[c-nsp] Block https

Ivan Pepelnjak ip at ioshints.info
Wed Jul 15 09:27:49 EDT 2009


You cannot block HTTPS on the router with anything but the IP-based access
lists because (by definition) the HTTP request (which the URL filter,
content filter or NBAR recognizing HTTP uses) is encrypted.

If you want to block HTTPS requests for particular hosts, you need an HTTP
proxy which intercepts the CONNECT requests and allows/denies them. You
could force the users to go through a proxy by blocking direct Internet
access for ports 80 through 443.

However, to block HTTPS access to Facebook, the easiest thing to do is this:

* do a DNS lookup for www.facebook.com
* do a WHOIS query for the IP address
* at the moment Facebook does not use a distributed CDN, so the IP address is
within the IP address range allocated to Facebook Inc.
* block the whole address range assigned to them.

... And keep in mind that this is a whack-a-mole game ;)
Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/
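The lookup, WHOIS, check-the-allocation, block-the-range procedure above, as an added Python example that is not part of this thread or of anyone's post: it parses a constructed WHOIS answer (the `SAMPLE_WHOIS` text, the function names and the ACL number 101 are assumptions), checks that the resolved address really sits inside the allocation, and renders IOS extended access-list lines with the wildcard masks the router expects.

```python
import ipaddress
import re

# Constructed sample of a WHOIS answer for the address DNS returned; it is not
# real registry data. In practice: `dig +short www.example.com`, then `whois <ip>`.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/25, 203.0.113.128/25
NetName:        EXAMPLE-SOCIAL-NET
OrgName:        Example Social Inc.
"""

def prefixes_from_whois(text):
    """Collect CIDR: prefixes and NetRange:/inetnum: ranges and collapse them
    into the smallest set of prefixes (ARIN and RIPE style answers both parse)."""
    nets = set()
    for m in re.finditer(r'^CIDR:\s*(.+)$', text, re.M):
        for tok in m.group(1).split(','):
            nets.add(ipaddress.ip_network(tok.strip(), strict=False))
    for m in re.finditer(r'^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)$', text, re.M):
        first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        nets.update(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def covers(prefixes, resolved_ip):
    """The check behind 'the IP address is within the range allocated to them':
    if the resolved address is outside every prefix, the site is served from
    someone else's space (a CDN) and an allocation-based block will not hold."""
    ip = ipaddress.ip_address(resolved_ip)
    return any(ip in net for net in prefixes)

def cisco_acl(prefixes, acl_number=101):
    """Render IOS extended ACL lines: deny TCP/443 to each prefix (IOS wants the
    wildcard mask, i.e. the inverted netmask), then the usual permit any any."""
    lines = [f"access-list {acl_number} deny tcp any {net.network_address} {net.hostmask} eq 443"
             for net in prefixes]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    nets = prefixes_from_whois(SAMPLE_WHOIS)
    print("resolved address inside allocation:", covers(nets, "203.0.113.10"))
    print("\n".join(cisco_acl(nets)))
```

Apply the generated list inbound on the LAN-facing interface; when `covers()` returns False the whack-a-mole has already started and the range-based block is the wrong tool.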

> -----Original Message-----
> From: masood at nexlinx.net.pk [mailto:masood at nexlinx.net.pk] 
> Sent: Wednesday, July 15, 2009 1:03 PM
> To: Kevin Barrass
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Block https
> 
> Man, that's pretty straightforward. All you needed is
> 
> http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab4ddb.shtml
> 
> If I am remembering correctly, you can block https using a
> proxy/cache server; if it is Squid then I can help you.
> 
> Regards,
> Masood
> 
> > Hi
> >
> > One I used a while ago to test was the below
> >
> > ip urlfilter allow-mode on
> > ip urlfilter exclusive-domain deny www.theregister.co.uk
> >
> > It's been a while since I've used this, but you can check the Cisco Docs for
> > the ip urlfilter feature. If you want to block based on IP, just use
> > access lists as normal to block traffic to that IP.
> >
> > Regards
> > Kev
> >
> > 
> > Kev Barrass | YHMAN Operations Team | www.yhman.net.uk
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> > Sent: 15 July 2009 08:44
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Block https
> >
> > I want to block the url https://www.facebook.com
> >
> > Without using NBAR
> >
> > Using access-lists ??
> >
> > And if I want to block based on the IP address it has a lot of IP
> > addresses (I don't want to block a whole class)
> >
> > And the cache only blocks based on HTTP port 80
> >
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >