Sidestepping inline URL content filters – Update
A while ago, I bemoaned the ease with which Cisco’s inline URL filtering can be bypassed. There were two main gripes:
- Only HTTP GETs were processed – POSTs etc. were not inspected
- You have to manually nominate the ports on which inspection takes place (although this can be mitigated with egress filtering)
I have since discovered a third bypass, whereby HTTPS traffic is not inspected at all, even if you manually alter the port-map settings so that port 443 is listed as plain HTTP.
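The following Python script is an added example, not code from the original post or from Cisco. It sends the same request to a host the filter is supposed to block over the three paths described above (POST, a port outside the inspection port-map, and HTTPS) and compares each outcome with the plain GET-on-80 baseline; anything that is not treated like the baseline went through uninspected. The host name, the alternate port (8080) and the assumed 403 block-page status are placeholders to adjust for your own network. It also contains a simulated filter that behaves as the post describes (plaintext GETs on nominated ports only), so it runs offline when no host is given.

```python
"""Probe an inline URL filter for the three gaps described in the post:
POST requests, ports not in the inspection port-map, and HTTPS.

Added example, not the author's code or Cisco's. The host name, the
alternate port and the 403 block-page status are assumptions.
"""
import http.client
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    name: str
    host: str
    port: int
    method: str
    tls: bool


def build_probes(host, alt_port=8080):
    """The baseline (plain GET on port 80) should be filtered; the other
    three are the bypass candidates described in the post."""
    return [
        Probe("baseline: GET / port 80 / plain", host, 80, "GET", False),
        Probe("POST / port 80 / plain", host, 80, "POST", False),
        Probe(f"GET / port {alt_port} / plain (not in port-map)", host, alt_port, "GET", False),
        Probe("GET / port 443 / HTTPS", host, 443, "GET", True),
    ]


def real_connect(probe, timeout=5.0):
    """Open a live connection (used when probing a real network)."""
    if probe.tls:
        return http.client.HTTPSConnection(probe.host, probe.port, timeout=timeout,
                                           context=ssl.create_default_context())
    return http.client.HTTPConnection(probe.host, probe.port, timeout=timeout)


def send_probe(probe, connect=real_connect, path="/"):
    """Return an outcome string: 'HTTP <status>' or 'error: <type>'.
    A filter may answer with a block page or simply reset the connection,
    so connection errors are recorded as outcomes, not raised."""
    body = "q=test" if probe.method == "POST" else None
    headers = {"Host": probe.host}
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    try:
        conn = connect(probe)
        try:
            conn.request(probe.method, path, body=body, headers=headers)
            return f"HTTP {conn.getresponse().status}"
        finally:
            conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return f"error: {exc.__class__.__name__}"


def run_probes(host, connect=real_connect, alt_port=8080):
    """Run every probe and list those not treated like the filtered baseline."""
    outcomes = [(p.name, send_probe(p, connect)) for p in build_probes(host, alt_port)]
    baseline = outcomes[0][1]
    bypassed = [name for name, outcome in outcomes[1:] if outcome != baseline]
    return {"baseline": baseline, "outcomes": outcomes, "bypassed": bypassed}


# --- Offline simulation of the filter behaviour the post describes -------
class _FakeResponse:
    def __init__(self, status):
        self.status = status


class SimulatedFilterConnection:
    """Stands in for a connection through a filter that inspects only
    plaintext GETs on the nominated ports (assumed block status: 403).
    TLS traffic is never inspected, even if 443 is in the port-map."""
    def __init__(self, probe, inspected_ports=(80,)):
        self.probe, self.inspected_ports, self.method = probe, inspected_ports, None

    def request(self, method, path, body=None, headers=None):
        self.method = method

    def getresponse(self):
        p = self.probe
        inspected = (not p.tls) and p.port in self.inspected_ports and self.method == "GET"
        return _FakeResponse(403 if inspected else 200)

    def close(self):
        pass


def simulated_connect(probe, inspected_ports=(80,)):
    return SimulatedFilterConnection(probe, inspected_ports)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = run_probes(sys.argv[1])                      # live network
    else:
        result = run_probes("blocked.example", simulated_connect)  # offline
    for name, outcome in result["outcomes"]:
        print(f"{outcome:<12} {name}")
    print("bypassed:", ", ".join(result["bypassed"]) or "none")
```

Run it with no arguments to see the simulated filter pass all three bypass candidates, or with a host name the filter should block to probe a real network. Only the baseline is expected to differ; a real filter that resets connections rather than serving a block page will show `error: ConnectionResetError` as its baseline instead of a status code, and the comparison still works.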
I’m pleased to report that I’ve successfully raised a product enhancement request to remedy some of this (big thanks to Herbert at Cisco TAC for getting the ball rolling here!) – the inspection of POSTs and of HTTPS is on the development roadmap for a future version of IOS.
Timescales? I have no idea. Best estimate is a one-year timeframe, but better late than never!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk