8e6 Filter Operation Overview
The "by-pass" deployment architecture of the 8e6 filter appliance ensures all web, IM, and P2P traffic is captured, logged, and checked against policy.
In the event 8e6 filter policy is violated, the 8e6 R3000 filter does two primary things:
- Issues an HTTP_client_redirect to the workstation that redirects the browser client to a specified block page (hosted on the R3000 or elsewhere). This is HTTP status code 302 -- see the reference section below.
- Issues TCP resets to the web server and the workstation to terminate the initial browser request (i.e. the request that violated policy).
8e6 Block Page Delivery
The 8e6 R3000 filter provides two methods for delivering the block page HTTP_client_redirect to the workstation browser:
- Via ARP lookup. The R3000 has the last packet issued from the workstation (via the sense interface), so it knows the workstation IP address from traffic collection. To deliver the HTTP_client_redirect, the R3000 does an ARP lookup to get the MAC address of the workstation and delivers the packet directly.
- Via a specific MAC address. As above, the R3000 knows the workstation IP address from traffic collection. It delivers the HTTP_client_redirect packet -- addressed to the workstation IP address -- to the MAC address listed in the R3000 config (by default the MAC address of the gateway in the R3000 network config). It is then up to the network gateway to route the HTTP_client_redirect packet back to the workstation.
In both cases, the R3000 constructs the HTTP_client_redirect packets so as to appear to come from the originally requested web server (e.g. http://www.playboy.com/). Thus the workstation receives packet(s) carrying an HTTP_client_redirect that appear to come from the requested web server and that instruct the workstation browser to load the block page hosted on the R3000 web service.
8e6 Block Operation Packet Detail
See the screenshot below for a Wireshark packet capture of a browser attempt to "http://playboy.com". The packet capture file is attached at the bottom of the topic.
- Line 3 is the browser GET issued by the workstation/client -- note the packet details in the bottom pane (i.e. playboy.com).
- Line 4 is the HTTP_client_redirect issued to the client workstation by the 8e6 R3000 filter. The 8e6 box spoofs the IP of the requested web server; the source MAC address is that of the 8e6 R3000 appliance.
- Line 7 is a TCP_Reset issued by the 8e6 R3000 filter to the web server (spoofing the IP of the client workstation).
- Lines 8 and 9 are TCP_Resets issued by the 8e6 R3000 filter to the client workstation (spoofing the IP of the requested web server).
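The capture lines above have one feature a network defender can key on: every frame the filter injects carries a spoofed IP source but the appliance's own MAC as the Ethernet source, whereas a genuine reply from the internet arrives with the gateway's MAC. The following script, added here as an illustration and not taken from the original post or from 8e6, classifies a constructed set of frames mirroring lines 3, 4, 7, 8 and 9 on that basis. All MAC and IP addresses in it are placeholders, not values from the attached capture file. Note that this check only distinguishes the ARP-lookup delivery method; when the redirect is handed to the gateway MAC for routing (the second delivery method above), the 302 reaches the client with the gateway's MAC and is not separable from real traffic at layer 2.

```python
"""Classify frames from a mirror-port capture of an in-line web filter block.

Added example, not part of the original post. The five frames below are
constructed to mirror lines 3, 4, 7, 8 and 9 of the capture described above.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed lab identities (assumptions, not values from the capture file).
CLIENT_IP = "192.168.1.50"
CLIENT_MAC = "00:11:22:33:44:55"
GATEWAY_MAC = "00:aa:bb:cc:dd:01"   # MAC the firewall/gateway presents to the LAN
FILTER_MAC = "00:e6:e6:e6:e6:01"    # MAC of the filter appliance's interface
SERVER_IP = "203.0.113.10"          # requested web server (documentation range)


@dataclass
class Frame:
    num: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    flags: str                  # TCP flags as a short string, e.g. "PA", "R"
    http: Optional[str] = None  # first line of HTTP payload, if any


def classify(frame: Frame) -> str:
    """Return a label describing the frame's role in the block sequence."""
    to_server = frame.src_ip == CLIENT_IP and frame.dst_ip == SERVER_IP
    to_client = frame.src_ip == SERVER_IP and frame.dst_ip == CLIENT_IP

    if to_server and frame.http and frame.http.startswith("GET "):
        return "client GET"

    if to_client and frame.http and frame.http.startswith("HTTP/1.1 302"):
        # A reply that really came from the internet enters via the gateway MAC.
        if frame.src_mac != GATEWAY_MAC:
            return "injected 302 redirect (filter MAC, spoofed server IP)"
        return "302 redirect via gateway"

    if "R" in frame.flags:
        # RSTs that claim the client's IP but were not sent by the client's
        # NIC, or claim the server's IP but did not enter via the gateway.
        if to_server and frame.src_mac != CLIENT_MAC:
            return "injected RST to server (spoofed client IP)"
        if to_client and frame.src_mac != GATEWAY_MAC:
            return "injected RST to client (spoofed server IP)"
        return "RST"

    return "other"


def injected_frames(frames: List[Frame]) -> List[int]:
    """Frame numbers whose label marks them as injected by the filter."""
    return [f.num for f in frames if classify(f).startswith("injected")]


# Constructed capture mirroring the post's lines 3, 4, 7, 8 and 9.
CAPTURE = [
    Frame(3, CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, "PA", "GET / HTTP/1.1"),
    Frame(4, FILTER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, "PA", "HTTP/1.1 302 Found"),
    Frame(7, FILTER_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, "R"),
    Frame(8, FILTER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, "R"),
    Frame(9, FILTER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, "R"),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(f"frame {f.num}: {classify(f)}")
```

Run against a real capture, the same logic applies once the frames are decoded (for example with Wireshark's text export), provided the gateway and client MACs are taken from the ARP table of the segment being monitored rather than hard-coded.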

Packet Capture Setup
The lab environment used to capture the data detailed above mirrors a "typical" 8e6 R3000 appliance deployment:
- Perimeter firewall doing hide-NAT.
- Firewall connected to a managed switch. The traffic passing through the physical firewall switch port is mirrored to a port for data collection. The 8e6 "best practice" is that the switch port monitor setup include only the TX side of port communication.
- All network traffic passes through the managed switch, including traffic for 8e6 management and 8e6 blocks (i.e. HTTP_client_redirect).
- For purposes of data collection, the switch mirror port is physically connected to a hub, which in turn has the 8e6 sense interface and a laptop connected (running Wireshark for data collection). The laptop sniffer and the 8e6 sense interface see exactly the same traffic passing to the firewall.
References
The HTTP response code 302 -- HTTP_client_redirect -- is the mechanism used to redirect the workstation browser client to the "block page" (hosted by the 8e6 appliance or elsewhere). More information on HTTP status codes can be found at the following: HTTP Redirection Response Codes