Thursday, 22 November 2012

SRX UTM - Content Filtering

The content filtering UTM module can block specific content on the SMTP, POP3, IMAP, HTTP and FTP protocols based on MIME type, file extension or protocol command. In this post content filtering will be configured and verified. This post builds on the UTM knowledge discussed in the UTM Overview Post, so feel free to reference that post first. The diagram below outlines the basic lab setup for this exercise.


Configure Content Filtering
1. Create Custom Objects
Content filtering supports three custom object types: protocol-command, filename-extension and mime-pattern. For protocol commands, the FTP command 'user' was configured under the protocol-command list 'PROTO-BLOCK'. For filename extensions, the extension '.exe' was configured under the filename-extension list 'EXTENSION-BLOCK'. For MIME patterns, the pattern 'video/quicktime' was configured under the mime-pattern list 'MIME-BLOCK'. The screenshot below outlines these commands.

2. Configure Feature Profile
The previously created custom object lists can be referenced in a content filtering feature profile. Some content types can be blocked directly in the feature profile without referencing a custom object list (ActiveX, exe, HTTP cookies, Java applets and zip). This example did not use any of those options; it simply references the custom object lists created in step 1. A custom-message was also defined to tell users that the content was blocked. The screenshot below outlines the commands.

3. Configure UTM Policy
This step is slightly more involved than in the post on web filtering. You will notice that profiles are specified for all UTM protocols. This is because the content filtering module supports all UTM protocols, whereas web filtering only supports HTTP. If content filtering were only needed for certain protocols, only those profiles would be specified here. Keep in mind that if no profile is specified for a protocol under the UTM policy, that protocol is not inspected at all and its traffic is permitted. The screenshot below outlines the commands used to configure a UTM policy for content filtering on all supported protocols.

4. Attach UTM Policy to Security Policy
This step simply references the UTM policy on the desired security policy. In the example below the UTM policy created in step 3 is configured under the existing security policy 'OUTBOUND-INTERNET-ACCESS'.
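The full set of Junos configuration commands for steps 1 to 4, as an added example standing in for the screenshots of the original post. The custom object names and the security policy name are the ones used above; the feature profile name CF-PROFILE, the UTM policy name CF-POLICY, the zone names trust and untrust and the custom message text are assumptions. Lines starting with '#' are comments, not commands.

```junos
# Step 1: custom objects (names as used in this post)
set security utm custom-objects protocol-command PROTO-BLOCK value user
set security utm custom-objects filename-extension EXTENSION-BLOCK value exe
set security utm custom-objects mime-pattern MIME-BLOCK value video/quicktime

# Step 2: content filtering feature profile (CF-PROFILE is an assumed name)
# The block-content-type options (exe, zip, activex, ...) are not used here;
# the three custom object lists are referenced instead.
set security utm feature-profile content-filtering profile CF-PROFILE block-command PROTO-BLOCK
set security utm feature-profile content-filtering profile CF-PROFILE block-extension EXTENSION-BLOCK
set security utm feature-profile content-filtering profile CF-PROFILE block-mime list MIME-BLOCK
set security utm feature-profile content-filtering profile CF-PROFILE notification-options type message
set security utm feature-profile content-filtering profile CF-PROFILE notification-options custom-message "Content blocked by corporate policy"

# Step 3: UTM policy referencing the profile for every protocol content filtering supports
# (CF-POLICY is an assumed name). A protocol left out here is not inspected and is permitted,
# so each one is listed explicitly. FTP has separate upload and download profiles.
set security utm utm-policy CF-POLICY content-filtering http-profile CF-PROFILE
set security utm utm-policy CF-POLICY content-filtering ftp upload-profile CF-PROFILE
set security utm utm-policy CF-POLICY content-filtering ftp download-profile CF-PROFILE
set security utm utm-policy CF-POLICY content-filtering smtp-profile CF-PROFILE
set security utm utm-policy CF-POLICY content-filtering pop3-profile CF-PROFILE
set security utm utm-policy CF-POLICY content-filtering imap-profile CF-PROFILE

# Step 4: attach the UTM policy to the existing security policy
# (the from-zone / to-zone pair trust -> untrust is assumed)
set security policies from-zone trust to-zone untrust policy OUTBOUND-INTERNET-ACCESS then permit application-services utm-policy CF-POLICY
```

After a commit, 'show security utm feature-profile content-filtering' and 'show security policies policy-name OUTBOUND-INTERNET-ACCESS detail' are useful to confirm the profile is attached before moving on to the verification tests.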



Verify Content Filtering
1. Verify blocking of Protocol Command
To verify blocking of protocol commands I opened an FTP session to ftp.mozilla.net and attempted to issue the command 'user' by entering a username of anonymous. If you recall, the custom object for protocol commands had the command 'user' listed and was referenced under the 'block-command' configuration statement on the content filtering feature profile. The result can be seen in the screenshot below; as expected, the FTP command 'user' is blocked by the content filter.

2. Verify blocking of File Extension
To verify blocking of file extensions I browsed to the wireshark.com downloads page and attempted to download the most current release of Wireshark (which is an .exe file). If you recall, the custom object for file extensions had 'exe' listed and was referenced under the 'block-extension' configuration statement on the content filtering feature profile. The result can be seen in the screenshot below; as expected, the .exe file download is blocked by the content filter.
(Keep in mind this same example could have been done a different way by specifying 'block-content-type exe' under the feature profile.)


3. Verify blocking of MIME Pattern
To verify blocking of MIME patterns I browsed to the trailer.apple.com site and attempted to watch a preview of a movie (which is in QuickTime format). If you recall, the custom object for mime-pattern had 'video/quicktime' listed and was referenced under the 'block-mime list' configuration statement on the content filtering feature profile. The result is not as clear in the screenshot below, but the video did not load.

4. Verify Content Filtering Statistics from CLI
The command 'show security utm content-filtering statistics' can be used to see per-block-type counts (command, extension, MIME and content type) of what the content filter has blocked.

5. View Content Filtering Logs from CLI
First a syslog file has to be created with a match statement. The match string to use for content filtering events is 'CONTENT_FILTERING'. The screenshot below outlines the commands to create this log file.

The command 'show log {log-file name}' can be used to view the log file. The screenshot below demonstrates this. Log events for the three tests performed above are in the log file. Each event gives the source IP, the protocol and the reason the content was blocked.
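The commands for verification steps 4 and 5, as an added example rather than the screenshots from the original post. The statistics command and the match string CONTENT_FILTERING are as given above; the syslog file name cf-log is an assumption. Lines starting with '#' are comments; the 'set' lines are configuration mode, the 'show' lines are operational mode.

```junos
# Step 4 (operational mode): per-block-type counters for the content filter
show security utm content-filtering statistics

# Step 5 (configuration mode): a dedicated syslog file that keeps only
# content filtering events. cf-log is an assumed file name; 'any any' is
# facility and severity, and the match statement filters on the message tag.
set system syslog file cf-log any any
set system syslog file cf-log match CONTENT_FILTERING
commit

# Step 5 (operational mode): view the events after re-running the tests above
show log cf-log
```

Because the match statement is a regular expression against the whole message, a more specific pattern can be used later to isolate one block reason (for example the extension tests) without creating a second file.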



Conclusion
The next post will focus on UTM Anti-spam Module.

