
Access Control Lists

March 2003

ACLs 1

Objectives
When you have completed this module you will be able to do the following:
Recall regular expression syntax rules
Describe ACL building blocks
Set restrictions
Control access and requests


Access Control List (ACL) Overview


Rules for controlling access to the NetCache
NetCache is permissive by default (ACLs off)
Use ACLs to:
Control client requests for access to protocols
Control user and group access to the Internet
Impose restrictions inside the intranet domain

Types:
User and Group
Global access control
Request-type access control
SmartFilter and WebWasher modifiers

Access Control List Overview


ACLs are methods for controlling access to the NetCache Appliance by creating sets of
rules, or access control lists (ACLs). NetCache is permissive by default; that is, ACLs are
not enabled and no requests are denied. Access control settings prevent unauthorized
clients from accessing the services of a NetCache Appliance and restrict the access of
authorized clients. Sets of rules, or access control lists (ACLs), are used to control
individual and group access to the Internet, and to impose restrictions inside the intranet
domain.
ACLs govern client requests for access to web content and supported protocols, such as
HTTP, FTP, Gopher, and Tunnel.

Individual and group access


ACLs can be applied explicitly to authorized users, but they are also effective for
administering access control to individuals as part of a group.


Global Access Control


The Global Access Control option allows you to set rules to allow or deny access to web
objects or domains by specifying URLs or servers to which you want to restrict access.
Global access control settings are processed for every request sent to the NetCache
Appliance. NetCache follows Global rules, regardless of any content category restrictions
set in the SmartFilter options.
For example to deny access to a specific URL, use the following entry:
deny url "http://www.objectionable.com"

Request-Type Access Control


The Request-Type Access Control option allows you to set rules that allow or deny
access to particular types of requests, such as FTP. Generally, Request-Type settings are
protocol-specific. NetCache follows Request-Type rules, regardless of any rules
configured in the Global Access Control option and any content category restrictions set
in the SmartFilter options.
For example to deny FTP requests between 9 a.m. and 5 p.m., specify the following
entry:
deny time 9am - 5pm

SmartFilter Modifiers
Allow you to control access to Web sites, for example, Web sites that contain
objectionable content.

Access Control - WebWasher DynaBLocator


DynaBLocator blocks access to Internet content in prohibited categories. When you
select a category or subcategory, all requests for content in that category or subcategory
are blocked.

Access Control Options


The Access control options settings allow you to specify a NetCache default action when
no rule matches occur.


Access Control Lists


Simple language
Access controls applied to groups
Examples:
  Authenticate Internet requests:
    auth not server-name www.mycorp.com
  No gambling during business hours:
    deny smartfilter gambling and time 9am - 5pm
  Only the executive staff can gamble:
    re-auth smartfilter gambling and not group execs

ACL building blocks


ACLs contain sets of rules that control client access to intranet and internet services.
These rules, or ACL entries, allow or deny requests based on a number of variables, such
as request headers and client IP addresses. ACLs are associated with specific users,
groups of users, and types of requests, such as HTTP.


Access Control Actions


allow
deny
redirect <url>
rewrite
rewrite-redirect
auth

re-auth
try-auth
proxy
set bitrate <bitrate-range>
cache
no-cache

ACL Actions
ACL actions determine the type of control implemented.
Refer to Chapter 1, Access Control in the NetCache 5.4 Security Guide for specific
information regarding access control actions.


Action Expression Syntax


allow client-ip 128.126.10.0/24
Allow access to the specified clients

auth FTP
Require authentication for all FTP requests

allow time 9am - 5pm
Allow access between 9am and 5pm

deny FTP
Deny all FTP requests

Action Expression Syntax


ACL                                  Effect
allow client-ip 128.126.10.0/24      Allows access to everyone on the 128.126.10.0 subnet
auth FTP                             Requires authentication for all FTP requests
deny server-name matches .*\.net     Denies access to the .net domain
allow time 9am - 5pm                 Allows access between 9 a.m. and 5 p.m.
deny FTP                             Denies all FTP requests


ACL Rule Checking


1. Check protocol authentication settings
2. Check ACL permission settings for the applicable group in the NetCache user database
3. Check the request-type (protocol specific) ACL
4. Check Web accelerator ACL
5. Check global ACL
6. Verify whether WebWasher denies the request
7. Verify whether SmartFilter denies the request
8. Check group protocol permissions settings
9. Allow the request


Controlling Access to Web Objects

Control access to URLs
  block URLs
  redirect requests
Control access to the proxy
  client IP address
  network or subnet address


ACL Syntax
Action Variable Value

Example:
netcache>allow group finance


Controlling Web Access


deny url http://www.corp.com
Denies access to a specific URL.

deny server-ip 10.10.10.11
Denies access to a specific server

deny server-name matches www.bad.com
Denies access to a specific server

allow group finance and server-name www.bad.com
Allows requests from the finance group to access bad.com


Controlling Client Access


allow client-ip 192.168.1.4
Allows a specific client access to NetCache services

deny client-ip 128.148.37
Denies a specific client subnet access to NetCache services

deny client-domain corp.com
Denies a specific client domain access to NetCache services

allow time 9am - 5pm
Allows access to NetCache services from 9 a.m. to 5 p.m.

deny group finance
Denies requests to access NetCache services from members of the finance group


Redirect Rule
Grammar
rule destination source

Example
redirect http://www.mycorp.com/restricted.html server-ip 128.125.51.1

Effect
When a request is made to the server at 128.125.51.1, the client goes to
www.mycorp.com/restricted.html instead

Redirecting requests
A redirect action immediately redirects the request back to the client, causing the client's
browser to attempt to fetch the new URL, usually through the cache. You can redirect
NetCache-generated access-denied messages to a URL that explains why access was
denied and gives instructions on how the user can resolve the problem.

Example:
To redirect requests from server subnet 128.125.51.1 to an internal web page, use the
Access Control Options on the Access Settings page of the NetCache Manager utility to
specify the following rule:
redirect http://www.mycorp.com/restricted.html server-ip 128.125.51.1
Because redirect causes the client to issue a new request to the cache, a redirection loop
might occur. To avoid a redirection loop, use rewrite or use the Global Access Control
option on the Access Control Settings page of the NetCache Manager utility to explicitly
allow the redirection URL. For example,
allow url http://www.mycorp.com/gambling.html
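The loop and the two remedies described above, simulated in Python as an added example (not NetCache code). Rules are plain predicates rather than ACL text; the constructed category table assumes the redirect target itself falls into the blocked Gambling category, which is what makes the browser's follow-up request match the redirect rule again. The allow-first variant and the rewrite variant mirror the two remedies in the notes, and the URL http://www.mycorp.com/gambling.html is the one the notes allow explicitly.

```python
"""Simulation of the redirect loop the notes warn about (added example, not
NetCache code).  Rules are plain Python predicates rather than ACL text.  The
assumption that produces the loop: the explanation page the browser is sent to
is itself in the blocked SmartFilter category, so the client's follow-up request
matches the redirect rule again."""

POLICY = "http://www.mycorp.com/gambling.html"    # the URL the notes say to allow explicitly

# Constructed stand-in for the SmartFilter category lookup
CATEGORY = {
    "http://www.casino.example/": "Gambling",
    POLICY: "Gambling",                           # the policy page was categorised too
}

def is_gambling(url):
    return CATEGORY.get(url) == "Gambling"

def redirect_rules(explicit_allow):
    """redirect <POLICY> smartfilter Gambling, optionally preceded by allow url <POLICY>."""
    rules = []
    if explicit_allow:
        rules.append(("allow", None, lambda url: url == POLICY))
    rules.append(("redirect", POLICY, is_gambling))
    return rules

def rewrite_rules():
    """rewrite <POLICY> smartfilter Gambling: the cache fetches the other object itself."""
    return [("rewrite", POLICY, is_gambling)]

def first_match(rules, url):
    for action, target, pred in rules:
        if pred(url):
            return action, target
    return "allow", None                          # permissive default

def fetch_through_proxy(rules, url, max_hops=5):
    """Behave like a browser: follow each redirect with a new request through the
    cache.  Returns ('ok', url_served) or ('loop', hops) once the hop budget is spent."""
    hops = 0
    while hops < max_hops:
        action, target = first_match(rules, url)
        if action == "redirect":                  # client is told to ask again
            url, hops = target, hops + 1
            continue
        if action == "rewrite":                   # no second client request is needed
            return "ok", target
        return "ok", url
    return "loop", hops
```

With only the redirect rule, the request for the casino site bounces between the policy page and the redirect rule until the hop budget runs out; putting the explicit allow first, or using rewrite, serves the policy page on the first pass.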


Rewrite Rule
Grammar
rule destination source

Example
rewrite http://www.safe.com/restrict.html url-prefix http://www.block.com

Effect
Replace the HTTP contents of www.block.com with the contents of www.safe.com
without maintaining links

Rewriting requests
A rewrite will internally rewrite a URL, causing NetCache to fetch a different object and
return it to the client, if the request is allowed. You can also rewrite requests for restricted
objects to other URLs by creating a pattern-matching expression or rule that represents
the URL to which requests are directed.

Example:
To rewrite requests for block.com to safe.com use the Access Control Options on the
Access Settings page of the NetCache Manager utility to specify the following rule:
rewrite http://www.safe.com/restrict.html url-prefix http://www.block.com

Optional syntax
Rewrite and redirect rules have the same action expression syntax. Optionally,
the action can be followed by a URL that is the redirection target. The URL must be
included in double quotation marks:
<action> URL <expression>
For example,
redirect http://mycorp.com/no-gopher.html gopher


ACL Evaluation Logic

Start -> Evaluate rule -> Match?
  No  -> Next rule
  Yes -> Auth or rewrite?
           Yes -> Next rule
           No  -> Stop
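The rule-checking order listed earlier and the match/continue/stop flow of this slide are easier to see in code. The following is an added example written for this page, not NetCache code: a small Python evaluator for a subset of the ACL grammar used on these slides (client-ip, server-name, url, url-prefix, group, time, smartfilter, and the bare auth and ftp keywords, with matches/contains, and/or/not and parentheses). Its assumptions are labelled in the comments: and/or are applied left to right with equal precedence, a time range includes its start hour and excludes its end hour, a truncated client address such as 128.148.37 is read as a classful prefix, and the default when no rule matches is allow, following the permissive default described in the overview. check_order consults the request-type ACL before the global ACL, which is the behaviour the precedence exercise at the end of this module explores.

```python
"""Toy evaluator for the ACL grammar on these slides (added example, not NetCache
code).  Subset: client-ip, server-name, url, url-prefix, group, time, smartfilter,
the bare keywords auth and ftp, the operators matches / contains / implicit equals,
and and / or / not / parentheses.  Stop-or-continue follows the evaluation-logic
slide: a matching auth or rewrite rule is recorded and evaluation goes on; any
other match ends it."""
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    client_ip: str
    url: str
    hour: int                                      # local hour of the request, 0-23
    protocol: str = "http"
    groups: set = field(default_factory=set)
    categories: set = field(default_factory=set)   # SmartFilter categories of the URL
    authenticated: bool = False
    @property
    def server_name(self):
        return re.sub(r"^[a-z]+://", "", self.url).split("/")[0]

def tokenize(text):
    """Quoted strings stay whole; a regex with spaces or parentheses must be quoted."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[()]|[^\s()"]+', text)]

def clock(tok):
    """'9am' -> 9, '5pm' -> 17, '12pm' -> 12, '12am' -> 0."""
    h, ap = re.fullmatch(r"(\d{1,2})(am|pm)", tok).groups()
    return int(h) % 12 + (12 if ap == "pm" else 0)

class Parser:
    """Recursive descent; 'and'/'or' bind left to right with equal precedence (assumption)."""
    def __init__(self, toks): self.toks, self.i = toks, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def expr(self):
        node = self.term()
        while self.peek() in ("and", "or"):
            node = (self.take(), node, self.term())
        return node
    def term(self):
        if self.peek() == "not":
            self.take(); return ("not", self.term())
        if self.peek() == "(":
            self.take(); node = self.expr()
            assert self.take() == ")", "unbalanced parenthesis"
            return node
        var = self.take()
        if var in ("auth", "ftp"):                 # bare keywords take no value
            return ("pred", var, None, None)
        op = self.take() if self.peek() in ("matches", "contains") else "eq"
        val = self.take()
        if var == "time":                          # 'time 9am - 5pm'
            assert self.take() == "-"
            val = (clock(val), clock(self.take()))
        return ("pred", var, op, val)

def holds(node, req):
    kind = node[0]
    if kind == "and": return holds(node[1], req) and holds(node[2], req)
    if kind == "or": return holds(node[1], req) or holds(node[2], req)
    if kind == "not": return not holds(node[1], req)
    _, var, op, val = node
    if var == "auth": return req.authenticated
    if var == "ftp": return req.protocol == "ftp"
    if var == "time": return val[0] <= req.hour < val[1]   # start inclusive, end exclusive
    if var == "group": return val in req.groups
    if var == "smartfilter": return val.lower() in {c.lower() for c in req.categories}
    if var == "url-prefix": return req.url.startswith(val)
    if var == "client-ip":
        # a truncated address such as 128.148.37 is read as a classful prefix (assumption)
        octets = val.split("/")[0].count(".") + 1
        if octets < 4: val += ".0" * (4 - octets) + f"/{8 * octets}"
        return ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(val, strict=False)
    subject = {"url": req.url, "server-name": req.server_name}[var]   # KeyError: unsupported variable
    if op == "matches": return re.search(val, subject) is not None
    if op == "contains": return val in subject
    return subject == val

def parse_rule(line):
    # redirect/rewrite carry a target URL before the expression; other actions do not
    toks = tokenize(line)
    action, target = toks[0], None
    if action in ("redirect", "rewrite", "rewrite-redirect") and "://" in toks[1]:
        target, toks = toks[1], [action] + toks[2:]
    return action, target, Parser(toks[1:]).expr()

def run(rules, req, default="allow", cont=("auth", "re-auth", "try-auth", "rewrite")):
    """Walk one ACL top to bottom: (decision, target, recorded auth/rewrite effects)."""
    effects = []
    for line in rules:
        action, target, expr = parse_rule(line)
        if not holds(expr, req): continue
        if action in cont:                         # matched, but evaluation continues
            effects.append((action, target)); continue
        return action, target, effects
    return default, None, effects

def check_order(acl_sets, req):
    """Rule-checking order from the slides: request-type ACL before global ACL."""
    for name in (req.protocol, "global"):
        decision, _, _ = run(acl_sets.get(name, []), req, default=None)
        if decision is not None: return name, decision
    return None, "allow"                           # permissive default when nothing matches
```

With the rules from the Access Control Lists slide, an unauthenticated request for a site in the Gambling category at 10 a.m. records the auth requirement from the first rule and is then denied by the time rule; the same request at 8 p.m. falls through to the redirect. Swapping the order of allow client-ip 128.126.10.0/24 and deny server-name matches .*\.net flips the outcome for a client on that subnet, because the first terminal match wins; and a global deny for www.hotmail.com is never reached when the HTTP ACL already allows it.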


Request Type ACLs

HTTP
HTTP-Based Tunneling
Web Server Acceleration
FTP
NNTP
Streaming
Global


req-line ACL variable

Uses only the request line of the HTTP request as its value:
GET http://web.netapp.com/ HTTP/1.0
Allowed in the HTTP ACL only
Alternate way to deny specific HTTP methods:
deny req-line contains GET
deny req-line matches ^POST
Req_headers might give false matches because it matches against all of the headers
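The false-match caveat above, as an added example that is not part of the slides: two Python functions stand in for a regex applied to the request line only and for a substring search over every header line of the same request. The request is a constructed sample whose Referer header happens to contain the string POST, so the header-wide search reports a POST that the anchored request-line match correctly rejects.

```python
"""Why the slides prefer 'req-line' to a whole-header match for blocking HTTP
methods (added example, not NetCache code).  The request is a constructed sample;
the two functions imitate 'req-line matches <regex>' and a substring search over
every header line."""
import re

# Constructed sample: a GET whose Referer header happens to contain "POST"
SAMPLE = (
    "GET http://web.netapp.com/ HTTP/1.0\r\n"
    "Host: web.netapp.com\r\n"
    "Referer: http://forum.example/POST-your-question\r\n"
    "User-Agent: example/1.0\r\n"
    "\r\n"
)

def request_line(raw):
    """First line of the request, METHOD URL VERSION: what 'req-line' sees."""
    return raw.split("\r\n", 1)[0]

def method(raw):
    return request_line(raw).split(" ", 1)[0]

def req_line_matches(raw, pattern):
    """'deny req-line matches ^POST': the regex is applied to the request line only."""
    return re.search(pattern, request_line(raw)) is not None

def any_header_contains(raw, needle):
    """Search every line of the request head, as a header-wide variable would."""
    head = raw.split("\r\n\r\n", 1)[0]
    return any(needle in line for line in head.split("\r\n"))
```

Anchoring the pattern with ^ matters as well: contains GET on the request line would also match a GET whose URL merely contains those letters, whereas ^POST matches the method and nothing else.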


Protocol Specific ACL Examples


HTTP ACL
deny url "http://www.gambling.com"
HTTP-Based Tunneling ACL
deny url "http://www.games.com"
Web Server Accelerator ACL
deny not accel
FTP ACL
deny ftp
NNTP ACL
deny nntp
Streaming ACL
allow client-ip xxx.xx.xxx.40
where requests for streams from client xxx.xx.xxx.40 are allowed.

Protocol Specific ACLs


Rules set using the protocol-specific options on this page (including streaming MMS and
RTSP) are request-type rules. Request-type rules control access to requests of a particular
type, or protocol. Global rule settings, also on this page, impose restrictions on all traffic
but do not take precedence over request-type rules when applied.
Refer to Online Help for specific configuration information.


Example ACLs
allow client-ip 206.79.5.0/24 or client-ip 206.79.6.1
Allow access to the specified client IP addresses

deny server-ip 206.79.5.61
Deny access to the specified server IP address

auth ftp
Require authentication for FTP requests

deny group peons and time 9am - 5pm
Deny access to members of the group peons between 9am and 5pm

deny user bob and smartfilter Gambling
Deny any gambling-related site requests from bob

deny smartfilter Worthless and time 9am - 5pm
Deny all requests for access to sites categorized by SmartFilter as Worthless
between 9am and 5pm


More Examples
deny url matches badword
Deny access to any URL containing the specified bad word

deny url-prefix ftp://www.mycorp.com/blocked/
Deny access to the specified FTP URL

deny ftp
Deny all FTP requests

auth time 9am - 5pm
Require authentication for all requests between 9am and 5pm

deny not ( auth or server-name matches "mycorp.com$")
Allow access to authenticated users or all access to the specified server while
denying access to everyone else

redirect "http://mycorp.com/gambling-policy.html" smartfilter Gambling
Send all requests for gambling sites to the specified URL


ACL Wizards
New feature and concept in NetCache
Provide methods to easily access sets of ACLs
Each wizard:
Scans full ACL list and returns relevant, simplified output
Takes a list of simplified input and converts this into the
ACL equivalents
If adding
Runs ACL validation on the new ACL input
Appends new ACLs if passed, otherwise returns error
If deleting, attempts to remove specified input


aclwiz
netcache> aclwiz
usage:
aclwiz show {keyword}
aclwiz add {keyword} {value|\\}
aclwiz delete {keyword} [value|\\]
aclwiz set {keyword} {value|\\}
where {keyword} can be:
filter_exception

aclwiz command
In NetCache 5.4, you can use the aclwiz command as a simple way to set ACLs by using
the filter-exception template. This template enables you to allow specific URLs in a
WebWasher DynaBLocator or SmartFilter category that you have blocked. This
command takes two forms of input: HTTP URLs, for example, http://www.netapp.com
and any phrase used in a regex URL search.

Refer to the NetCache 5.4 Command Line Reference for additional information.


Exceptions to HTTP Filtering using an Access Control List Wizard

HTTP Filtering using ACL Wizard


Exceptions to HTTP Content Filtering
Objective:
Customer desires an easy way to poke holes into our 3rd party HTTP content
filtering libraries
For instance, the Investment category may be blocked, but administration wants
to allow access to 401k websites

Solution:
NetCache has the objective functionality within the ACL infrastructure
Unfortunately, ACL manipulations are often complicated, and a single change may
have adverse effects
Additionally, customers may have low-level administrators who don't, and
shouldn't, have the ability to modify ACL lists directly
Therefore, ACL wizard functionality has been added to allow simple, directed
access to our ACL infrastructure


Translations and Heuristics of the HTTP Content Filtering ACL Wizard
Takes two forms of input:
1. HTTP URLs, e.g. http://www.netapp.com
2. Any phrase, used in a regex URL search

Converts input into ACLs:
1. allow url http://www.netapp.com
2. allow url contains any-phrase

Always appends to end of ACL list


Setup > Access Control > SmartFilter > General


Setup > Access Control > WebWasher > Categories


ACL Exercises
Practice using ACL syntax
Control Access to a Specific URL
Learn about ACL Precedence


ACL Exercises

30 minutes in length
Use breakout rooms
Instructor will visit all rooms
Broadcast announcement 5 minutes
prior to regroup
Stay focussed, start telnet, start GUI
Share microphones, or no one else can
be heard


Access Control Lists Exercises


Objectives
When you have completed this module you will be able to control client access to the
NetCache.

Exercise Overview
The purpose of this activity is for you to perform the procedures that provide experience in
using NetCache access control lists. During these exercises, you will be guided through
each step in the process, and will have an opportunity to verify that each step was
successfully completed.

Time Estimate: 15 minutes


Required Hardware, Software, and Tools
Hardware

Workstation

NetCache appliance

Software

NetCache 5.4

Netscape Navigator 4.7

Internet Explorer 5.5 or later


ACL syntax
Describe the effect each of the following ACLs will have. Use your assigned NetCache
appliance to test your answers.
1. deny url matches badword
2. What is the difference between the following two ACLs?
   deny url matches http://www.mycorp.com
   deny url http://www.mycorp.com
3. deny url-prefix ftp://www.mycorp.com/blocked/
4. deny ftp
5. auth time 9am - 5pm
6. redirect "http://mycorp.com/gambling-policy.html" smartfilter Gambling


for each of the following situations:
1. Require authentication for all members of the Finance group.
2. Deny access to CNN during working hours (9 am to 5 pm).
3. Do not require authentication for access to www.netapp.com.

Control Access to a Specific URL

Configure the NetCache access control using the options on the Access Control page in
the NetCache Manager utility.
1. From the NetCache Manager select Setup > Access Controls > Access Control Lists.
2. Select ACL Enable.
3. Scroll to the HTTP ACL section and enter the following:
   deny url http://www.netapp.com
4. Commit changes.
5. Open a new browser window and try to access http://www.whitehouse.gov
   What happened?
6. From the NetCache Manager, go to Setup > Access Control > Access Control List.
7. Create an HTTP ACL to redirect requests for www.yahoo.com to www.hotmail.com.
   netcache>redirect http://www.hotmail.com url http://www.yahoo.com
8. From a browser client, go to http://www.hotmail.com and go to http://www.yahoo.com
   What happened?
9. Go back to the NetCache Manager and change the redirect to rewrite and repeat.
10. From a browser client, go to http://www.hotmail.com and go to http://www.yahoo.com
11. What is the difference between the redirect and rewrite rules?


ACL Precedence Exercise

Configure the NetCache access control using the options on the Access Control page in
the NetCache Manager utility.
1. Use a different browser and configure it to proxy through this NetCache and
   verify that you cannot access the URL.
2. From the NetCache Manager select Setup > Access Controls > Access Control Lists.
3. Select ACL Enable.
4. Scroll to Global ACL and enter:
   deny url matches http://www.hotmail.com
5. Commit changes.
6. Test your ACL and access www.hotmail.com
   What happened?
7. Scroll to the HTTP ACL section and enter the following:
   allow url matches http://www.hotmail.com
8. Commit changes.
9. Return to the browser and attempt to access www.hotmail.com
   What happened? Why?
10. Try some combinations of your own and observe the effect of ACL precedence.
11. To prevent conflicts with later labs, restore the saved configuration for your
    NetCache.
