How can I deny all Web access by default and then only allow access to specific sites?
Sunday, 27 May 2007

Introduction

This article describes how to restrict Web access by blocking all sites by default and then allowing only specific sites. This scenario does not require a Webwasher URL Filtering subscription.

Before You Begin

Here are some things to note before you begin:
  • You will not be able to access the Internet on port 80 or port 443 unless the destination is in the allowed lists, so DNS resolution must work if you use Web Lists.
  • The number of allowed destination URL fragments in the Web Lists should not rise above roughly 500, or there will be a significant performance penalty while the Pattern Matching Engine and DNS Resolver work. If short-string URLs are not used, it may be wise to keep the number of entries below roughly 100. The overhead for IP addresses in the ACL tables is much lower, so resolve the sites and enter IPs whenever it is practical. Remember that you will need to update the IPs if the site host's IP changes; load-balanced sites will require every IP, or a URL fragment in the Web Lists instead.
  • Allow and Block features form a matrix of controls. They are not absolute: their behavior depends on which features are in use and on the setting of the Access Control Default Action (Allow or Block). The following priorities are enforced, and they show that Web List Allow trumps Packet Filtering Rules and ACL Block Lists. This means that specific workstation IPs cannot be completely blacklisted when Web Lists are used. When the Access Control Default Action is set to Block, it also means that specific workstation IPs cannot be completely whitelisted for unrestricted Internet access. If Web Lists are not used, the priorities and restrictions change.

    Access control options operate in this order for WWW access:

    1. Web list allow
    2. Web list deny
    3. Security policy enforcement (Interface Firewall Classes & Packet Filtering Rules)
    4. ACL allow lists
    5. ACL block lists
    6. Content filtering (Webwasher URL Filtering Subscription)

    Access control options operate in this order for all other Internet access:

    1. Security policy enforcement (Interface Firewall Classes & Packet Filtering Rules)
    2. ACL allow lists
    3. ACL block lists

Procedure

You will need to activate Access Control (Web Proxy), change the Default Action, and then enter the allowed destinations in the ACL and Web Lists tabs.
  1. Go to Firewall > Access Control and check Enable Access Control. User Authentication on the SnapGear local user database is optional. Change the Default Action to Block. Leave the Syslog Level at Zero. You cannot use Fast Web Mode with ACLs or Web Lists. Click Submit. All Web traffic routed through the SnapGear should now be blocked.

  2. Go to Firewall > Definitions and select the Addresses tab. Create a new ‘Single Address or Range’ IP address list named Web Whitelist. If the required addresses are not in a contiguous range, create new ‘Single Address’ entries and add them to a new ‘Address Group’ list.

    The Web Whitelist will form the allowed destinations list defined by IP. Place as many entries as is practical here. The names of defined objects can vary as desired but must be unique on the SnapGear. If multiple SnapGear appliances are being managed by Command Center, the IP address list objects with different data must be unique across ALL of the managed SnapGear devices.

  3. Go to Firewall > Access Control > ACL tab and select the drop-down list for the Allowed Destination Hosts. Choose the Web Whitelist Address Range or Address Group. Click Submit. All servers and workstations should now have access to the Web Whitelist destinations. You don't need an entry for Blocked Destination Hosts because the Access Control Default Action is set to Block.

  4. Go to the Web Lists tab and add entries for the URL Allow List. The URL Block List is not required because the Access Control Default Action is set to Block. Access to each Web site should be allowed as soon as you click the Add button. Web List entries cannot be edited, but they can be deleted and added again with the required changes. You can copy desired sections of an existing entry from the browser before deleting it. Consider the following cautions from the Online Help Page [The (?) Button]:

    This section of access control enables configuration of allowed and blocked URL fragments. Only WWW browsing will be restricted by these settings, and if a requested URL contains any of the URL fragments defined, the rule will be triggered.

    Defining overly short URL fragments can result in many sites matching and being allowed or denied erroneously.

    There is a maximum limit on the size and number of the URL fragments but due to the arcane way they are processed, it is difficult to quantify exactly what the limit is. The limit depends not only on the number of fragments and the length of these fragments but also on the specific textual content making them up. However, hundreds or even thousands of reasonable length fragments should be within the limit and will incur only a slight time cost for filtering.
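The two points a practitioner most often gets wrong here are the precedence order listed under Before You Begin (Web List Allow is consulted before Packet Filtering Rules and ACL Block Lists for WWW traffic, and not at all for other traffic) and the substring nature of URL fragment matching that the help text warns about. The following Python model is an added illustration, not SnapGear firmware, its configuration format, or code from the vendor; the `Policy` fields, the `decide()` function, the representation of Packet Filtering Rules as (source network, destination network, action) tuples, and all addresses and URLs are constructed assumptions chosen only to show the decision order.

```python
"""Model of the SnapGear access-control precedence described in the FAQ.

Added illustration, not SnapGear code. For WWW traffic (port 80/443 with a
URL) it checks, in order: Web List allow, Web List deny, security policy
(Packet Filtering Rules), ACL allow list, ACL block list, then the Access
Control Default Action. For all other traffic the Web List steps are skipped.
URL fragments are matched as substrings, which is why short fragments
over-match.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    # All field names are assumptions made for this model, not SnapGear settings.
    default_action: str = "Block"                              # Access Control Default Action
    url_allow: List[str] = field(default_factory=list)         # Web Lists: URL Allow List
    url_block: List[str] = field(default_factory=list)         # Web Lists: URL Block List
    packet_rules: List[Tuple[str, str, str]] = field(default_factory=list)  # (src net, dst net, action)
    acl_allow_dst: List[str] = field(default_factory=list)     # ACL: Allowed Destination Hosts
    acl_block_dst: List[str] = field(default_factory=list)     # ACL: Blocked Destination Hosts
    acl_block_src: List[str] = field(default_factory=list)     # ACL: blocked source workstations


def _in_any(addr: str, nets: List[str]) -> bool:
    """True if addr falls inside any of the CIDR networks in nets."""
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in nets)


def fragment_matches(url: str, fragments: List[str]) -> List[str]:
    """Return every fragment that occurs as a substring of the URL (the Web List rule)."""
    return [f for f in fragments if f in url]


def _security_policy(policy: Policy, src: str, dst: str) -> Optional[str]:
    """First matching Packet Filtering Rule decides; None if no rule matches."""
    for src_net, dst_net, action in policy.packet_rules:
        if _in_any(src, [src_net]) and _in_any(dst, [dst_net]):
            return action
    return None


def decide(policy: Policy, src_ip: str, dst_ip: str, dst_port: int, url: Optional[str] = None):
    """Return (verdict, reason) for one request, following the FAQ's priority order."""
    is_www = dst_port in (80, 443) and url is not None
    if is_www:
        # 1-2. Web Lists are consulted first and only for WWW access.
        if fragment_matches(url, policy.url_allow):
            return "Allow", "web list allow"
        if fragment_matches(url, policy.url_block):
            return "Block", "web list deny"
    # 3. Security policy enforcement (a Block here ends evaluation).
    if _security_policy(policy, src_ip, dst_ip) == "Block":
        return "Block", "packet filtering rule"
    # 4-5. ACL allow lists, then ACL block lists.
    if _in_any(dst_ip, policy.acl_allow_dst):
        return "Allow", "ACL allow list"
    if _in_any(dst_ip, policy.acl_block_dst) or _in_any(src_ip, policy.acl_block_src):
        return "Block", "ACL block list"
    # Nothing matched: the Default Action applies.
    return policy.default_action, "default action"


if __name__ == "__main__":
    # Constructed sample: default Block, one allowed URL fragment, one whitelist
    # subnet, and a Packet Filtering Rule that blocks one workstation entirely.
    p = Policy(default_action="Block",
               url_allow=["www.example.com"],
               packet_rules=[("192.0.2.50/32", "0.0.0.0/0", "Block")],
               acl_allow_dst=["198.51.100.0/24"])
    print(decide(p, "192.0.2.50", "203.0.113.10", 80, "http://www.example.com/"))   # blocked host still allowed
    print(decide(p, "192.0.2.50", "203.0.113.10", 25))                             # non-WWW: rule blocks it
    print(decide(p, "192.0.2.20", "203.0.113.10", 80, "http://other.example/"))    # falls to Default Action
    print(fragment_matches("http://bankruptcy.example.net/", ["bank"]))            # short fragment over-match
```

The first print shows the effect the FAQ warns about: the workstation that a Packet Filtering Rule blocks outright still reaches any site on the URL Allow List, because the Web List allow step runs before the security policy for WWW traffic; the same workstation on port 25 is blocked, since the Web Lists are not consulted for non-WWW access. The last line shows why the help text cautions against short fragments: `bank` matches an unrelated host because matching is a plain substring test.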
