CacheGuard-OS
User's Guide - Version UF-2.3.4

URL Guarding

The URL guarding (or filtering) allows you to have control over the Web browsing in your organisation. You can activate the URL guarding by using the mode guard on command. This feature is based on blacklists (denied) or white lists (allowed) of domain names and URLs that you can manage using the urllist command. You have also the possibility to use regular expressions in addition to URL lists. In this way, you have the possibility to give access to only allowed websites in your white lists or block access attempts to URLs appearing in your blacklists. The guard command allows you to configure the URL guarding by creating filters, policies and rules. A URL guard rule denies access to a set of blacklists or allows access to a set of white lists according to filters associated to a policy. Each rule is associated to one and one policy identified by a unique name. A policy can be associated to one or more filters. Finally a filter can specify a source IP address, an LDAP request or a time specification. A policy named default allows you to define a default rule to apply to all Web clients for which no other policies are matched. In the example below, a default rule is created to block access to Advertising and Malware websites for all Web clients:

• mode guard on
• urllist add Advertising
• urllist add Malware
• urllist load create Advertising tftp 172.18.2.1 Advertising domains urls
• urllist load create Malware tftp 172.18.2.1 Malware domains urls
• guard rule add default deny Advertising Malware
• apply

In the example above, two URL list categories named Advertising and Malware are created first and then populated with list of domain names and URLs in files located on a remote TFTP file server having the 172.18.2.1 IP address. Please note that prior to be able to exchange files with a (TFTP, FTP or SFTP) file server, the file server should be declared as trusted. You can refer to the access file command to learn how to add a file server to the list of trusted file servers. The sixth argument in the urllist load... command usage form specify the base name (Advertising or Malware) of files that should be located on the specified file server and the urllist command expects to find files with the .domains.gz and .urls.gz extensions. As you can guess, URL list files should be in gzip compressed format (loading uncompressed URL list files is not supported).

Domain name files (.domains.gz) should contain a list of domain base names (one per line). A domain base name is a domain name without any prefix. For instance example.com is considered as domain base name while www.example.com is not. To specify a domain name with a prefix, you should put in a URL file (.urls.gz). URL files (.urls.gz) should contain a list of content specification (one per line) similar to a URL without the protocol part in the form <domain-name>/<path> where the <domain-name> is a fully qualified domain name and the <path> is a path specification. For instance, www.example.com/foo/bar/zoo.html is a valid URL in this context while http://www.example.com:81/foo/bar/zoo.html?id=1 is not.

URL Lists

The URL guarding is mainly based on URL lists that you should keep updated (as every day, thousands of new websites are published on the Web). Daily updated URL lists are offered as an optional service by CacheGuard Technologies Ltd that you can easily subscribe to. However, you have the possibility to use your own URL lists and keep them automatically updated on your CacheGuard appliance. To update a URL list, you have the possibility to create it from scratch by loading its full content from URL list file or just load a difference file (preferred method). For instance, to automatically update the URL list named WebMail from ftp://172.18.2.1/DF/WebMail on a daily basis, you can use the following command:

• password file add ftp 172.18.2.1 john
• urllist auto WebMail on load update daily ftp 172.18.2.1 DF/WebMail
• apply

Difference URL list files should respect a syntax explained in the urllist command manual. Please refer that manual for further information.

Policies & Filters

Guard policies allow you to apply the URL guarding to a specific group of Web clients matching certain criteria. For instance, you may want to block Advertising websites for users in the 10.0.10.0 255.255.255.0 network that belong to the cn=support,ou=groups,dc=example,dc=comLDAP group between 12:30 and 13:30 (1:30 PM) hours. To that end, you should first create 3 guard filters and then associate them to a policy and finally create a guard rule based on that guard policy. The following commands allow you to define such a guarding policy:

• guard filter ip add london network 10.0.10.0 255.255.255.0
• guard filter time add lunchHours slot 12:30-13:30
• guard filter ldap add supportTeam 'cn=support,ou=groups,dc=example,dc=com' memberUid 'objectclass=posixGroup'
• guard policy add londonSupport ip london time lunchHours ldap supportTeam
• guard rule add londonSupport deny Advertising
• apply

Please note that LDAP filters can only be used when the Web authentication mode is activated. Please refer to the Web Authentication section and the authenticate command manual for further information on LDAP authentication. LDAP filter Note: in the example above, the memberUid specifies the LDAP attribute used to store the login name provided by users during the authentication. The objectclass=posixGroup is the request to retrieve the user on the LDAP server.