Solved

Capturing https traffic cisco ios router 2911 for URL filtering

Posted on 2013-06-20
7
2,053 Views
Last Modified: 2013-06-25
Hi there
Running Cisco 2911 ios version 'ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)' I have websense url filtering server.  I have offered these commands on the cisco router (as under).  My websense is capturing only HTTP traffic and not the HTTPS traffic, I have seen the traffic on wireshark on the websense server, no sign of https traffic only http.
Which command am I missing so that I can send the https traffic to websense server for url filtering?
ip inspect name TRAFFIC_INSPECTI https
ip inspect name TRAFFIC_INSPECTI telnet
ip inspect name TRAFFIC_INSPECTI sip
ip inspect name TRAFFIC_INSPECTI skinny
ip inspect name TRAFFIC_INSPECTI smtp
ip inspect name TRAFFIC_INSPECTI rtsp
ip inspect name TRAFFIC_INSPECTI tcp
ip inspect name TRAFFIC_INSPECTI udp
ip inspect name TRAFFIC_INSPECTI icmp
ip inspect name TRAFFIC_INSPECTI http java-list 21 urlfilter
ip urlfilter allow-mode on
ip urlfilter urlf-server-log
ip urlfilter server vendor websense 10.10.10.133 retrans 6 timeout 8
ip ips notify SDEE
I have followed this article but it only states for http and not https:
http://www.websense.com/content/support/library/web/v75/wws_cisco_supp/cisco_ios_router_startup_config.aspx#1047473
0
Comment
Question by:amanzoor
7 Comments
 
LVL 17

Accepted Solution

by:
surbabu140977 earned 300 total points
Comment Utility
In cisco, I think only the http traffic can be inspected, not the https.

The protocols supported in cisco are -- cuseeme/ftp/h323/http/rcmd/realaudio/rpc/smtp/sqlnet/streamworks/tcp/tftp/udp/vdolive/imap/pop3 and a few others but definitely not https.

If something drastically changed in 15.1 (doesn't look like), my apology then.

In the following cisco link ( Table 3 Protocol Keywords--Application-Layer Protocols table) you can check/verify.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i2.html#wp2665953023

Best,
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 100 total points
Comment Utility
Https traffic is encrypted, which includes the URL. You can't inspect it unless you have a device which can proxy the SSL connection and act as a man in the middle.
0
 
LVL 4

Author Comment

by:amanzoor
Comment Utility
Hi Guys,
This is my new websense Triton server (VM).  On my old websense physical box I had port monitoring enabled on my switch and I was able to see all traffic (http+https) on the websense server.  So I could say the https traffic is there but the websense triton (VM) is unable to see it unless I physically map its card to the port monitoring switch?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 17

Expert Comment

by:surbabu140977
Comment Utility
If you are doing that then may be "yes", But you cannot divert/inspect https from cisco devices using ios commands. The ios will not be able to understand https.

If you are spanning/mirroring a switch port, using websense you can sniff https.

Best,
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
Comment Utility
Did you apply the filter to the internal lan interface? And did you create an inspect rule that points to the url filter rule

ip inspect name URLFILTER http urlfilter

At the interface:
 ip inspect URLFILTER in
0
 
LVL 4

Author Comment

by:amanzoor
Comment Utility
irmoore:
I have tried applying the filter to the lan interface, it makes no change:
int_gig 0/0> ip inspect name TRAFFIC_INSPECTI out/in   (no change on the websense server it only sees the http traffic.  
with this my global command is:
ip inspect name TRAFFIC_INSPECTI http java-list 21 urlfilter
Websense server only sees http traffic.
0
 
LVL 4

Author Closing Comment

by:amanzoor
Comment Utility
Thanks guys, Good to know that my router 2911 cannot divert the https traffic only ASA and above can do it.  Now I have to run a long cable from my datacenter to the physical websense to work.  Also if I had the license for VDS feature in VMware I could have used it to map the port span on my brocade switch to sniff http/https traffic.
Regards
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now