
March 2003 ACLs 1

Access Control Lists

Objectives

When you have completed this module you will be able to do the following:

• Recall regular expression syntax rules
• Describe ACL building blocks
• Set restrictions
• Control access and requests

Access Control List (ACL) Overview

• Rules for controlling access to the NetCache
• NetCache is permissive by default (ACLs off)
• Use ACLs to:
  – Control client requests for access to protocols
  – Control user and group access to the Internet
  – Impose restrictions inside the intranet domain
• Types
  – User and Group
  – Global access control
  – Request-type access control
  – SmartFilter and WebWasher modifiers

Access Control List Overview
ACLs are sets of rules that control access to the NetCache appliance. NetCache is permissive by default: ACLs are not enabled and no request is denied. Once enabled, access control settings prevent unauthorized clients from using the appliance's services and restrict what authorized clients may do. ACLs are used to control individual and group access to the Internet, and to impose restrictions inside the intranet domain.

ACLs govern client requests for access to web content and supported protocols, such as HTTP, FTP, Gopher, and Tunnel.

Individual and group access ACLs can be applied explicitly to authorized users, but they are also effective for administering access control to individuals as part of a group.

Global Access Control The Global Access Control option allows you to set rules to allow or deny access to web objects or domains by specifying URLs or servers to which you want to restrict access. Global access control settings are processed for every request sent to the NetCache Appliance. NetCache follows Global rules, regardless of any content category restrictions set in the SmartFilter options.

For example to deny access to a specific URL, use the following entry:

deny url "http://www.objectionable.com"

Request-Type Access Control The Request-Type Access Control option allows you to set rules that allow or deny access to particular types of requests, such as FTP. Generally, Request-Type settings are protocol-specific. NetCache follows Request-Type rules, regardless of any rules configured in the Global Access Control option and any content category restrictions set in the SmartFilter options.

For example to deny FTP requests between 9 a.m. and 5 p.m., specify the following entry:

deny time 9am - 5pm

SmartFilter Modifiers
Allow you to control access to Web sites by content category, for example, Web sites that contain objectionable content.

Access Control - WebWasher DynaBLocator DynaBLocator blocks access to Internet content in prohibited categories. When you select a category or subcategory, all requests for content in that category or subcategory are blocked.

Access Control Options The Access control options settings allow you to specify a NetCache default action when no rule matches occur.

Access Control Lists

• Simple language
• Access controls applied to groups
• Examples:
  – Authenticate Internet requests:
    auth not server-name www.mycorp.com
  – No gambling during business hours:
    deny smartfilter gambling and time 9am - 5pm
  – Only the executive staff can gamble:
    re-auth smartfilter gambling and not group execs

ACL building blocks ACLs contain sets of rules that control client access to intranet and internet services. These rules, or ACL entries, allow or deny requests based on a number of variables, such as request headers and client IP addresses. ACLs are associated with specific users, groups of users, and types of requests, such as HTTP.

Access Control Actions

• allow
• deny
• redirect <url>
• rewrite
• rewrite-redirect
• auth
• re-auth
• try-auth
• proxy
• set bitrate <bitrate-range>
• cache
• no-cache

ACL Actions
ACL actions determine the type of control implemented.

Refer to Chapter 1, “Access Control” in the NetCache 5.4 Security Guide for specific information regarding access control actions.

Action Expression Syntax

  Action expression                      ACL effect
  allow client-ip 128.126.10.0/24        Allows access to everyone on the 128.126.10.0/24 subnet
  auth FTP                               Requires authentication for all FTP requests
  deny server-name matches ".*\.net"     Denies access to the .net domain
  allow time 9am - 5pm                   Allows access between 9 a.m. and 5 p.m.
  deny FTP                               Denies all FTP requests

Note that "matches" is an unanchored regular-expression search (compare "deny url matches "badword"" later in this module), so ".*\.net" also matches any server name that contains ".net" anywhere, such as www.netapp.com. Anchor the pattern, for example "\.net$", to deny only the .net top-level domain.

ACL Rule Checking

1. Check protocol authentication settings
2. Check ACL permission settings for the applicable group in the NetCache user database
3. Check the request-type (protocol-specific) ACL
4. Check Web accelerator ACL
5. Check global ACL
6. Verify whether WebWasher denies the request
7. Verify whether SmartFilter denies the request
8. Check group protocol permissions settings
9. Allow the request

Controlling Access to Web Objects

• Control access to URLs
  – block URLs
  – redirect requests
• Control access to the proxy
  – client IP address
  – network or subnet address

ACL Syntax

  Action  Variable  Value

Example:

  netcache> allow group finance

Controlling Web Access

  deny url "http://www.corp.com"
  Denies access to a specific URL.

  deny server-ip 10.10.10.11
  Denies access to a specific server by IP address.

  deny server-name matches "www.bad.com"
  Denies access to a specific server by name.

  allow group "finance" and server-name www.bad.com
  Allows requests from the finance group to access www.bad.com.

Because evaluation stops at the first matching rule (see ACL Evaluation Logic), the allow for the finance group must be listed before the deny for www.bad.com to take effect.

Controlling Client Access

  allow client-ip 192.168.1.4
  Allows a specific client access to NetCache services.

  deny client-ip 128.148.37
  Denies a specific client subnet access to NetCache services.

  deny client-domain corp.com
  Denies a specific client domain access to NetCache services.

  allow time 9am - 5pm
  Allows access to NetCache services from 9 a.m. to 5 p.m.

  deny group finance
  Denies requests for NetCache services from members of the finance group.

Redirect Rule

Grammar:
  rule destination source

Example:
  redirect "http://www.mycorp.com/restricted.html" server-ip 128.125.51.1

Effect:
  A request for the server at 128.125.51.1 is sent to www.mycorp.com/restricted.html instead.

Redirecting requests A redirect action immediately redirects the request back to the client, causing the client’s browser to attempt to fetch the new URL, usually through the cache. You can redirect NetCache-generated “access denied” messages to a URL explaining why the access was denied with instructions about how the user can resolve the problem.

Example: To redirect requests for the server at 128.125.51.1 to an internal web page, use the Access Control Options on the Access Settings page of the NetCache Manager utility to specify the following rule:

redirect "http://www.mycorp.com/restricted.html" server-ip 128.125.51.1

Because redirect causes the client to issue a new request to the cache, that new request is evaluated against the same ACLs, and a redirection loop occurs if the redirect target itself matches the redirecting rule. To avoid a redirection loop, use rewrite instead, or use the Global Access Control option on the Access Control Settings page of the NetCache Manager utility to explicitly allow the redirection URL so that the target is matched by an allow before it can match the redirect rule again. For example, for a redirect whose target is http://www.mycorp.com/gambling.html:

allow url "http://www.mycorp.com/gambling.html"

Rewrite Rule

Grammar:
  rule destination source

Example:
  rewrite "http://www.safe.com/restrict.html" url-prefix http://www.block.com

Effect:
  Replaces the HTTP content of www.block.com with the content of http://www.safe.com/restrict.html; the client's URL does not change and links are not maintained.

Rewriting requests
A rewrite internally rewrites the URL, causing NetCache to fetch a different object and return it to the client if the request is allowed. You can also rewrite requests for restricted objects to other URLs by writing a pattern-matching expression that selects the restricted URLs and naming, in the rule, the URL to which those requests are directed.

Example: To rewrite requests for block.com to safe.com, use the Access Control Options on the Access Settings page of the NetCache Manager utility to specify the following rule:

rewrite "http://www.safe.com/restrict.html" url-prefix http://www.block.com

Optional syntax
Rewrite and redirect rules have the same action expression syntax:

  <action> "URL" <expression>

Optionally, the action can be followed by a URL that is the redirection (or rewrite) target. The URL must be enclosed in double quotation marks. For example:

redirect "http://mycorp.com/no-gopher.html" gopher

ACL Evaluation Logic

(Flowchart.) Start: evaluate the rule. Does it match? No: go to the next rule. Yes: is the action auth or rewrite? Yes: continue with the next rule. No: stop; the matching rule's action is applied.
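The rule-checking order (slide 8), the evaluation flowchart above and the ACL precedence exercise at the end of this module can be modelled in a few lines. The following is an added example written for this page, not NetCache code: it parses a handful of the ACL expressions used in this module and evaluates ordered lists first-match, continuing past auth and rewrite matches exactly as the flowchart shows. Assumptions made for the demonstration: "matches" is an unanchored regular-expression search (as "deny url matches "badword"" implies), time ranges are half-open, the SmartFilter category table is a constructed stand-in, and every rule and request below is made up.

```python
"""Model of NetCache-style ACL evaluation (added example, not NetCache code).
Lists are checked in order (request-type ACL before global ACL); within a list the
first matching rule decides, except that auth and rewrite matches keep evaluating."""
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    client_ip: str
    url: str
    hour: int                         # local hour of the request, 0-23
    user: str = ""
    groups: set = field(default_factory=set)
    authenticated: bool = False

    @property
    def protocol(self):
        return self.url.split("://", 1)[0].lower()

    @property
    def server_name(self):
        return self.url.split("://", 1)[1].split("/", 1)[0].lower()

# Constructed stand-in for the vendor category database (assumption for the demo).
CATEGORIES = {"www.casino.example": "gambling"}
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')   # quoted string, paren, or bare word

def _hour(tok):                       # "9am" -> 9, "5pm" -> 17, "12am" -> 0
    return int(tok[:-2]) % 12 + (12 if tok[-2:].lower() == "pm" else 0)

def _ip_match(value, ip):             # CIDR, single address, or dotted prefix like 128.148.37
    if "/" not in value and value.count(".") < 3:
        return ip.startswith(value + ".")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)

def _cmp(op, pattern, subject):       # matches: unanchored regex search; contains: substring
    if op == "matches":
        return re.search(pattern, subject) is not None
    return pattern in subject if op == "contains" else subject == pattern

class Parser:
    """expr := term ('or' expr)?   term := factor ('and' term)?   factor := not | ( ) | variable"""
    def __init__(self, text):
        self.toks, self.i = TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def next(self):
        self.i += 1
        return self.toks[self.i - 1].strip('"')

    def expr(self):
        left = self.term()
        if self.peek() == "or":
            self.next()
            right = self.expr()
            return lambda r: left(r) or right(r)
        return left

    def term(self):
        left = self.factor()
        if self.peek() == "and":
            self.next()
            right = self.term()
            return lambda r: left(r) and right(r)
        return left

    def factor(self):
        t = self.next()
        if t == "not":
            f = self.factor()
            return lambda r: not f(r)
        if t == "(":
            f = self.expr()
            assert self.next() == ")", "unbalanced parenthesis"
            return f
        if t == "auth":                          # as a variable: is the client authenticated?
            return lambda r: r.authenticated
        if t in ("http", "ftp", "nntp", "gopher"):
            return lambda r: r.protocol == t
        if t == "time":
            start, _, end = _hour(self.next()), self.next(), _hour(self.next())
            return lambda r: start <= r.hour < end
        op = self.next()
        value = self.next() if op in ("matches", "contains") else op
        op = op if op in ("matches", "contains") else "exact"
        return {
            "client-ip": lambda r: _ip_match(value, r.client_ip),
            "server-name": lambda r: _cmp(op, value, r.server_name),
            "url": lambda r: _cmp(op, value, r.url),
            "url-prefix": lambda r: r.url.startswith(value),
            "group": lambda r: value in r.groups,
            "user": lambda r: r.user == value,
            "smartfilter": lambda r: CATEGORIES.get(r.server_name, "").lower() == value.lower(),
        }[t]

def parse_rule(text):
    """'deny group peons and time 9am - 5pm' -> (action, target URL or None, predicate)."""
    p = Parser(text)
    action = p.next()
    target = p.next() if action in ("redirect", "rewrite") else None
    return action, target, p.expr()

def evaluate(acl_lists, req, default="allow"):
    """acl_lists: ACLs in checking order, e.g. [http_acl, global_acl].
    Returns (action, needs_auth, final_url); action is the default if no terminal rule matches."""
    needs_auth, url = False, req.url
    for rules in acl_lists:
        for action, target, match in map(parse_rule, rules):
            if not match(req):
                continue
            if action == "auth":
                needs_auth = True            # keep evaluating; challenge the client at the end
            elif action == "rewrite":
                url = req.url = target       # later rules see the rewritten URL
            else:
                return action, needs_auth, url
    return default, needs_auth, url
```

Run the precedence exercise through it and an allow for www.hotmail.com in the HTTP (request-type) list beats a deny for the same URL in the global list, because the request-type list is checked first (step 3 before step 5) and the first terminal match stops evaluation. The same evaluator shows why "deny not ( auth or server-name matches "mycorp.com$" )" also exempts an unauthenticated request to notmycorp.com: the pattern is anchored only at its end, and "(^|\.)mycorp\.com$" closes that hole.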

Request Type ACLs

• HTTP
• HTTP-Based Tunneling
• Web Server Acceleration
• FTP
• NNTP
• Streaming
• Global

Req-line ACL variable

• Uses only the request line of the HTTP request as its value:
  – GET http://web.netapp.com/ HTTP/1.0
• Allowed in the HTTP ACL only
• Alternate way to deny specific HTTP methods:
  – deny req-line contains "GET"
  – deny req-line matches "^POST"
• req-headers may give false matches because it matches against all of the request headers, not just the request line

Protocol Specific ACL Examples

• HTTP
  deny url "http://www.gambling.com"
• HTTP-Based Tunneling ACL
  deny url "http://www.games.com"
• Web Server Accelerator ACL
  deny not accel
• FTP ACL
  deny ftp
• NNTP ACL
  deny nntp
• Streaming ACL
  allow client-ip xxx.xx.xxx.40
  where requests for streams from client xxx.xx.xxx.40 are allowed.

Protocol Specific ACLs Rules set using the protocol-specific options on this page (including streaming MMS and RTSP) are request-type rules. Request-type rules control access to requests of a particular type, or protocol. Global rule settings, also on this page, impose restrictions on all traffic but do not take precedence over request-type rules when applied.

Refer to Online Help for specific configuration information.

Example ACLs

  allow client-ip 206.79.5.0/24 or client-ip 206.79.6.1
  Allow access to the specified client IP addresses.

  deny server-ip 206.79.5.61
  Deny access to the specified server IP address.

  auth ftp
  Require authentication for FTP requests.

  deny group peons and time 9am - 5pm
  Deny access to members of the group "peons" between 9 a.m. and 5 p.m.

  deny user bob and smartfilter Gambling
  Deny any gambling-related site requests from bob.

  deny smartfilter Worthless and time 9am - 5pm
  Deny all requests for sites categorized by SmartFilter as Worthless between 9 a.m. and 5 p.m.

More Examples

  deny url matches "badword"
  Deny access to any URL containing the specified bad word.

  deny url-prefix ftp://www.mycorp.com/blocked/
  Deny access to the specified FTP URL and everything beneath it.

  deny ftp
  Deny all FTP requests.

  auth time 9am - 5pm
  Require authentication for all requests between 9 a.m. and 5 p.m.

  deny not ( auth or server-name matches "mycorp.com$" )
  Allow access to authenticated users, allow everyone to reach the specified server, and deny everyone else. The pattern is anchored only at the end, so it also exempts any server name that merely ends in mycorp.com (for example notmycorp.com); anchor the front as well, such as "(^|\.)mycorp\.com$", to limit the exception to that domain.

  redirect "http://mycorp.com/gambling-policy.html" smartfilter Gambling
  Send all requests for gambling sites to the specified URL.

ACL Wizards

• New feature and concept in NetCache
• Provide methods to easily access sets of ACLs
• Each wizard:
  – Scans the full ACL list and returns relevant, simplified output
  – Takes a list of simplified input and converts this into the ACL equivalents
  – If adding:
    • Runs ACL validation on the new ACL input
    • Appends new ACLs if passed, otherwise returns an error
  – If deleting, attempts to remove the specified input

aclwiz

  netcache> aclwiz
  usage:
    aclwiz show {keyword}
    aclwiz add {keyword} {value|\\}
    aclwiz delete {keyword} [value|\\]
    aclwiz set {keyword} {value|\\}
  where {keyword} can be:
    filter_exception

aclwiz command
In NetCache 5.4, you can use the aclwiz command as a simple way to set ACLs by using the "filter_exception" template. This template enables you to allow specific URLs in a WebWasher DynaBLocator or SmartFilter category that you have blocked. The command takes two forms of input: HTTP URLs, for example http://www.netapp.com, and any phrase to be used in a regex URL search.

Refer to the NetCache 5.4 Command Line Reference for additional information.

Exceptions to HTTP Filtering using an "Access Control List Wizard"

(Screenshot: HTTP Filtering using ACL Wizard.)

Exceptions to HTTP Content Filtering

• Objective:
  – Customer desires an easy way to poke holes into our 3rd party HTTP content filtering libraries
  – For instance, the "Investment" category may be blocked, but administration wants to allow access to 401k websites
• Solution:
  – NetCache has objective functionality within the ACL infrastructure
  – Unfortunately, ACL manipulations are often complicated, and a single change may have adverse effects
  – Additionally, customers may have low level administrators who don't, and shouldn't, have the ability to modify ACL lists directly
  – Therefore, "ACL wizard" functionality has been added to allow simple, directed access to our ACL infrastructure

Translations and Heuristics of the HTTP Content Filtering ACL Wizard

• Takes two forms of input:
  1. HTTP URLs, e.g. "http://www.netapp.com"
  2. Any phrase, used in a regex URL search
• Converts input into ACLs:
  1. allow url "http://www.netapp.com"
  2. allow url contains "any-phrase"
• Always appends to the end of the ACL list

Because ACLs are evaluated in order and the first terminal match wins, an exception appended at the end only takes effect if no earlier rule in the same list already matches and denies the URL.

(Screenshot: Setup > Access Control > SmartFilter > General)

(Screenshot: Setup > Access Control > WebWasher > Categories)

ACL Exercises

• Practice using ACL syntax
• Control access to a specific URL
• Learn about ACL precedence

• 30 minutes in length
• Use breakout rooms
• Instructor will visit all rooms
• Broadcast announcement 5 minutes prior to regroup
• Stay focused, start telnet, start GUI
• Share microphones, or no one else can be heard

Access Control Lists Exercises

Objectives
When you have completed this module you will be able to control client access to the NetCache.

Exercise Overview
The purpose of this activity is to give you experience using NetCache access control lists. During these exercises, you will be guided through each step in the process and will have an opportunity to verify that each step was successfully completed.

Time Estimate: 15 minutes

Required Hardware, Software, and Tools

Hardware

• Workstation

• NetCache appliance

Software

• NetCache 5.4

• Netscape Navigator 4.7

• Internet Explorer 5.5 or later

ACL syntax Describe the effect each of the following ACLs will have. Use your assigned NetCache appliance to test your answers.

1. deny url matches “badword”

2. What is the difference between the following two ACLs?

>deny url matches “http://www.mycorp.com”

>deny url http://www.mycorp.com

3. deny url-prefix ftp://www.mycorp.com/blocked/

4. deny ftp

5. auth time 9am - 5pm

6. redirect "http://mycorp.com/gambling-policy.html" smartfilter Gambling

Write an ACL for each of the following situations:

1. Require authentication for all members of the Finance group.

2. Deny access to CNN during working hours (9 am to 5 pm).

3. Do not require authentication for access to www.netapp.com.

Control Access to a Specific URL Configure the NetCache access control using the options on the Access Control page in the NetCache Manager utility.

1. From the NetCache Manager select Setup > Access Controls > Access Control Lists.

2. Select ACL Enable.

3. Scroll to the HTTP ACL section and enter the following:

deny url “http://www.netapp.com”

4. Commit changes.

5. Open a new browser window and try to access

“http://www.whitehouse.gov”

What happened?

6. From the NetCache Manager, go to Setup > Access Control > Access Control Lists.

7. Create an HTTP ACL to redirect requests for www.yahoo.com to www.hotmail.com.

  netcache> redirect "http://www.hotmail.com" url "http://www.yahoo.com"

8. From a browser client, go to http://www.hotmail.com and then to http://www.yahoo.com.

What happened?

9. Go back to the NetCache Manager and change the redirect to rewrite and repeat.

10. From a browser client, go to http://www.hotmail.com and then to http://www.yahoo.com.

11. What is the difference between the redirect and rewrite rules?

ACL Precedence Exercise Configure the NetCache access control using the options on the Access Control page in the NetCache Manager utility.

1. Use a different browser and configure it to proxy through this NetCache and verify that you cannot access the URL.

2. From the NetCache Manager select Setup > Access Controls > Access Control Lists.

3. Select ACL Enable.

4. Scroll to Global ACL and enter:

deny url matches “http://www.hotmail.com”

5. Commit changes.

6. Test your ACL and access www.hotmail.com

What happened?

7. Scroll to the HTTP ACL section and enter the following:

allow url matches “http://www.hotmail.com”

8. Commit changes.

9. Return to the browser and attempt to access www.hotmail.com

What happened? Why?

10. Try some combinations of your own and observe the effect of ACL precedence.

11. To prevent conflicts with later labs, restore the saved configuration for your NetCache.
