Has anybody got ICAP working with PIX or Cisco content engine and
Surfcontrol? If this worked wouldn't it be the best solution?

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of
Victor Williams
Sent: Tuesday, January 22, 2008 8:41 PM
To: Firewall Wizards Security Mailing List
Cc: firewall-wizards@listserv.cybertrust.com
Subject: Re: [fw-wiz] Enforcing content filtering with PIX515E

The simplest way to get SurfControl to examine all packets headed to and
through your firewall is to put both your firewall and the SurfControl
server on the same hub. SurfControl will automatically see all traffic
and make decisions on it accordingly.

If you have a switched network, depending on your switching fabric, you
should be able to set up port mirroring on the port SurfControl is
running on, and set it to mirror the port that the PIX is plugged into.

If you do have SurfControl licensed, you should have access by default
to their knowledgebase where they cover this in at least 4 different

Redirecting traffic from port 80 won't work...because the traffic will
get to the SurfControl server, but how in turn will the SurfControl
server then tell the traffic to proceed to the internet where it's
supposed to go, when that traffic is then going to be told to be sent
right back to the SurfControl server (itself) again? You're going to
get an infinite loop going there.

Also, just to clarify, SurfControl isn't a content filter. It's a URL
and port/protocol filter. It doesn't examine the full content/packets
of anything. It looks at how, say, a URL is classified as, and chooses
to allow or deny it based on your rules. It doesn't look at the content
of anything but its own database of URLs, and decides how to process
your request.

Ian Rarity wrote:
> Hi all,
> Apologies if this is dumb, obvious or both, but I've never had to get a
> firewall to do this before. We've just signed up with SurfControl to
> provide us with content filtering for our web users.
> Actually getting all the various versions of various browsers on our
> network to use it as their proxy server is proving problematic; each
> version of IE seems to store the proxy URL in a different registry key.
> Also, thanks to our IT policy (or lack thereof), there's not much we can
> do to prevent users simply removing the proxy setting in their browsers
> and looking at whatever sites they please.
> So I thought I'd try reconfiguring our firewall to send any outgoing
> traffic on port 80 to the IP/port that SurfControl gave us. The
> access-list for the inside interface on the PIX currently reads:
> access-list acl_in permit icmp any any
> access-list acl_in permit ip any any
> In other words, anything on the inside interface is allowed to access
> anywhere. Am I right in thinking that to force outgoing port 80 traffic
> in the direction of SurfControl, I'd need to add a line to acl_in along
> these lines:
> access-list acl_in permit any host 80 8081
> Would this suffice, or do I need something more involved?
> Thanks,
> Ian.
> *********************************
> Ian Rarity
> Technical Engineer
> ESPC (UK) Ltd.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards
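The redirect loop described above (every outbound port-80 packet sent to the filter, including the filter's own outbound fetches) and the exemption that avoids it, as an added Python model. This is not code from the thread, from SurfControl or from Cisco; the client, filter and origin addresses, the listening port and the "blocked" host set are all constructed for the illustration, and the filter's behaviour is reduced to "look up the requested host, then deny it or fetch it yourself".

```python
# Added illustration of the redirect-loop problem discussed in the thread.
# Not code from the list, from SurfControl or from Cisco; all addresses,
# ports and the blocked-host set below are constructed for the example.
from dataclasses import dataclass
from typing import Callable, List, Tuple

CLIENT_IP = "10.0.0.25"          # constructed: an inside workstation
PROXY_IP = "10.0.0.250"          # constructed: the SurfControl/filter host
PROXY_PORT = 8081                # constructed: the port the filter listens on
ORIGIN_IP = "198.51.100.7"       # constructed: a web server on the internet
BLOCKED_HOSTS = {"203.0.113.9"}  # constructed: the filter's "deny" category


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    host: str  # the site the client actually asked for (Host header / original dst)


Rule = Callable[[Packet], Packet]
Hop = Tuple[str, str, int]


def redirect_all_port80(pkt: Packet) -> Packet:
    """Naive firewall policy: every packet to TCP/80 is sent to the filter."""
    if pkt.dport == 80:
        return Packet(pkt.src, PROXY_IP, PROXY_PORT, pkt.host)
    return pkt


def redirect_except_proxy(pkt: Packet) -> Packet:
    """Corrected policy: the same redirect, but the filter's own outbound
    requests are exempt so they can leave for the internet."""
    if pkt.dport == 80 and pkt.src != PROXY_IP:
        return Packet(pkt.src, PROXY_IP, PROXY_PORT, pkt.host)
    return pkt


def trace(rule: Rule, host: str = ORIGIN_IP, max_hops: int = 8) -> Tuple[List[Hop], str]:
    """Follow one client request through the firewall policy `rule`.

    Returns the (src, dst, dport) hops seen at the firewall and an outcome:
    "reached" (arrived at the origin), "blocked" (filter denied the host) or
    "loop" (the packet never escaped the redirect within max_hops).
    """
    pkt = Packet(CLIENT_IP, host, 80, host)
    hops: List[Hop] = []
    for _ in range(max_hops):
        pkt = rule(pkt)  # the firewall applies its policy to the packet
        hops.append((pkt.src, pkt.dst, pkt.dport))
        if pkt.dst == pkt.host and pkt.dport == 80:
            return hops, "reached"  # left for the real destination
        if pkt.dst == PROXY_IP:
            # The filter classifies the requested host (a URL/host lookup,
            # not content inspection), then either denies it or fetches it on
            # the client's behalf using its own source address.
            if pkt.host in BLOCKED_HOSTS:
                return hops, "blocked"
            pkt = Packet(PROXY_IP, pkt.host, 80, pkt.host)
    return hops, "loop"


if __name__ == "__main__":
    for name, rule in (("redirect all :80", redirect_all_port80),
                       ("exempt filter host", redirect_except_proxy)):
        hops, outcome = trace(rule)
        print(f"{name}: {outcome} after {len(hops)} hop(s)")
```

Running it shows the naive policy bouncing the filter's own request back to itself until the hop budget runs out, while the policy that excludes the filter's source address lets the re-issued request reach the origin in two hops. Whatever the real redirect mechanism on the firewall, the check that matters is the same: the filter host's outbound traffic must not match the redirect, either by exempting its address or by placing the filter (as the hub or port-mirror suggestion does) out of the forwarding path altogether.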
