March 2003
ACLs 1
Objectives
When you have completed this module
you will be able to do the following:
Recall regular expression syntax rules
Describe ACL building blocks
Set restrictions
Control access and requests
Types
Smartfilter Modifiers
Allows you to control access to Web sites, for example, Web sites that contain
objectionable content.
re-auth
try-auth
proxy
set bitrate <bitrate-range>
cache
no-cache
ACL Actions
ACL actions determine the type of control implemented.
Refer to Chapter 1, Access Control in the NetCache 5.4 Security Guide for specific
information regarding access control actions.
Rule        Effect
auth FTP    Require authentication for all FTP requests
deny FTP    Deny all FTP requests
ACL Syntax
Action Variable Value
Example:
netcache>allow group finance
Redirect Rule
Grammar
rule destination source
Example
redirect http://www.mycorp.com/restricted.html server-ip 128.125.51.1
Effect
A request for the server at 128.125.51.1 is sent to www.mycorp.com/restricted.html
instead.
Redirecting requests
A redirect action immediately redirects the request back to the client, causing the client's
browser to attempt to fetch the new URL, usually through the cache. You can redirect
NetCache-generated access denied messages to a URL explaining why the access was
denied, with instructions about how the user can resolve the problem.
Example:
To redirect requests from server subnet 128.125.51.1 to an internal web page, use the
Access Control Options on the Access Settings page of the NetCache Manager utility to
specify the following rule:
redirect http://www.mycorp.com/restricted.html server-ip 128.125.51.1
Because redirect causes the client to issue a new request to the cache, a redirection loop
might occur. To avoid a redirection loop, use rewrite or use the Global Access Control
option on the Access Control Settings page of the NetCache Manager utility to explicitly
allow the redirection URL. For example,
allow url http://www.mycorp.com/gambling.html
Rewrite Rule
Grammar
rule destination source
Example
rewrite http://www.safe.com/restrict.html urlprefix http://www.block.com
Effect
Replace the HTTP contents of www.block.com with the contents of www.safe.com
without maintaining links.
Rewriting requests
A rewrite will internally rewrite a URL, causing NetCache to fetch a different object and
return it to the client, if the request is allowed. You can also rewrite requests for restricted
objects to other URLs by creating a pattern-matching expression or rule that represents
the URL to which requests are directed.
Example:
To rewrite requests for block.com to safe.com, use the Access Control Options on the
Access Settings page of the NetCache Manager utility to specify the following rule:
rewrite http://www.safe.com/restrict.html url-prefix http://www.block.com
Optional syntax
Rewrite and redirect rules have the same action expression syntax. Optionally,
the action can be followed by a URL that is the redirection target. The URL must be
included in double quotation marks. For example,
redirect http://mycorp.com/no-gopher.html gopher
<action> URL <expression>
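To make the redirect/rewrite distinction and the redirection-loop hazard described above concrete, here is an added toy evaluator (example code, not NetCache's own) that models first-match rule evaluation. It assumes that a redirect makes the browser re-request the target URL through the cache so the rules run again, that a rewrite substitutes the URL to fetch and continues evaluating (read from the module's flowchart), and that an unmatched request proceeds; only the url, url-prefix and matches forms are modelled, and all rule sets and URLs are constructed.

```python
import re

def parse_rule(line):
    """'<action> [target] <variable> [matches] <value>'; only url / url-prefix are modelled."""
    parts = line.split()
    target = parts.pop(1).strip('"') if parts[0] in ("redirect", "rewrite") else None
    operator = "matches" if parts[2:3] == ["matches"] else None
    return {"action": parts[0], "target": target, "variable": parts[1],
            "operator": operator, "value": " ".join(parts[3:] if operator else parts[2:])}

def matches(rule, url):
    var, op, value = rule["variable"], rule["operator"], rule["value"]
    if var == "url-prefix":
        return url.startswith(value)
    if op == "matches":  # regex search; a plain 'url <value>' is an exact match
        return re.search(value, url) is not None
    return url == value

def evaluate(rules, url):
    """First match decides; rewrite swaps the fetch URL and keeps evaluating (assumed
    from the module's flowchart); no match lets the request proceed (assumption)."""
    fetch = url
    for rule in (r for r in rules if matches(r, url)):
        if rule["action"] == "rewrite":
            fetch = rule["target"]  # internal substitution; the client URL is unchanged
        elif rule["action"] == "redirect":
            return "redirect", rule["target"]
        else:
            return rule["action"], fetch if rule["action"] == "allow" else None
    return "allow", fetch

def client_request(rules, url):
    """Replay the browser round-trips a redirect causes: (decision, client_urls, fetch)."""
    seen = []
    while len(seen) < 5:  # bound so a redirection loop is reported instead of spinning
        seen.append(url)
        decision, target = evaluate(rules, url)
        if decision != "redirect":
            return decision, seen, target
        if target in seen:  # the redirect target is itself redirected again: a loop
            return "loop", seen, None
        url = target  # the browser now asks the cache for the redirect target
    return "loop", seen, None

# Constructed rule sets in the module's syntax: a looping redirect, its explicit-allow fix, a rewrite.
LOOPING = [parse_rule('redirect "http://mycorp.com/gambling-policy.html" url matches gambling')]
FIXED = [parse_rule("allow url http://mycorp.com/gambling-policy.html")] + LOOPING
REWRITE = [parse_rule("rewrite http://www.safe.com/restrict.html url-prefix http://www.block.com")]
```

With LOOPING the policy page's own URL matches "gambling" and is redirected to itself; FIXED places the explicit allow for the target first, and REWRITE never leaves the cache, so no loop can form.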
[Flowchart: ACL evaluation. Evaluate rule -> Match? No: Next Rule. Yes: Auth or rewrite? Yes: back to Next Rule; No: Stop.]
HTTP
HTTP-Based Tunneling
Web Server Acceleration
FTP
NNTP
Streaming
Global
Example ACLs
allow client-ip 206.79.5.0/24 or client-ip 206.79.6.1
Allow access to the specified client IP addresses
auth ftp
Require authentication for FTP requests
More Examples
deny url matches badword
Deny access to any URL containing the specified bad word
deny ftp
Deny all FTP requests
redirect "http://mycorp.com/gambling-policy.html" smartfilter Gambling
Send all requests for gambling sites to the specified URL
ACL Wizards
New feature and concept in NetCache
Provide methods to easily access sets of ACLs
Each wizard:
Scans full ACL list and returns relevant, simplified output
Takes a list of simplified input and converts this into the
ACL equivalents
If adding
Runs ACL validation on the new ACL input
Appends new ACLs if passed, otherwise returns error
If deleting, attempts to remove specified input
aclwiz
netcache> aclwiz
usage:
aclwiz show {keyword}
aclwiz add {keyword} {value|\\}
aclwiz delete {keyword} [value|\\]
aclwiz set {keyword} {value|\\}
where {keyword} can be:
filter_exception
aclwiz command
In NetCache 5.4, you can use the aclwiz command as a simple way to set ACLs by using
the filter-exception template. This template enables you to allow specific URLs in a
WebWasher DynaBLocator or SmartFilter category that you have blocked. This
command takes two forms of input: HTTP URLs, for example, http://www.netapp.com
and any phrase used in a regex URL search.
Refer to the NetCache 5.4 Command Line Reference for additional information.
Solution:
NetCache has objective functionality within the ACL
infrastructure
Unfortunately, ACL manipulations are often complicated, and
a single change may have adverse effects
Additionally, customers may have low-level administrators
who don't, and shouldn't, have the ability to modify ACL lists
directly
Therefore, ACL wizard functionality has been added to
allow simple, directed access to our ACL infrastructure
ACL Exercises
Practice using ACL syntax
Control Access to a Specific URL
Learn about ACL Precedence
ACL Exercises
30 minutes in length
Use breakout rooms
Instructor will visit all rooms
Broadcast announcement 5 minutes prior to regroup
Stay focused, start telnet, start GUI
Share microphones, or no one else can be heard
Exercise Overview
The purpose of this activity is for you to perform the procedures that provide experience in
using NetCache access control lists. During these exercises, you will be guided through
each step in the process and will have an opportunity to verify that each step was
successfully completed.
Workstation
NetCache appliance
Software
NetCache 5.4
ACL syntax
Describe the effect each of the following ACLs will have. Use your assigned NetCache
appliance to test your answers.
1.
2.
3.
4.
5.
6.
deny ftp
2.
3.
4.
5.
Commit changes.
Open a new browser window and try to access http://www.whitehouse.gov
What happened?
6.
7.
www.hotmail.com.
netcache> redirect http://www.hotmail.com url http://www.yahoo.com
8.
9.
Go back to the NetCache Manager, change the redirect to rewrite, and repeat.
10.
11.
From the NetCache Manager select Setup > Access Controls > Access Control Lists.
Select ACL Enable.
Scroll to Global ACL and enter:
deny url matches http://www.hotmail.com
5.
6.
Commit changes.
Test your ACL and access www.hotmail.com
What happened?
7.
8.
9.
Commit changes.
Return to the browser and attempt to access www.hotmail.com
What happened? Why?
10. Try some combinations of your own and observe the effect of ACL precedence.
11. To prevent conflicts with later labs, restore the saved configuration for your
NetCache.