PIX and Websense URL filtering issue
Posted on 2006-11-22
First the network overview...
[Site A 2800]-----(       )
                  (       )-----[2800 Outside]--------+
[Site B 2800]-----(       )                           |
                  (  ISP  )---[3800 WAN]----[PIX-525v7.0]-----[Inside]
[Site C 2800]-----( CLOUD )                           |
                  (       )                         [DMZ]---------[ISA2004]
We have 3 remote sites and a number for dial-in users. Each remote site is equipped with a 2800 series Cisco router, which is connected to our ISP's frame-relay cloud. As for the dial-in users, they have been given a universal access number to dial which connects them to our ISP. We, at the Head Office, are also hooked up to the ISP's frame-relay cloud using a 3800 series Cisco router. There are a total of 4 point-to-point links, linking to the remote sites and for the dial-in users to come in. The remote sites communicate with the HO router via an IPSec tunnel that terminates on the 3800's outside interface. The dial-in users use the Cisco VPN client and establish a VPN that terminates on the PIX's WAN interface.
We employ Websense to filter all HTTP traffic on our network. The PIX intercepts HTTP traffic originating from the INSIDE to the DMZ and from the DMZ to OUTSIDE. However, the PIX does not intercept HTTP traffic originating from the remote sites or the dial-in users coming in from the WAN interface.
All nodes are configured to use the ISA server located in the DMZ as an HTTP proxy on port 8080. Nodes in the DMZ and INSIDE are subjected to the URL filtering and are properly forwarded to the ISA server, which then forwards HTTP requests outside. Nodes behind the WAN interface appear to be skipping the HTTP inspection and effectively bypassing the Websense URL filtering. Their requests are forwarded to the ISA server and onwards to outside.
Our experiments have shown that HTTP requests that originate from a high security level interface destined for a lower security level will trigger the URL filtering. But an HTTP request that originates on a lower security level interface destined for a higher security level interface will skip the URL filtering. If we configure the nodes at the remote sites to use an external proxy server, such as the one provided by our ISP, and configure the PIX to NAT the internal IPs to public ones, the URL filtering kicks in.
We suspect that the issue lies somewhere with interface security levels and URL filtering. Security levels of the PIX's interfaces are as follows:
So before I go messing with security levels, I wanted to get a 2nd opinion on this issue… so fire away!
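Before touching security levels, it helps to model the rule the experiments in the post point to (URL filtering is applied to connections initiated from a higher-security interface toward a lower one, never in the other direction) and see which flows would flip under a proposed change. The script below is an added example, not the poster's configuration or Cisco's own code. The security levels in it are assumptions, since the post does not list the real ones; they were chosen so that the model reproduces every observation in the post (INSIDE to DMZ filtered, DMZ to OUTSIDE filtered, WAN to DMZ bypassing, WAN NATed to OUTSIDE filtered).

```python
"""Which HTTP flows does PIX URL filtering inspect, given interface security
levels?  Constructed model for the post above, not configuration from it.
The security levels below are assumptions chosen to reproduce the behaviour
the post describes."""

from itertools import permutations

# Assumed security levels (the post does not list the real ones).
ASSUMED_LEVELS = {"inside": 100, "dmz": 50, "wan": 25, "outside": 0}

# Flows described in the post, as (source interface, destination interface, filtered?).
OBSERVED = [
    ("inside", "dmz", True),    # INSIDE nodes -> ISA proxy in the DMZ: filtered
    ("dmz", "outside", True),   # ISA proxy -> Internet: filtered
    ("wan", "dmz", False),      # remote sites / dial-in -> ISA proxy: bypasses filtering
    ("wan", "outside", True),   # remote sites NATed straight to the ISP proxy: filtered
]


def filter_applies(levels, src, dst):
    """URL filtering is applied only to connections initiated on a higher
    security interface toward a lower one; equal levels are not filtered."""
    return levels[src] > levels[dst]


def audit(levels, flows):
    """Return the flows that would bypass URL filtering under the given levels."""
    return [(src, dst) for src, dst in flows if not filter_applies(levels, src, dst)]


def consistent_with_observations(levels, observed=OBSERVED):
    """True if the candidate levels reproduce every observation in the post."""
    return all(filter_applies(levels, s, d) == seen for s, d, seen in observed)


def diff_filtering(old, new):
    """Flows whose filtering status changes between two level assignments,
    over every ordered pair of interfaces.  Run this before changing levels
    to see what else flips along with the flow you are trying to fix."""
    changes = {}
    for src, dst in permutations(old, 2):
        before = filter_applies(old, src, dst)
        after = filter_applies(new, src, dst)
        if before != after:
            changes[(src, dst)] = (before, after)
    return changes


if __name__ == "__main__":
    flows = [(s, d) for s, d, _ in OBSERVED]
    print("levels consistent with the post:", consistent_with_observations(ASSUMED_LEVELS))
    print("flows bypassing filtering:", audit(ASSUMED_LEVELS, flows))
    proposed = {**ASSUMED_LEVELS, "wan": 60}   # candidate: raise WAN above the DMZ
    print("what flips if WAN is raised to 60:", diff_filtering(ASSUMED_LEVELS, proposed))
```

With the assumed levels, the only bypassing flow is WAN to DMZ, which matches the post. Raising WAN above the DMZ makes that flow filtered but also stops filtering DMZ to WAN, and, separately from filtering, changing a security level changes which direction the PIX permits by default, so any such change needs the access lists reviewed as well.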