CacheGuard OS
User's Guide - Version 5.7.6
URL Guarding
The URL guarding feature allows you to restrict Web usage by filtering unwanted URLs in your organisation. It is based on blacklists (denied content) and white lists (authorised content) of domains and URLs: you can either give access only to the authorised Web sites enumerated in your white lists, or deny the content enumerated in your blacklists. A default guarding policy can be configured for all users, and specific guarding policies can be configured based on end users' IP addresses.
A very simple example is a school. In such an organisation young children should have very restrictive access to the Web, while teachers and other staff may have less restrictive access. To configure a very restrictive guarding policy you may use white lists of authorised Web content for classrooms. To configure a less restrictive policy for the staff you may deny only unwanted Web content (aggressive, porn, drugs...) and authorise everything else by using blacklists.
To define a guard category named "webMail", use the following command:
- guard category add webMail
- apply
This command creates an empty guard category named "webMail". The content of a guard category should be loaded from files located on a trusted file server (FTP or TFTP). A file server is declared trusted with the command "access file".
The content of a guard category should be defined in three compressed (gzip format) text files having the same base name but different extensions according to the content of those three files:
The first file should have the ".domains.gz" extension and contain a list of domain names. Only one domain name is allowed per line. Note that domain names enumerated in such a file should be base domain names without any prefixes. For instance "example.com" is an eligible base domain name while "www.example.com" is not a good candidate.
The second file should have the extension ".urls.gz" and contain a list of URLs. A URL is in the form <domain-name>/<uri> where the <domain-name> is a fully qualified domain name. Only one URL is allowed per line.
Finally, the third file should have the extension ".expressions.gz" and contain a list of regular expressions. Only one regular expression is allowed per line. When regular expression lists are used, every accessed URL is checked against the regular expressions, and if a pattern matches, access to that URL is rejected.
To set the content of the previous guard category "webMail" from the two files "webmail.domains.gz" and "webmail.urls.gz" located on the TFTP file server "172.18.2.1", use the following commands:
- guard category load create webMail tftp 172.18.2.1 webmail domains urls
- apply
After creating guard categories, two methods are available to define a guarding policy for a given subnet: the "deny" method with blacklists and the "allow" method with white lists. Like any other feature of the appliance, the guarding feature may be activated or deactivated at any time. To activate the guarding feature, use the following commands:
Deny method with Blacklists
The "deny" method consists of forbidding access to Web objects defined in blacklists; Web content not included in those blacklists is authorised. For instance, to forbid access to "webMail" sites for end users located in the subnet 10.26.0.0/255.255.0.0, use the following commands:
- guard add deny 10.26.0.0 255.255.0.0 webMail
- apply
Allow method with White lists
The "allow" method consists of authorising access only to Web content defined in white lists; access to Web content not present in those white lists is forbidden. For instance, to restrict end users located in the subnet 10.26.0.0/255.255.0.0 to "webMail" sites only, use the following commands:
- guard add allow 10.26.0.0 255.255.0.0 mail webMail
- apply
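As an added example that is not part of the CacheGuard guide or its software, the following Python script models both the three category list files described above (validating entries against the stated rules before writing the gzip files) and the "deny" and "allow" decision for a client subnet. The matching rules (subdomain match for domains, prefix match for URLs, regex search for expressions), the first-matching-subnet order, the unrestricted default for unlisted subnets, the category data and the second subnet 10.27.0.0/16 are all assumptions constructed for this example.

```python
import gzip, ipaddress, re, tempfile
from pathlib import Path
from urllib.parse import urlsplit

def write_category(directory, base, domains, urls, expressions):
    """Check the three lists against the guide's rules, then write base.<kind>.gz files."""
    for d in domains:  # bare base domains only: no "www." prefix, no path component
        if d.startswith("www.") or "/" in d or "." not in d:
            raise ValueError(f"not a base domain: {d}")
    for u in urls:  # <domain-name>/<uri>, written without a scheme
        if "/" not in u or "://" in u:
            raise ValueError(f"URL must be <domain-name>/<uri>: {u}")
    [re.compile(e) for e in expressions]  # raises re.error on a malformed pattern
    for ext, lines in (("domains", domains), ("urls", urls), ("expressions", expressions)):
        with gzip.open(Path(directory) / f"{base}.{ext}.gz", "wt") as fh:
            fh.write("".join(line + "\n" for line in lines))  # one entry per line

def load_category(directory, base):
    cat = {}
    for ext in ("domains", "urls", "expressions"):
        with gzip.open(Path(directory) / f"{base}.{ext}.gz", "rt") as fh:
            cat[ext] = [line.strip() for line in fh if line.strip()]
    cat["expressions"] = [re.compile(e) for e in cat["expressions"]]  # compiled once
    return cat

def in_category(url, cat):
    """Assumed match: listed domain or a subdomain of it, host/path under a listed URL, or expression hit."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, hp = parts.hostname or "", (parts.hostname or "") + parts.path
    return (any(host == d or host.endswith("." + d) for d in cat["domains"])
            or any(hp == u or hp.startswith(u.rstrip("/") + "/") for u in cat["urls"])
            or any(rx.search(url) for rx in cat["expressions"]))

def guard_decision(client_ip, url, policies, categories):
    """Mirror 'guard add deny|allow <ip> <mask> <cat...>'; assumed: first matching subnet decides, others unrestricted."""
    ip = ipaddress.ip_address(client_ip)
    for method, network, names in policies:
        if ip in ipaddress.ip_network(network):
            hit = any(in_category(url, categories[n]) for n in names)
            return "allow" if hit == (method == "allow") else "deny"
    return "allow"

def demo():
    # constructed "webMail" category, one deny subnet (10.26/16) and one allow subnet (10.27/16)
    with tempfile.TemporaryDirectory() as tmp:
        write_category(tmp, "webmail", ["example.com"], ["portal.example.net/mail"], [r"^https?://mail\."])
        cats = {"webMail": load_category(tmp, "webmail")}
    policies = [("deny", "10.26.0.0/255.255.0.0", ["webMail"]), ("allow", "10.27.0.0/255.255.0.0", ["webMail"])]
    urls = ("http://www.example.com/", "http://mail.example.org/", "http://portal.example.net/mail/inbox", "http://news.example.org/")
    return {(ip, u): guard_decision(ip, u, policies, cats) for ip in ("10.26.1.5", "10.27.1.5") for u in urls}
```

Running `demo()` shows the same request being denied in the blacklist subnet and allowed in the white list subnet, and vice versa for a site outside the category.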
Copyright (C) 2002-2011 CacheGuard - All rights reserved