Technology Blog

Web Content Classification - a powerful new policy tool for the PEF Firewall

by Moderator ‎08-13-2014 04:50 PM

Last week, we released ArubaOS 6.4.2 for Mobility Controllers.  This release adds a significant new feature - Web Content Classification - to the already powerful set of controls included as part of the Policy Enforcement Firewall.  Let’s take a look at what it does, and how to use it alongside our application visibility and control, or “AppRF”.

Web Content Classification extracts URLs and hostnames from all traffic as it traverses the Aruba Networks Mobility Controller.  These URLs are then looked up in a local cache.  If there is no entry locally, a query is made to the cloud.  This allows customers to analyze and control the web browsing behavior of users based on category and risk.  There are 82 different categories, and five different levels of risk.

These two pieces of information - category and risk - can then be used in the Policy Enforcement Firewall to control traffic, just like you can use IP addresses, ports, and application information.  This means that you can block entire categories, rate limit them, and raise or lower the quality of service for each.  And just like with applications, these controls can be applied via the global policy, where they will affect  all users, or they can be applied only to certain roles.  

Web Categories
Here’s a look at the categories we use for classification.  They are  designed to allow you to enforce acceptable use policies and block or rate limit traffic based on these policies. It’s important to note that a website can be a member of more than one category.  So if you make a rule based on a category, it will be enforced if any of the categories returned for the site matches.

Pasted_Image_8_12_14__10_56_AM.png

There are a couple of very powerful applications of these categories I’d like to point out.  

First of all, there are five categories directly related to internet security.  These are Malware Sites, Phishing and Other Frauds, Spyware and Adware, and Spam URLs.  All of these categories are examples of places that you just don’t want to go.  These destinations have been found to exist strictly for these evil purposes.  Therefore, it would be an excellent idea to create rules blocking these sites, so that users of your network don’t visit them and become infected with malware or fall victim to a scam.

Secondly, there are a few categories that can help you control the bandwidth used on your wireless network.  Specifically, CDNs, Peer to Peer, and Streaming Media are categories that, if abused, could lead to quite a bit of traffic on your Wi-Fi network.  Depending on your business, these might be candidates for rate limiting.

One of the questions I am often asked about Web Content is how it is different from AppRF?  AppRF relies on deep packet inspection - looking for signatures, following protocol finite state machines, examining SSL certificates and metadata, and applying advanced heuristics on packet flows.  The result of these techniques is to classify about 1500 applications into 21 different categories.  These numbers are very good - better than most Wi-Fi vendors.  However, there are obviously millions of websites and web “applications” with new ones being created every hour of every day.  That’s where Web Classification comes in, with a database of over 20 million sites and growing.

There are a small number of categories of content that line up with AppRF categories.  Peer-to-Peer and streaming media are the most obvious.  If you’re trying to bandwidth limit, QoS, or block these types of apps, the web content classification feature will have a far wider set of websites and web applications that it can block, and that list will change quickly over time as new sites become available.  So if you are comfortable with a ‘wide net’ when enforcing policies, web content is the way to go.  If you’d rather just block a finite, know set of applications, then application categories are the best way.  

Note that you can get a list of applications that are part of an application category by using the CLI command “show dpi application category <name of category>”.  There is no way to get a list of all the sites that are part of a web content category.

Web Reputation
Another powerful feature of Web Classification is Web Reputation.

Web Reputation is a value from 0-100 based on how dangerous a website is.  We simplify this into five different levels for configuration purposes.  You can create policies to block websites based on their reputation, independent of what category a given website may fall under. This reputation is based on criteria such as:

  • Does the website have links to malware sites?
  • Does it have malware on it, or has it had malware in the recent past?
  • How long has the website existed?  Many malware sites have a very short lifespan.

Evernote.png

It would generally be a good idea to make a rule to block all traffic that is classified as “suspicious” or “high risk”.  These categories typically include no sites that are worthy of your users’ attention, and you should see less malicious activity on your network if you do so.

Exceptions
Another frequently asked question is “how do I override a categorization I don’t agree with?”  Since Web Content is seamlessly integrated with the PEF firewall, this is a very simple thing to do.  If you are trying to block all gambling sites, for example, but your CEO loves playing poker for free on pokerstars.com, all you need to do is make a “net destination alias”.  Put the alias above the rule that blocks the category, with a ‘permit’.  Since this rule will hit first, it will allow traffic to pokerstars while blocking the rest of the gambling category.  Check the GUI example below: 

Security_User_Roles.png

System Requirements
Web Content Classification is included with the 6.4.2 build, and requires a PEF license.  It is supported on all 7000 and 7200 series controllers.  Note that Aruba Instant has a similar feature in their 4.1 release, which is also available now. 

Comments
MVP MVP

There was talk of needing a license with the IAP version, is this still the case?

Moderator

Yes, there is a license for the feature on IAP.  Contact your channel partner or sales person for details.

 

However, we encourage everyone to try the feature for a short trial period and see if you like it.

Hi,

 

How this works about the Database? is online with arubanetworks, opendns o partner o what?

 

Regards.

Moderator

This feature is enabled by brightcloud.com's Web Classification and Web Reputation services.  There is some great information here - http://www.brightcloud.com/platform/webroot-intelligence-network.php - about how it works.  

 

Here are some interesting statistics about the web classification database:

 

The Webroot Intelligence Network includes:

  • 13 Billion URLs
  • 4 Billion File Behavior Records
  • 460 Million Domains
  • 740 Million IP Addresses
  • 7 Million Mobile Apps
  • 8 Million Connected Sensors
pgemme

Looks awesome!  Now we've really gotta rush and replace those AP70s. 

 

Would there be a way to single out bittorrent?  I would imagine Peer-to-Peer would be mostly that, just curious of potentially 'good' uses I'd be blocking.  Also, any idea if it blocks the inital 'seed'?

Moderator

You can use the AppRF application control feature to block bittorrent.   It's very hard to completely block it if the user has already gotten a torrent file (we will block torrent files effectively) so I actually recommend rate limiting it to 256K up and down also.

ecardanha

Looking forward to seeing this feature.  Had a questions about it.  It was mentioned in the release notes that an annual subscription will be required at a future time any idea on a time frame?  Also how that subscription will be done whether per Access Point or per Controller?

MVP MVP

Hello i got a question

Would the AppRF and the web filter would work  with an AP in split tunneling mode?

 

The idea we got is this

The client got a controller in the HQ

And got many RAPS in small branches.

 

The RAPS are configured as split tunnel as they want to authenticatre with captive portal but send the internet traffic through the  branch Internet.  They do not want to do tunnel mode  becuase they dont want to have internet traffic of the remote sites on the HQ.

 

Would the AppRF and the Webfilter will work inthis scenario for the clients in the branches connecting to the captive portal? or this just work in tunnel mode?

 

Cheers

Carlos?

mbayhylle

Will this be made available to the 3600 series of Mobility Controllers?

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Announcements
Read all about it! If it’s happening now, it’s in the community.

Check out the latest blogs from your community team, the community experts and other industry sources.
Labels