Post on 03-Dec-2015
March 2003 ACLs 2
Objectives
When you have completed this module you will be able to do the following:
• Recall regular expression syntax rules
• Describe ACL building blocks
• Set restrictions
• Control access and requests
Access Control List (ACL) Overview
• Rules for controlling access to the NetCache
• NetCache is permissive by default (ACLs off)
• Use ACLs to:
  – Control client requests for access to protocols
  – Control user and group access to the Internet
  – Impose restrictions inside the intranet domain
• Types
  – User and Group
  – Global access control
  – Request-type access control
  – SmartFilter and WebWasher modifiers
Access Control List Overview
ACLs are methods for controlling access to the NetCache Appliance by creating sets of rules, or access control lists (ACLs). NetCache is permissive by default; that is, ACLs are not enabled and no requests are denied. Access control settings prevent unauthorized clients from accessing the services of a NetCache Appliance and restrict the access of authorized clients. ACLs are used to control individual and group access to the Internet, and to impose restrictions inside the intranet domain.
ACLs govern client requests for access to web content and supported protocols, such as HTTP, FTP, Gopher, and Tunnel.
Individual and group access ACLs can be applied explicitly to authorized users, but they are also effective for administering access control to individuals as part of a group.
Global Access Control
The Global Access Control option allows you to set rules to allow or deny access to web objects or domains by specifying the URLs or servers to which you want to restrict access. Global access control settings are processed for every request sent to the NetCache Appliance. NetCache follows Global rules regardless of any content category restrictions set in the SmartFilter options.
For example, to deny access to a specific URL, use the following entry:
deny url "http://www.objectionable.com"
Request-Type Access Control
The Request-Type Access Control option allows you to set rules that allow or deny access to particular types of requests, such as FTP. Generally, Request-Type settings are protocol-specific. NetCache follows Request-Type rules regardless of any rules configured in the Global Access Control option and any content category restrictions set in the SmartFilter options.
For example, to deny FTP requests between 9 a.m. and 5 p.m., specify the following entry:
deny time 9am - 5pm
SmartFilter Modifiers
Allows you to control access to Web sites, for example, Web sites that contain objectionable content.
Access Control - WebWasher DynaBLocator
DynaBLocator blocks access to Internet content in prohibited categories. When you select a category or subcategory, all requests for content in that category or subcategory are blocked.
Access Control Options
The Access Control Options settings allow you to specify the NetCache default action when no rule matches.
Access Control Lists
• Simple language
• Access controls applied to groups
• Examples:
  – Authenticate Internet requests
    auth not server-name www.mycorp.com
  – No gambling during business hours
    deny smartfilter gambling and time 9am - 5pm
  – Only the executive staff can gamble
    re-auth smartfilter gambling and not group execs
ACL building blocks
ACLs contain sets of rules that control client access to intranet and internet services. These rules, or ACL entries, allow or deny requests based on a number of variables, such as request headers and client IP addresses. ACLs are associated with specific users, groups of users, and types of requests, such as HTTP.
Access Control Actions
• allow
• deny
• redirect <url>
• rewrite
• rewrite-redirect
• auth
• re-auth
• try-auth
• proxy
• set bitrate <bitrate-range>
• cache
• no-cache
ACL Actions
ACL actions determine the type of control implemented.
Refer to Chapter 1, “Access Control” in the NetCache 5.4 Security Guide for specific information regarding access control actions.
Action Expression Syntax
allow client-ip 128.126.10.0/24    Allow access to the specified clients
auth FTP                           Require authentication for all FTP requests
allow time 9am - 5pm               Allow access between 9am and 5pm
deny FTP                           Deny all FTP requests
Action Expression Syntax               ACL Effect
allow client-ip 128.126.10.0/24        Allows access to everyone on the 128.126.10.0/24 subnet
auth FTP                               Requires authentication for all FTP requests
deny server-name matches “.*\.net”     Denies access to the .net domain
allow time 9am - 5pm                   Allows access between 9 a.m. and 5 p.m.
deny FTP                               Denies all FTP requests
ACL Rule Checking
1. Check protocol authentication settings
2. Check ACL permission settings for the applicable group in the NetCache user database
3. Check the request-type (protocol specific) ACL
4. Check Web accelerator ACL
5. Check global ACL
6. Verify whether WebWasher denies the request
7. Verify whether SmartFilter denies the request
8. Check group protocol permissions settings
9. Allow the request
Controlling Access to Web Objects
• Control access to URLs
  – block URLs
  – redirect requests
• Control access to the proxy
  – client IP address
  – network or subnet address
Controlling Web Access
deny url “http://www.corp.com”
Denies access to a specific URL
deny server-ip 10.10.10.11
Denies access to a specific server
deny server-name matches “www.bad.com”
Denies access to a specific server
allow group “finance” and server-name www.bad.com
Allows requests from the finance group to access bad.com
Controlling Client Access
allow client-ip 192.168.1.4
Allows a specific client access to NetCache services
deny client-ip 128.148.37
Denies a specific client subnet access to NetCache services
deny client-domain corp.com
Denies a specific client domain access to NetCache services
allow time 9am - 5pm
Allows access to NetCache services from 9 a.m. to 5 p.m.
deny group finance
Denies requests to access NetCache services from members of the finance group
Redirect Rule
Grammar
rule destination source
Example
redirect “http://www.mycorp.com/restricted.html” server-ip 128.125.51.1
Effect
When a request is made for the server at 128.125.51.1, the client is sent to www.mycorp.com/restricted.html instead
Redirecting requests
A redirect action immediately redirects the request back to the client, causing the client’s browser to attempt to fetch the new URL, usually through the cache. You can redirect NetCache-generated “access denied” messages to a URL explaining why the access was denied, with instructions about how the user can resolve the problem.
Example: To redirect requests for the server 128.125.51.1 to an internal web page, use the Access Control Options on the Access Settings page of the NetCache Manager utility to specify the following rule:
redirect “http://www.mycorp.com/restricted.html” server-ip 128.125.51.1
Because redirect causes the client to issue a new request to the cache, a redirection loop might occur. To avoid a redirection loop, use rewrite or use the Global Access Control option on the Access Control Settings page of the NetCache Manager utility to explicitly allow the redirection URL. For example,
allow url “http://www.mycorp.com/gambling.html”
Rewrite Rule
Grammar
rule destination source
Example
rewrite “http://www.safe.com/restrict.html” url-prefix http://www.block.com
Effect
Replace the HTTP contents of www.block.com with the contents of www.safe.com without maintaining links
Rewriting requests
A rewrite internally rewrites a URL, causing NetCache to fetch a different object and return it to the client, if the request is allowed. You can also rewrite requests for restricted objects to other URLs by creating a pattern-matching expression or rule that represents the URL to which requests are directed.
Example: To rewrite requests for block.com to safe.com, use the Access Control Options on the Access Settings page of the NetCache Manager utility to specify the following rule:
rewrite “http://www.safe.com/restrict.html” url-prefix http://www.block.com
Optional syntax
Rewrite and redirect rules have the same action expression syntax. Optionally, the action can be followed by a URL that is the redirection target. The URL must be included in double quotation marks:
<action> “URL” <expression>
For example,
redirect “http://mycorp.com/no-gopher.html” gopher
ACL Evaluation Logic
[Flowchart] Start → Evaluate rule → Match?
  No  → Next Rule (back to Evaluate)
  Yes → Auth or rewrite?
        Yes → Next Rule
        No  → Stop
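The evaluation flow in the chart above, combined with the checking order from the ACL Rule Checking slide (request-type ACL before global ACL), modelled in Python as an added example; this is not part of the original slides or of NetCache itself, and the Request class, the predicate helpers and the (action, predicate, argument) rule format are assumptions of the model.

```python
# Added model of the ACL evaluation flow on this slide and of the rule-checking
# order (request-type ACL before global ACL). Illustrative code, not NetCache's
# implementation; Request and the predicate helpers are assumptions.
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    client_ip: str
    url: str
    server_name: str
    hour: int = 12                     # 0-23, used by "time 9am - 5pm" terms
    groups: set = field(default_factory=set)

# Predicate builders for a subset of the expression terms on these slides.
def client_ip(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda r: ipaddress.ip_address(r.client_ip) in net
def url_matches(rx):    return lambda r: re.search(rx, r.url) is not None
def url_prefix(p):      return lambda r: r.url.startswith(p)
def server_matches(rx): return lambda r: re.search(rx, r.server_name) is not None
def time_between(a, b): return lambda r: a <= r.hour < b   # e.g. 9am-5pm: (9, 17)
def group(g):           return lambda r: g in r.groups
def not_(p):            return lambda r: not p(r)
def and_(p, q):         return lambda r: p(r) and q(r)
def or_(p, q):          return lambda r: p(r) or q(r)

def evaluate(rule_lists, req):
    """rule_lists: the ACLs that apply to the request, in checking order, e.g.
    [http_rules, global_rules]. Returns (decision, auth/rewrite effects)."""
    effects = []
    for rules in rule_lists:
        for action, pred, arg in rules:
            if not pred(req):
                continue                        # no match: next rule
            if action in ("auth", "rewrite"):
                effects.append((action, arg))   # match, but evaluation goes on
                continue
            return action, effects              # allow/deny/redirect: stop
    return "allow", effects                     # nothing matched: permissive default

def precedence_exercise(url):
    """The ACL Precedence exercise: global ACL denies hotmail, HTTP ACL allows it.
    The HTTP (request-type) ACL is checked first, so its allow stops evaluation."""
    http_rules = [("allow", url_matches("http://www.hotmail.com"), None)]
    global_rules = [("deny", url_matches("http://www.hotmail.com"), None)]
    req = Request("192.168.1.4", url, url.split("/")[2])
    return evaluate([http_rules, global_rules], req)[0]
```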
Request Type ACLs
• HTTP
• HTTP-Based Tunneling
• Web Server Acceleration
• FTP
• NNTP
• Streaming
• Global
Req-line ACL variable
• Uses only the request line of the HTTP request as its value
  – GET http://web.netapp.com/ HTTP/1.0
• Allowed in the HTTP ACL only
• Alternate way to deny specific HTTP methods
  – deny req-line contains “GET”
  – deny req-line matches “^POST”
• Req_headers might give false matches, as it matches against all the headers
Protocol Specific ACL Examples
• HTTP
  deny url "http://www.gambling.com"
• HTTP-Based Tunneling ACL
  deny url "http://www.games.com"
• Web Server Accelerator ACL
  deny not accel
• FTP ACL
  deny ftp
• NNTP ACL
  deny nntp
• Streaming ACL
  allow client-ip xxx.xx.xxx.40
  where requests for streams from client xxx.xx.xxx.40 are allowed.
Protocol Specific ACLs
Rules set using the protocol-specific options on this page (including streaming MMS and RTSP) are request-type rules. Request-type rules control access to requests of a particular type, or protocol. Global rule settings, also on this page, impose restrictions on all traffic but do not take precedence over request-type rules when applied.
Refer to Online Help for specific configuration information.
Example ACLs
allow client-ip 206.79.5.0/24 or client-ip 206.79.6.1
Allow access to the specified client IP addresses
deny server-ip 206.79.5.61
Deny access to the specified server IP address
auth ftp
Require authentication for FTP requests
deny group peons and time 9am - 5pm
Deny access to members of the group “peons” between 9am and 5pm
deny user bob and smartfilter Gambling
Deny any gambling-related site requests from bob
deny smartfilter Worthless and time 9am - 5pm
Deny all requests for access to sites categorized by SmartFilter as Worthless between 9am and 5pm
More Examples
deny url matches “badword”
Deny access to any URL containing the specified bad word
deny url-prefix ftp://www.mycorp.com/blocked/
Deny access to the specified FTP URL
deny ftp
Deny all FTP requests
auth time 9am - 5pm
Require authentication for all requests between 9am and 5pm
deny not ( auth or server-name matches "mycorp.com$")
Allow access to authenticated users, or any access to the specified server, while denying access to everyone else
redirect "http://mycorp.com/gambling-policy.html" smartfilter Gambling
Send all requests for gambling sites to the specified URL
ACL Wizards
• New feature and concept in NetCache
• Provide methods to easily access sets of ACLs
• Each wizard:
  – Scans full ACL list and returns relevant, simplified output
  – Takes a list of simplified input and converts this into the ACL equivalents
  – If adding
    • Runs ACL validation on the new ACL input
    • Appends new ACLs if passed, otherwise returns error
  – If deleting, attempts to remove specified input
aclwiz
netcache> aclwiz
usage:
aclwiz show {keyword}
aclwiz add {keyword} {value|\\}
aclwiz delete {keyword} [value|\\]
aclwiz set {keyword} {value|\\}
where {keyword} can be:
filter_exception
aclwiz command
In NetCache 5.4, you can use the aclwiz command as a simple way to set ACLs by using the “filter-exception” template. This template enables you to allow specific URLs in a WebWasher DynaBLocator or SmartFilter category that you have blocked. This command takes two forms of input: HTTP URLs, for example, http://www.netapp.com, and any phrase used in a regex URL search.
Refer to the NetCache 5.4 Command Line Reference for additional information.
Exceptions to HTTP Filtering using an “Access Control List Wizard”
HTTP Filtering using ACL Wizard
Exceptions to HTTP Content Filtering
• Objective:
  – Customer desires an easy way to poke holes into our 3rd party HTTP content filtering libraries
  – For instance, the “Investment” category may be blocked, but administration wants to allow access to 401k websites
• Solution:
  – NetCache has objective functionality within the ACL infrastructure
  – Unfortunately, ACL manipulations are often complicated, and a single change may have adverse effects
  – Additionally, customers may have low level administrators who don’t, and shouldn’t, have the ability to modify ACL lists directly
  – Therefore, “ACL wizard” functionality has been added to allow simple, directed access to our ACL infrastructure
Translations and Heuristics of the HTTP Content Filtering ACL Wizard
• Takes two forms of input:
  1. HTTP URLs, e.g. “http://www.netapp.com”
  2. Any phrase, used in a regex URL search
• Converts input into ACLs:
  1. allow url “http://www.netapp.com”
  2. allow url contains “any-phrase”
• Always appends to end of ACL list
ACL Exercises
• Practice using ACL syntax
• Control Access to a Specific URL
• Learn about ACL Precedence
ACL Exercises
• 30 minutes in length
• Use breakout rooms
• Instructor will visit all rooms
• Broadcast announcement 5 minutes prior to regroup
• Stay focussed, start telnet, start GUI
• Share microphones, or no one else can be heard
Access Control Lists Exercises
Objectives
When you have completed this module you will be able to control client access to the NetCache.
Exercise Overview
The purpose of this activity is to give you hands-on experience with NetCache access control lists. During these exercises, you will be guided through each step in the process, and will have an opportunity to verify that each step was successfully completed.
Time Estimate: 15 minutes
Required Hardware, Software, and Tools
Hardware
• Workstation
• NetCache appliance
Software
• NetCache 5.4
• Netscape Navigator 4.7
• Internet Explorer 5.5 or later
ACL syntax
Describe the effect each of the following ACLs will have. Use your assigned NetCache appliance to test your answers.
1. deny url matches “badword”
2. What is the difference between the following two ACLs?
   – deny url matches “http://www.mycorp.com”
   – deny url http://www.mycorp.com
3. deny url-prefix ftp://www.mycorp.com/blocked/
4. deny ftp
5. auth time 9am - 5pm
6. redirect "http://mycorp.com/gambling-policy.html" smartfilter Gambling
Write an ACL for each of the following situations:
1. Require authentication for all members of the Finance group.
2. Deny access to CNN during working hours (9 am to 5 pm).
3. Do not require authentication for access to www.netapp.com.
Control Access to a Specific URL
Configure the NetCache access control using the options on the Access Control page in the NetCache Manager utility.
1. From the NetCache Manager select Setup > Access Controls > Access Control Lists.
2. Select ACL Enable.
3. Scroll to the HTTP ACL section and enter the following:
deny url “http://www.netapp.com”
4. Commit changes.
5. Open a new browser window and try to access
“http://www.whitehouse.gov”
What happened?
6. From the NetCache Manager, go to Setup > Access Control > Access Control List.
7. Create an HTTP ACL to redirect requests for www.yahoo.com to www.hotmail.com.
netcache> redirect “http://www.hotmail.com” url “http://www.yahoo.com”
8. From a browser client, go to http://www.hotmail.com, then go to http://www.yahoo.com.
What happened?
9. Go back to the NetCache Manager and change the redirect to rewrite and repeat.
10. From a browser client, go to http://www.hotmail.com, then go to http://www.yahoo.com.
11. What is the difference between the redirect and rewrite rules?
ACL Precedence Exercise
Configure the NetCache access control using the options on the Access Control page in the NetCache Manager utility.
1. Use a different browser and configure it to proxy through this NetCache and verify that you cannot access the URL.
2. From the NetCache Manager select Setup > Access Controls > Access Control Lists.
3. Select ACL Enable.
4. Scroll to Global ACL and enter:
deny url matches “http://www.hotmail.com”
5. Commit changes.
6. Test your ACL and access www.hotmail.com
What happened?
7. Scroll to the HTTP ACL section and enter the following:
allow url matches “http://www.hotmail.com”
8. Commit changes.
9. Return to the browser and attempt to access www.hotmail.com
What happened? Why?
10. Try some combinations of your own and observe the effect of ACL precedence.
11. To prevent conflicts with later labs, restore the saved configuration for your NetCache.