JNCIS-SEC [ Content Filtering ]

Content filtering blocks or permits certain types of traffic based on the MIME type, file extension and protocol command. The content filter controls file transfers across the gateway.

The content filter module evaluates traffic before all other UTM modules except Web Filtering.

There are three types of content filters:

1) MIME Pattern Filter: It is used to identify traffic in HTTP and MAIL protocols. There are block and exception lists of MIME patterns. Exception list takes precedence over block list. If the same entry exists on  both block and exception list, that type of traffic won’t be blocked because it is in the exception list.

2) Block Extension List: Blocking based on the extension of the file

3) Protocol command block/permit lists: By blocking or allowing certain commands, traffic can also be controlled on the protocol command level.

Configuration of Custom Objects

[edit security utm]
root@host# show
custom-objects {
    mime-pattern {
        mime-list {
            value [ video/quicktime image/jpeg ];
        }
        ex-mime-list {
            value video/testmime;
        }
    }
    filename-extension {
        extlist1 {
            value [ zip rar vbs ];
        }
    }
    protocol-command {
        ftpproto1 {
            value [ user pass port ];
        }
    }
}

Configuration of Feature Profile

[edit security utm]
root@host# show feature-profile
content-filtering {
    profile confilter1 {
        block-command ftpproto1;
        block-extension extlist1;
        block-mime {
            list mime-list;
            exception ex-mime-list;
        }
        block-content-type {
            java-applet;
            exe;
            http-cookie;
        }
        notification-options {
            type message;
            notify-mail-sender;
            custom-message ” operation failed “;
        }
    }
} Configuration of utm policy

[edit security utm]
root@host# show | find utm-policy
utm-policy utm-con {
    content-filtering {
        http-profile confilter1;
    }
} Applying utm policy to security policy

[edit security policies from-zone trust to-zone untrust]
root@host# show
policy cont-filtering {
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        permit {
            application-services {
                utm-policy utm-con;
            }
        }
    }
}

Monitoring Content Filtering

root@host> show security utm content-filtering statistics
 Content-filtering-statistic:         Blocked
     Base on command list:                    0
     Base on mime list:                       0
     Base on extension list:                  0
     ActiveX plugin:                          0
     Java applet:                             0
     EXE files:                               0
     ZIP files:                               0
     HTTP cookie:                             0

You have a feedback?