The Best Damn Cisco Internetworking Book Period

Filtering Web Traffic

PIX firewalls can enforce an acceptable use policy for Web access, as well as handle active content such as ActiveX or Java applets, which could be used to hide malicious code.

Filtering URLs

It is possible to use ACLs to filter Web sites, but if the list of sites grows long, this solution will affect firewall performance. ACLs also cannot single out individual Web pages on a site. One common approach is to offload these duties to a dedicated URL filtering server, which allows for fine-tuning of Web access controls. The sequence of events is as follows:

  1. A client establishes a TCP connection to a Web server.

  2. The client sends an HTTP request for a page on this server.

  3. The PIX intercepts this request and hands it over to the filtering server.

  4. The filtering server decides if the client should be allowed access to the requested page.

  5. If the decision is positive, the PIX forwards the request to the server and the client receives the requested content.

  6. If the decision is negative, the client's request is dropped.

Figure 8.9 demonstrates this process.


Figure 8.9: Interaction Among a Client, a Web Server, PIX, and a Filtering Server
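
The six steps above can be modeled in a few lines of Python. This is an added illustration, not PIX, Websense, or N2H2 code; the function names, the policy list, and the sample hosts are constructed. It shows the point an ACL cannot express: two pages on the same server receive different decisions.

```python
from urllib.parse import urlsplit

# Constructed policy held by the hypothetical filtering server:
# (host, path prefix) pairs that must be denied.
BLOCKED = [("www.example.com", "/games/"), ("ads.example.net", "/")]


def parse_http_request(raw: bytes):
    """Step 2: pull the method, host and path out of the client's HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.lower().startswith("http://"):  # absolute-form request line
        parts = urlsplit(target)
        host, path = parts.netloc, parts.path or "/"
    else:                                     # origin-form: host is in the Host header
        host, path = headers.get("host", ""), target
    # Normalise: drop any :port suffix and compare hosts case-insensitively.
    return method, host.split(":")[0].lower(), path


def filtering_server_decision(client_ip: str, host: str, path: str) -> bool:
    """Step 4: the filtering server allows or denies this client/URL pair.

    client_ip is passed so a policy could differ per client; the
    constructed policy here ignores it.
    """
    for blocked_host, prefix in BLOCKED:
        if host == blocked_host and path.startswith(prefix):
            return False
    return True


def pix_handle(client_ip: str, raw_request: bytes):
    """Steps 3, 5 and 6: hold the request, ask the filter, then forward or drop."""
    _method, host, path = parse_http_request(raw_request)
    allowed = filtering_server_decision(client_ip, host, path)
    return ("forward" if allowed else "drop", f"http://{host}{path}")


if __name__ == "__main__":
    # Constructed requests: same server, different pages.
    for page in (b"/games/chess.html", b"/docs/index.html"):
        req = b"GET " + page + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
        print(pix_handle("192.0.2.15", req))
```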

Websense and N2H2

The PIX can interact with two types of filtering servers: Websense (www.websense.com) and N2H2 (www.n2h2.com). Websense is supported in PIX version 5.3 and later, and N2H2 support was added in version 6.2. PIX URL filtering is applied only to HTTP requests. The PIX also does not...
