FortiGate Multi-Threat Security Systems I




FortiGate Multi-Threat Security Systems I
Module 9: Web Filtering

2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
  » Identify the web filtering mechanisms used on the FortiGate device
  » Create web content and URL filters
  » Configure FortiGuard Web Filtering
  » Configure FortiGuard Web Filtering exemptions and rating overrides
  » Define firewall policies using web filter profiles
  » Explain the differences between various web filter modes

Web Filtering
Means of controlling the web content that a user is able to view
  » Preserve employee productivity
  » Prevent network congestion where valuable bandwidth is used for non-business purposes
  » Prevent loss or exposure of confidential information
  » Decrease exposure to web-based threats
  » Limit legal liability when employees access or download inappropriate or offensive material
  » Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
  » Prevent children from viewing inappropriate material

Proxy-Based Web Filtering
Proxy-based solution that communicates between client and server
Inspects full URL
Allows for customizable block pages to display when sites are prevented
Most resource intensive option
Lowest throughput
Has the most options available in Advanced section

Proxy-Based Web Filtering
Select inspection mode in web filter profile

Flow-Based Web Filtering
Non-proxy solution that uses IPS engine to perform inspection
High throughput
Inspects full URL
FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
Only a few Advanced options available
Not as flexible as proxy-based
  » Allow, Monitor, Block ONLY
  » Warn and Authenticate not possible
  » Overrides not possible

Flow-Based Web Filtering
Select inspection mode in web filter profile

DNS-Based Web Filtering
DNS-proxy solution that uses DNS queries to decide access
DNS queries redirected to FortiGuard SDNS server
Very lightweight
SSL inspection never required
Cannot inspect URL, only hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages, can redirect to a portal
Web site access by IP means no DNS lookup

DNS-Based Web Filtering
Select inspection mode in web filter profile
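The two visibility limits of DNS-based filtering (hostname only, and no lookup at all when a site is reached by IP) can be checked against web logs from another source. The following is an added example, not part of the course material; the log format and all addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy/firewall log lines: "<client-ip> <method> <url>".
SAMPLE_LOG = """\
10.0.0.21 GET http://www.example.com/index.html
10.0.0.21 GET http://www.example.com/private/report.html
10.0.0.34 GET http://203.0.113.10/download
10.0.0.34 GET http://[2001:db8::5]:8080/
10.0.0.40 GET http://files.example.org:8080/a
"""


def host_is_ip_literal(url):
    """True when the URL names its server by IPv4/IPv6 address, not by name."""
    host = urlsplit(url).hostname  # drops the port and any IPv6 brackets
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_filter_view(log_text):
    """Return (hostnames a DNS filter could rate, requests it never saw)."""
    rated_hosts, unseen = set(), []
    for line in log_text.splitlines():
        client, _method, url = line.split(maxsplit=2)
        if host_is_ip_literal(url):
            # No DNS query precedes this request, so there was nothing to rate.
            unseen.append((client, url))
        else:
            # Different paths on one host collapse to a single decision.
            rated_hosts.add(urlsplit(url).hostname)
    return rated_hosts, unseen
```

Requests in the second list are the ones to cover with a proxy-based or flow-based profile, or with a firewall policy.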

When Does Filtering Activate?
[Diagram: request to www.acme.com, labelled DNS Request (!), TCP 3-Way Handshake, DNS Response, HTTP GET (!), HTTP 200]

HTTP Inspection Order
[Flowchart: URL Exempt, Web URL Filter, FortiGuard Filter, Advanced Filter, Content Filter, Virus Scan, then Display Page. EXEMPT exempts from ALL further inspection; at each check Allow leads to the next check and Block leads to a Block Page.]

Types of Web Filtering
Proxy-Based
  » Highly secure
  » Traffic is cached
Flow-Based
  » High throughput
  » No caching
  » Not as secure
DNS-Based
  » Very lightweight
  » Hostname filtering only
  » No advanced options, URL and FortiGuard only

Web Content Filtering
Allow or block web pages containing specific words or patterns
  » Wildcards or regular expressions used to define patterns
Scores for matched patterns are added
  » If greater than threshold, FortiGate unit performs configured action
  » If pattern appears multiple times on web page, score is only counted once
Create Pattern list in the CLI
Example (www.acme.com): Drugs Score=10, Pharmacy Score=5, Prescription Score=5; Threshold=18; 10 + 5 + 5 = 20; Block or Exempt
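The scoring rule above, worked through with the slide's pattern list and threshold. This is an added example, not FortiOS code or part of the course material; the data layout, the case-insensitive matching and the page texts are assumptions made for the sketch.

```python
import re

# Pattern list and threshold from the slide. The tuple layout and the
# case-insensitive matching are assumptions of this sketch.
PATTERNS = [
    ("drugs", "wildcard", 10),
    ("pharmacy", "wildcard", 5),
    ("prescription", "wildcard", 5),
]
THRESHOLD = 18


def to_regex(pattern, kind):
    """Compile a wildcard (* and ?) or regular-expression pattern."""
    if kind == "wildcard":
        pattern = re.escape(pattern).replace(r"\*", r"\S*").replace(r"\?", r"\S")
    return re.compile(pattern, re.IGNORECASE)


def score_page(text, patterns=PATTERNS):
    """Add the score of every pattern found; repeats of a pattern count once."""
    matched = [(p, score) for p, kind, score in patterns
               if to_regex(p, kind).search(text)]
    return sum(score for _, score in matched), [p for p, _ in matched]


def action_triggered(text, threshold=THRESHOLD, patterns=PATTERNS):
    """True when the total is greater than the threshold (Block or Exempt)."""
    total, _ = score_page(text, patterns)
    return total > threshold


# Constructed page texts.
PAGE_A = "Online pharmacy: order drugs without a prescription. Drugs, drugs!"
PAGE_B = "Drugs drugs drugs drugs"
```

PAGE_B shows why a low-scoring pattern repeated many times never reaches the threshold by itself: the threshold is only crossed by distinct patterns appearing together.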

Web URL Filtering
Control web access by allowing or blocking URLs
  » Text, wildcards or regular expressions can be used to define the URL patterns
  » If no URL match on list, go on to next enabled check
Possible web URL filter actions are:
  » Allow
  » Block
  » Monitor
  » Exempt

Web URL Filtering
[Diagram: request for URL www.mypage.com/index.html (site www.mypage.com) checked against a URL Filter list containing www.example.com, www.abc.com and www.mypage.com/index.html, with the actions Block, Allow, Monitor and Exempt]
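How a URL filter list feeds into the HTTP inspection order shown earlier, as an added example that is not FortiOS code or part of the course material. The filter list, ratings and category actions are constructed; first-match-wins ordering, prefix matching for simple entries, and Monitor behaving as allow plus logging are assumptions of this model.

```python
import re
from fnmatch import fnmatchcase

# Constructed URL filter list: (pattern, type, action), checked in order.
URL_FILTER = [
    ("www.example.com/partners/*", "wildcard", "exempt"),
    ("www.example.com", "simple", "block"),
    (r"^intranet\.example\.net/", "regex", "allow"),
    ("news.example.org", "simple", "monitor"),
]
# Constructed stand-ins for a FortiGuard rating lookup and profile actions.
RATINGS = {"games.example.org": "Games", "intranet.example.net": "Business"}
CATEGORY_ACTIONS = {"Games": "block", "Business": "allow"}


def url_filter(url, entries=URL_FILTER):
    """Return (action, pattern) of the first matching entry, else (None, None)."""
    for pattern, kind, action in entries:
        if kind == "simple":
            hit = url.startswith(pattern)  # assumed meaning of a text entry
        elif kind == "wildcard":
            hit = fnmatchcase(url, pattern)
        else:
            hit = re.search(pattern, url) is not None
        if hit:
            return action, pattern
    return None, None


def inspect(url):
    """Walk the checks in the slide's order; return (verdict, stage)."""
    action, _ = url_filter(url)
    if action == "exempt":
        return "exempt", "url filter"  # skips ALL further inspection
    if action == "block":
        return "block", "url filter"
    # Allow, Monitor and "no match" all go on to the next enabled check.
    host = url.split("/", 1)[0]
    if CATEGORY_ACTIONS.get(RATINGS.get(host)) == "block":
        return "block", "fortiguard filter"
    # Advanced Filter, Content Filter and Virus Scan are not modelled here.
    return "continue", "advanced filter"
```

Because an Exempt entry bypasses every later check, including the virus scan, its pattern should be as narrow as possible and sit above any broader entry that would otherwise match first.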

Forcing Safe Search
Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results
FortiGate unit rewrites the search URL to include the required codes to enable Safe Search
  » Supported for Google, Bing, Yahoo! and Yandex
  » Does NOT force strict safe search
YouTube EDU available
  » Instructions for YouTube will include value to enter on FortiGate unit

FortiGuard Category Filter
[Diagram: request for URL www.mypage.com checked against Categories, with the actions Allow, Block, Monitor, Warning and Authenticate]

FortiGuard Category Filter
The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
  » Action is taken based on selection in web filtering profile
Web filter rating determined by:
  » Human rater
  » Text analysis
  » Exploitation of web structure
Description of Categories can be found on FortiGuard website
http://www.fortiguard.com/static/webfiltering.html

FortiGuard Category Filter
Split into multiple categories and sub-categories
Layout will switch periodically as the Internet changes
New categories and sub-categories are released and compatible with updated firmware
  » Older firmware has new values mapped to existing categories

FortiGuard Caching
Most web sites are visited over and over again
  » FortiGate unit can remember what the response was
Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
  » Cache checked before sending request to FortiGuard server
  » TTL setting controls the number of seconds query results are cached
Small amount of FortiGate unit system memory dedicated to the cache
  » Default is 2% used for cache, can be increased to 15% from CLI
Port 53 used for FortiGuard communications
  » Alternate port number of 8888 can be used
KB Article IDs: 11779, FD32121, FD30088

FortiGuard Usage Quotas
[Diagram: Games Quota, Category: Games]
Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
If authentication is enabled, quota is automatically based on the user, otherwise IP is used
Can only apply to categories with actions: Monitor, Warn or Authenticate

Rating Submissions
Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing:
  » http://www.fortiguard.com/ip_rep.php

Rating Override
[Diagram: rating override for www.acme.com. Category: General Organizations; Sub-Category: Information and Computer Security]

Rating Override
Can override the rating applied to a hostname by FortiGuard Subscription Services
  » Hostname reassigned to a completely different category and uses that action
Override applies to FortiGate unit only
  » Changes not submitted to FortiGuard Subscription Services
Hostnames only
  » google.com
  » www.google.com
  » www.google.com/index.html

Local Categories
Rename and deletion of sub-categories only in CLI

    config webfilter ftgd-local-cat
        delete <cat_name>
        rename <cat_name> to <cat_name>

Warning Action
Action = Warning (right click in the GUI)
Web Filtering Warning Page

Authenticate Action
[Diagram: Marketing, www.hackthissite.org]

Web Filter Profiles
Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles
Profile in turn applied to firewall policy
  » Any traffic being examined by the policy will have the web filtering operations applied to it

Labs
Lab 1: Web Filtering
  » Ex 1: FortiGuard Web Filtering

Classroom Lab Topology