Complex policies for restricting users going to Internet

Discussion in 'Cisco' started by jmarkotic, Jan 7, 2004.

  1. jmarkotic

    jmarkotic Guest

    I'm looking for a way to set up policies for users defined on some directory
    service (Active Directory or native LDAP like SunONE ...) when going out to
    The idea is to use one database of users (i.e. AD) and Single Sign On is
    used. After authenticating to a domain/AD, the user gets permissions and other
    parameters that define him (Internet resources he can reach, bandwidth
    parameters etc).
    I would like to have the capability to permit/deny specific Internet resources
    (pornography, gambling etc) during business hours and after, but with respect to
    a user/group of users.
    Since Websense seems to be popular I'm considering Websense as a part of big
    In some marketing papers from Websense I see that it supports integration
    with AD. I was wondering how that works with PIX. I want only users
    authenticated on AD to be able to reach the Internet. PIX doesn't know the concept
    of users defined somewhere.
    As far as I have seen, PIX only takes the http/ftp URL from the user's connection,
    passes it to Websense and receives a permit/deny response for that URL. How
    should it differentiate if the user is authenticated? Is that a role of Websense?
    Do I need to use proxy software (like MS ISA) for integration with Websense
    to use such per-user/group policies?
    I want to use different policies for users that are authenticated. For
    example ordinary users can browse only what's necessary for their work,
    power users to be able to browse everything etc.

    Also, I would like to be able to limit bandwidth for some group of users.
    Again, according to users in AD, not IP addresses of users (DHCP is used, so
    it's hard to make a decision by IP address).
    Since most of the Internet traffic is from the Internet (and not to the
    Internet), I'm not sure which QoS traffic policies I can put in place to be efficient
    on routers/switches. It seems that it would help to use a proxy as a central
    point through which everyone passes. It seems that then I could set up such policies.
    I've seen that squid proxy has the concept of pools for different groups of
    Any comments/ideas?
    Is there a way I can use the 802.1x mechanism to define some ACLs and traffic rate
    parameters on the switch when a user authenticates to the network?

    I'm looking for some common sense scenarios for controlling users when going
    to the Internet and spending link resources.

    jmarkotic, Jan 7, 2004

  2. Jura,

    As far as I am aware (and I'm a certified Websense Engineer on 5.1) the PIX
    passes the Username (or IP address depending on what authentication can be
    achieved) to the Websense server looking for a yes/no to each URL (a single
    page may have ten unique URLs in it e.g. Graphics etc).

    The Websense server determines the user/group/ipsubnet/etc and the active
    enforcement policy (porn/news/religion) and the day of week/time/etc and
    returns the yes/no based on the configuration.


    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    scott enwright, Jan 8, 2004

  3. jmarkotic

    jmarkotic Guest

    Since PIX supports only XAUTH, I should set up a RADIUS/TACACS server that is
    configured to do name/password resolution on Active Directory. And as I have
    read, there is a problem when one has more than one domain in the network, since
    PIX forwards only the username to Websense and not domain\username.
    I have never done it but I assume if I set XAUTH on the proxy via RADIUS, on
    the first connection the user would be presented with a dialog box for
    username/password and after supplying one, PIX would send the username/URL pair
    to Websense.
    But I also have Cisco Cache Engine and it's supposed to have support for
    NTLM authentication. Cache Engine also supports Websense so I assume
    Cache Engine would authenticate users transparently (if they are logged in to
    the domain/AD) and would send username/URL to Websense immediately.
    Am I right?
    What about some native Websense support for AD? There are some DC agents
    that are installed on all clients and Websense then can natively
    authenticate users without the cache engine/PIX doing any authentication?
    Is Websense ever doing a query to a Domain/AD server, or does Websense only decide
    according to a username/URL (and authenticating the user is someone else's job,
    like the proxy, PIX etc)?

    jmarkotic, Jan 8, 2004
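As an added illustration (not code from the thread, the PIX or Websense), a small Python model of the lookup flow scott describes, extended with the domain\username ambiguity raised in the post above: the directory, hostnames, categories, business hours and fail-closed behaviour are all constructed assumptions.

```python
from datetime import time
from urllib.parse import urlsplit

# Constructed directory: two domains, each mapping bare usernames to a group.
# "alice" exists in both, to show what a filter that only receives the bare
# username (no domain) has to cope with.
DIRECTORY = {
    "corp": {"alice": "ordinary", "bob": "power"},
    "lab": {"alice": "power"},
}

# Constructed URL category database keyed by hostname (stand-in for a
# vendor category list; hostnames are made up).
CATEGORIES = {
    "www.example-gambling.test": "gambling",
    "www.example-adult.test": "adult",
    "news.example.test": "news",
    "intranet.example.test": "business",
}

# Per-group policy: categories permitted inside and outside business hours.
# "*" means everything is permitted (the "power users" case in the thread).
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)
POLICY = {
    "ordinary": {"business_hours": {"business"}, "after_hours": {"business", "news"}},
    "power": {"business_hours": {"*"}, "after_hours": {"*"}},
}

def resolve_group(username, domain=None):
    """Map a username to its group. Without a domain, a bare name found in
    more than one domain is ambiguous and the model fails closed (None);
    that is this example's assumption, not documented vendor behaviour."""
    if domain is not None:
        return DIRECTORY.get(domain, {}).get(username)
    hits = [users[username] for users in DIRECTORY.values() if username in users]
    return hits[0] if len(hits) == 1 else None

def categorize(url):
    """Look up the URL's hostname in the category database."""
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORIES.get(host, "uncategorized")

def decide(username, url, now_hhmm, domain=None):
    """Return 'permit' or 'deny' for one (user, url) lookup at time 'HH:MM'."""
    group = resolve_group(username, domain)
    if group is None:
        return "deny"  # unknown or ambiguous user: deny
    now = time.fromisoformat(now_hhmm)
    window = "business_hours" if BUSINESS_START <= now < BUSINESS_END else "after_hours"
    allowed = POLICY[group][window]
    return "permit" if "*" in allowed or categorize(url) in allowed else "deny"
```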
