL normalization and then import the blacklist entries so that they are affected accordingly.
Use the URL normalization commands to:
URL normalization should be configured before service configuration (PQB file) is applied to the Cisco SCE platform and before the sce-url-database is loaded.
To enable the URL normalization, use the following command in the interface linecard configuration mode (config if):
The authorization level required by a user to perform this task is Root.
To disable the URL normalization, use the following command in the interface linecard configuration mode (config if):
The authorization level required by a user to perform this task is Root.
To reset the URL normalization to the default state, use the following command in the interface linecard configuration mode (config if):
By default, the URL normalization is disabled. The authorization level required by a user to perform this task is Root.
The following example shows how to configure the protected URL database, including defining the flavors in the Cisco SCA BB Console, configuring the protections in the Cisco SCE platform, and importing a URL file.
Step 1 Enable URL normalization as shown here:
Step 2 In the Flavor Settings window, right-click HTTP URL and choose New > HTTP URL Flavor (see Figure 2 ).
Figure 2 Flavor Settings—Flavors Editing Dialog Box
Step 3 Enter a Name and Index, as required (see Figure 3).The Index number is the flavor ID that is required by a number of CLI commands.
Figure 3 Flavor Settings—Flavors Editing Dialog Box with Name and Index Information
Step 5 Define a service that will use the new flavor.
Step 6 Specify the number of HTTP GET detections.
Figure 4 Advanced Service Configuration Options Window
Step 7 In the Service Configuration Editor window, choose Configuration > System Settings > Advanced Options tab > Advanced Service Configuration Options.The Advanced Service Configuration Options window opens (see Figure 4).
Step 8 In the Advance Services Configuration Options window, in the Number of HTTP GET detections field, enter the number of HTTP transactions to examine per HTTP flow (1 to 65535).
Step 9 Apply the service configuration to the Cisco SCE.
Step 10 Define the Cisco SCE to require user login and define the special owner user using the username BlacklistOwner privilege 10 password pass command as shown in the following example:
Step 11 Log in as the owner using the following information:
Step 12 Configure the owner of the sce-url-database using the sce-url-database protection owner. command, as shown in the following example:
Step 13 (Optional) Allow all the users to update the database using the sce-url-database protection allow-write all-users c ommand, as shown in the following example:
Step 14 (Optional) Provide the owner with the necessary permission to perform the lookup action on the database using the sce-url-database protection allow-lookup owner-only c ommand, as shown in the following example:
Step 15 Define an encryption key to be used when importing an encrypted URLs file using the sce-url-database protection encryption-key command, as shown in the following example :
This should be done periodically over a secure Telnet session.
Step 16 Import an encrypted file containing the required URLs for the relevant flavor ID using the sce-url-database import encrypted-file urls.csv flavor-id command, as shown in the following example :
Step 17 Save the configuration using the copy running-config-all startup-config-all command, as show in the following example:
Step 18 Log out to prevent unauthorized users from manipulating the protected database using the logout command, as shown in the following example:
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.