Content filtering solutions for BorderManager

We're considering implementing a content filtering solution with our
BorderManager proxy server. What products are available for
BorderManager 3.9, and what do you recommend we use?

First thought on the Marshal8e6 appliance.
So far, I like this solution. We run it in invisible mode and it sends blocks based on profiles we can create. I have not set up the LDAP integration yet, so I cannot say more about how that is going to work, but so far so good.
I am having an issue where I cannot get updates to run to the box currently. I have a filter exception that is set up as follows:
Source Int: Any
Dest Int: Public
Packet type : any IP stateful
Source host: 8e6 appliance
Dest Network: range of update addresses (secureupdate.8e6.com)
and it will not update.
This is the error when SSH tries to run from the appliance:
HTTP/1.0 302 Moved Temporarily
Content-Length: 217
Connection: Close
Content-type: text/html
Location: https://192.168.102.253:444/BM-Login...253:1959/data/bmaok.htm%22
<HTML><HEAD><TITLE>Novell BorderManager</TITLE><BODY><b>The document has moved <A HREF="https://192.168.102.253:444/BM-Login/?%22http://192.168.102.253:1959/data/bmaok.htm%22">here</A></b></HEAD><BODY></BODY></HTML>
read:errno=0
The 192.168.102 address is from one of our DMZs, so it is strange that this is where BM is trying to authenticate... but why??
Any ideas greatly appreciated.
Steve D.
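
A response like the one quoted above can be checked mechanically. As an added example (not part of the original post, and not Novell or 8e6 tooling), this Python check parses a captured response and reports when a fetch aimed at the update host was answered by a proxy login redirect instead of by that host. The function names, the `BM-Login` marker list and the sample response (constructed from the post's output) are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the response quoted in the post; the Location
# value uses the full URL from the HREF in the quoted HTML body.
SAMPLE_RESPONSE = (
    "HTTP/1.0 302 Moved Temporarily\r\n"
    "Content-Length: 217\r\n"
    "Connection: Close\r\n"
    "Content-type: text/html\r\n"
    "Location: https://192.168.102.253:444/BM-Login/"
    "?%22http://192.168.102.253:1959/data/bmaok.htm%22\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>Novell BorderManager</TITLE></HEAD></HTML>"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = lines[0].split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(fields[1]), headers, body


def diagnose_update_fetch(raw, expected_host, login_markers=("BM-Login",)):
    """Classify a response received while fetching from expected_host."""
    status, headers, _ = parse_response(raw)
    report = {"status": status, "verdict": "ok", "redirect_host": None,
              "redirect_port": None, "return_url": None}
    if status not in REDIRECT_CODES:
        if status >= 400:
            report["verdict"] = "http-error"
        return report
    location = headers.get("location", "")
    target = urlsplit(location)
    report["redirect_host"] = target.hostname
    report["redirect_port"] = target.port
    if target.hostname in (None, expected_host):
        report["verdict"] = "same-host-redirect"
    elif any(m.lower() in location.lower() for m in login_markers):
        # The proxy answered instead of the update server and wants a login.
        report["verdict"] = "proxy-auth-redirect"
        # The login page carries the URL to return to, quoted, in its query.
        report["return_url"] = unquote(target.query).strip('"') or None
    else:
        report["verdict"] = "off-host-redirect"
    return report


if __name__ == "__main__":
    for key, value in diagnose_update_fetch(
            SAMPLE_RESPONSE, "secureupdate.8e6.com").items():
        print("%-14s %s" % (key, value))
```

A `proxy-auth-redirect` verdict means the request reached the proxy's authentication path rather than the update host, which points the investigation at proxy authentication rules and not only at the packet filter exception.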

Similar Messages

  • ASA CX content filtering, looking for suggestions

    I wanted to get some feedback on how the rest of you security folks are doing web content filtering.
    The CX does a great job with HTTP, but when it comes to HTTPS it leaves a lot to be desired. When the CX first went live, it was configured to decrypt all HTTPS traffic, with the Deny settings for transactions to servers "Using an untrusted certificate" and "If the secure session handshake fails" turned on.
    Immediately I started to implement the "Do not decrypt" policy and it worked great for most websites experiencing HTTPS decryption issues. Other websites required that HTTPS certificate be imported to the CX for it to work.
    However, due to the constant "error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext" I experimented with different workarounds till I found these articles.
    http://www.exploresecurity.com/the-small-print-for-openssl-legacy_renegotiation/
    https://www.digicert.com/news/2011-06-03-ssl-renego.htm
    TAC's suggestion was to create a deny statement (using an object group that defines the FQDN) at the top of the ACL that sends the traffic from the ASA to the CX. This was the only way to keep the CX deny "Using an untrusted certificate" and "If the secure session handshake fails" decryption settings turned on.
    Now I feel I am back at square one as the number of exceptions has grown exponentially. This has led me to believe that I need to revisit the way that content filtering is being implemented. My goal is to apply a simple yet scalable solution. As I see it, I can continue to add to the "ASA to CX" exemption list; this is not a scalable solution as it requires all FQDNs to be defined (ex. bank.com, server1.bank.com, server2.bank.com, etc). The alternative is to relax the CX decryption configurations, which I feel is the equivalent of removing a car's airbags for weight reduction to make it faster.
    Any input would be appreciated!

    I've come to the conclusion that SSL decryption is only possible where a robust PKI has been deployed in an enterprise. Even then we would ideally use a dedicated SSL decryption appliance so we can hand the CX (or ASA with FirePOWER service module) plain old http for inspection.
    The software modules just don't have the processing power to be able to do line rate decryption for any but the most modest throughput rates.
    Also, the CX is being deprecated going forward in favor of the FirePOWER modules so you won't see any significant new feature addressing this shortcoming on the CX.

  • Spam filtering solution for iPhone and a question.

    I've read a lot of posts about spam filtering for the iPhone and have yet another solution and a question. I use SpamSieve and I am not affiliated with them in any way. The nice thing about SpamSieve is that if it is the first rule in your Mail.app rule set, any mail that follows has already been filtered. All you need to do then is create another rule that redirects email to whatever mail account you choose. Since my ISP allows multiple accounts, I will simply create an iPhone@myISP account.
    Now the question. Is it possible to write an applescript that will turn the redirect rule on or off so that I don't have to dig into the rules section of Mail to get this done?
    Thanks

    Is it possible to write an applescript that will turn the redirect rule on or off so that I don't have to dig into the rules section of Mail to get this done?
    not at present time

  • Internet Content Filtering Server for Mac OS X Server?

    Hello everyone,
    I was wondering if anyone knew of a product that would allow my LAN to have Internet Filtering. It would be really good if I could set up my Mac OS 10.4 server as a gateway that will allow users access to the web with a username and password. It would also be good if I could have guest access or restricted access that would only allow certain websites to work.
    I guess I am looking for some form of proxy server?
    Any ideas anyone?
    Thanks,
    David

    I use Firefox, because I never put in the time to learn how Safari controls temporary/permanent cookie storage.
    Firefox also has a large selection of add-ons to prevent javascript running or "tracking links" inside web pages, etc.

  • HT2518 i have used migration assistant to move emails in outlook to mac but some of emails moved without contents, any solution for this problem?

    I have used Windows Migration Assistant to move emails from a Windows PC to a Mac. Mails mostly moved without problem, but some of them moved without content. I tried to find out if there is anything common in these problem emails but cannot identify any hint. Please help.

    The Dropbox folder is a subfolder of the home folder, which has the same name as the user account. It's under the Users folder at the top level of the startup volume ("Macintosh HD," unless you gave it a different name.)

  • IOS Content Filtering - Is No More ?

    Cisco very quickly End of Lifed the IOS Content Filtering offering last year
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/eol_c51-698205.html
    For something with a minimum of a yearly lic involved, the EOL timing is shocking - you could have ordered product with a 1 year lic and come back now to find the offering is now dead (as in our case) so much for ROI !
    Cisco are pushing Scansafe as their current offering, which has probably led to a falling out with Trend, who provided the underlying service for IOS Content Filtering. Scansafe does not economically cover the low end application, for which IOS Content Filtering was ideal, i.e. SMB space with 8xx or low end ISR routers. The Cisco answer is basically "perhaps you want to go and investigate solutions from other suppliers"
    So we are left with a router platform which is fine and content filtering which was fine, but we are now unable to re-licence the URL filtering service, and it will stop working in about 30 days and there is apparently nothing we can do about it
    Does anyone know if Trend still operate the URL filtering subscription service and whether there is a way of getting a subscription renewal direct?
    (I'm not holding my breath on that - I am guessing the IOS content filtering hooks for the service being certificate based + Cisco license process will make that hard for anyone but Cisco)
    Or of any alternative simple and cost effective solution we can configure the router to use
    (please tell me we're not back to SurfControl/Websense solutions again..)
    thanks
    Sez

    Approached the Cisco AM - frankly there was little or no interest in fixing such a low value problem. The spin was the Trend relationship ending was beyond Cisco control and Cisco hands tied - i.e. it's not our fault (but strangely the problem is the customer's)
    Yes we could get some TMP discount - against the original hardware purchase but the hardware for lowend installs is negligible, it is the services time/cost in getting solution (and any replacement) into deployment which is the costly part and TMP makes no allowance for that.
    Also the Scansafe solution is much more expensive, compared to IOS URL Filtering, so even taking off the minor TMP discount the answer from Cisco is basically - yep, spend more money with us and we'll fix the problem we created for you. And why is there so little normal info on Cisco.com for Scansafe - i.e. covering SKU/ordering models etc... It always just says 'ask your Cisco AM for details' - that may have worked when Scansafe was a separate company but a Cisco AM is unlikely to even answer the phone to talk about a $3K order
    If Cisco really wanted to protect customer investment, why couldn't it provide through Scansafe a replacement service for IOS URL Filtering service, at similar cost and pricing model to that provided by the Trend integration? i.e. same kit, same config but pointed at Scansafe cloud rather than Trend cloud. Then there would be no issue and a clean migration path provided for Cisco's valued customers
    Probably answering my own question but scansafe appears to return to a cost related to the user count, whereas IOS URL Filtering service was a simple one off cost per router. This was ideal for low end application (the ISR800 series size of deployment) and comparable scansafe is way more expensive.
    I have found we are not alone in this; most customers are only finding out about this mess when existing IOS URL Filtering licences expire and go for renewal, only to find the 3 month EOL process has stealthily boatanchored their implementation.
    Sez

  • DHCP reservation & DNS for content filtering

    Hi All,
    I am working around with server 2008 for quite a while and facing a problem as below,
    1.DHCP reservation error
    Server Ip:192.168.0.254 (configured as DNS server for local use only with AD & DHCP)
    DHCP scope: 192.168.0.100 to 192.168.0.200 excluded 192.168.0.100 to 192.168.0.110
    Earlier the same scope was 192.168.0.10 to 192.168.0.100. I was facing an error when I make an IP reservation against a MAC number. The error was "The unique identifier may not be correct do you want to use the identifier anyway", and when I click yes, "DHCP server received a message from a client that is not valid", and because of this error I am not able to make any reservations now against MAC numbers.
    The same error was also on the earlier scope and that's why I changed to a new scope, but it did not work. Any solutions will be much appreciated
    2.DNS fine tuning. 
    I have an open DNS account on which my WAN IP number is configured to do a content filtering. I have two LAN ports with the below IP number
    Local : 192.168.0.254 ( configured with no gateway and DNS as loopback (127.0.0.1)
    ISP: 192.168.0.253 (with ISP gateway and DNS as loop back adapter & open DNS)
    I have done content filtering and things are working fine. But I have to open up some machines out of this content filtering, and when I try to give the IP number in the fashion below:
    192.168.0.115
    255.255.255.0
    192.168.0.1
    DNS
    192.168.0.254
    ISP DNS to avoid filtering
    I find that 192.168.0.254 does the resolving and things are still filtered as per the schedule. Is there a way we can configure 192.168.0.254 (Local DNS server) to stop resolving web requests and only cater to resolving local names for connectivity?
    I do know it's too long but solutions for the same will help me out to solve it. Thanks in advance.
    Regards,
    Vaschell

    Hello,
    I have found something strange on the DHCP reservation. When I try to add a MAC number out of the network its able to make out a reservation.
    Is there any way to clear the MAC number cache or something else which I can try.
    A copy of the ipconfig /all for the server is below,
    C:\Users\Administrator>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : server
       Primary Dns Suffix  . . . . . . . : xyzabc.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : xyzabc.com
    Ethernet adapter LOCAL:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connectio
    #2
       Physical Address. . . . . . . . . : 00-1E-67-A4-F4-DC
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.254(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter ISP:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connectio
       Physical Address. . . . . . . . . : 00-1E-67-A4-F4-DB
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.253(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           208.67.222.222
                                           208.67.220.220
       NetBIOS over Tcpip. . . . . . . . : Enabled
    PPP adapter RAS (Dial In) Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.205(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter Local Area Connection* 8:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{0602F6CF-4B32-491F-994A-3C0952D
    B54}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{6A14710B-A078-4AF9-BD7A-989767F
    377}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 11:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\Administrator>
    Thanks,
    Vaschell

  • Cisco Content Engine for Content Filtering

    Hi All,
    I am looking for a low end solution for Content Filtering and would like to use Cisco Content Engine.
    1. The documentation said that Websense, Secure Computing SmartFilter (does not require separate SmartFilter) & N2H2 support is there on the CE. I used configurator on CE 510, but it did not give me option for any of those. I would appreciate any input in this regard.
    2. Also, I assume that once I get a Content Engine, I don't need to use Microsoft Proxy any more, please confirm.
    regards,
    Ahmer Ghazi

    You would have to Install the Smartfilter software on the Content engine that would work with the ACNS software running on the CE. SmartFilter software operates inside your network to control user access to external Internet resources and allows you to restrict access to World Wide Web pages, newsgroups, and FTP sites.
    For more details refer:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/uce/acns41/smrtfltr/sf_chap1.htm
    The Content Engine does the job of storing content locally and serving it to the users, so you would not need to use the Microsoft Proxy.

  • Content filtering for Public WiFi

    About 2 years ago, we set up free public wifi for our county park/zoo (we're government) and are using OpenDNS Umbrella services. During the summer months, we have about 5k visitors/day, and during peak days, about 10k visitors/day. We only really need a content filter for these people because it's a totally different pipe from our business network. The OpenDNS solution works well for us, but it gets a little pricey because they charge per AP (we're running Ruckus APs if anyone's curious).
    The cost hasn't really been an issue, but we're adding another 40 APs for a different campus (Healthcare setting, residents) and the price per AP will start to add up.
    Anyone have suggestions for any other solutions that might work in this scenario?
    This topic first appeared in the Spiceworks Community

    chiz1,
    Content filtering can be very important. You can limit certain services with our FamilyBase service http://vz.to/MYAZU9 What type of services/content were you looking to filter?
    LindseyT_VZW
    Follow us on Twitter @VZWSupport

  • I cannot access Content Library in iMovie - Content Library doesn't show on the iMovie screen and is greyed out when accessed through "windows" tab at the top. Also unable to update the projects/events (a suggested solution for a similar question).

    I cannot access Content Library in iMovie - Content Library doesn't show on the iMovie screen and is greyed out when accessed through "windows" tab at the top. Also unable to update the projects/events (a suggested solution for a similar question). I haven't had this issue before, I have always used the content library on the screen but haven't used this for about a month. How can I make the Content Library available?

    Thanks so much! I am backing up the entire computer now with an external hard drive - this should be fine right? And surely if I am backing up the whole computer these projects/videos will be backed up too? I wasn't sure how to do this any other way and I am clearly not great with tech issues. Once this is done and I am sure my projects/videos are safe I will do the delete and reinstall bit. Thanks for taking the time to help

  • Download of Firefox for Mobile is inhibited because "Your content filtering level doesn't allow you to download this item." How do I correct my content filtering level?

    I have a Samsung Galaxy SII with T-Mobile. The model # is SGH-T989, Android version 2.3.6

    "Content filter" is the Android Market's method for restricting certain applications that may provide access to "mature" content. You can disable content filtering in the settings of the Market app on your phone.
    -Michelle

  • Looking for a clone solution for Oracle WebCenter Content, Imaging and related products

    Hi,
    We are looking for a manual or automated cloning solution for Oracle WebCenter Content (UCM), Imaging (ICM) and related products. Oracle FMW has T2P cloning option, but we are looking for more specific to just this product to clone and configure (if needed). Any help is appreciated.
    Best Regards

    Hi
    Assuming you have set up Purchasing with accrual method on receipt (and not on period end), you could enter the PO lines with receipt required. The receipt transactions you are uploading will generate the accounting to charge the expense accounts / or inventory valuation account.
    There is no need to interface those also to Payables. In AP enter one invoice with the real monthly amount and match it to the purchase order level or to the receipts level. Approve and pay that invoice.
    Dina

  • Are Content Filters available from Verizon for Apple iPhone 5c?

    I noticed that Verizon offers Content Filters for my kids' Apple iPhone 4, but one is not offered for the 5c.  Is that correct?
    If so, what are some good alternatives for a dad concerned about his son's access to the garbage on the interweb?

    CluelessDad, we understand the importance of content filtering for your devices. The 4g apple devices do not support our content filtering options. You can try going into the settings for the browser on the device settings, general, restrictions and restriction options.
    Sheritah_vzw

  • Content filters for teens

    How do I set content filters for teenagers on iPhone 6?

    DBruce
    I definitely want to make sure you have all the answers you need to set up your teenager's device the way you want! There are built in Parental Controls in the iPhone 6. Check out all the details right here: http://bit.ly/1zZc3Pk
    RuthW_VZW

  • Content Filtering for new tablets

    We did this last year with our tablets. We went with iboss filtering, which I highly recommend, but it looks like you have web filtering in place so you would need to proxy the internet traffic. Contact the tech support of your web filtering and explain to them what you need to do and they will tell you what needs to be done on your end. Then you would have to create a configuration profile and push (you need MDM here) the proxy configurations to your tablets.

    Hello all,
    I work for a local high school and they just bought tablets for all of the kids to use during the school year. They are wanting content filtering while they are at school, which we have, but they are also wanting "off site" filtering as well. What/How is the easiest way to set that up? We currently have a Cisco Meraki firewall setup for the high school.
    This topic first appeared in the Spiceworks Community
