This section provides an example of configuring data filtering on the enterprise gateway to prevent leaks of confidential information and the transmission of illegal information.
As shown in Figure 1, an enterprise deploys the FW as the security gateway at the network border. Employees in both the R&D and finance departments reside in the trust zone. Intranet servers are deployed in the DMZ. Internet users reside in the untrust zone.
The enterprise requires that employees can access the network normally, that confidential information cannot leak out of the enterprise, and that illegal information cannot be transmitted within it.
The users in this example have already been added to the FW, and user authentication has already been configured.
| Item | Data | Description |
|---|---|---|
| Security policy for R&D personnel | Name: policy_sec_research | Allows R&D personnel to access the Internet. Data filtering profile profile_data_research is referenced to filter the files R&D personnel upload to the Internet, the mails they send to the Internet, the messages they post on forums and microblogs, the web pages they request, and the content they search for. |
| Security policy for finance personnel | Name: policy_sec_finance | Allows finance personnel to access the Internet. Data filtering profile profile_data_finance is referenced to filter the files finance personnel upload to the Internet, the mails they send to the Internet, the messages they post on forums and microblogs, the web pages they browse, and the content they search for. |
| Security policy for Internet users | Name: policy_sec_internet | Allows Internet users to access intranet servers. Data filtering profile profile_data_internet is referenced to filter files downloaded from and uploaded to the intranet servers. |
| Data filtering profile for R&D personnel | Name: profile_data_research | Data filtering profile profile_data_research must be referenced in security policy policy_sec_research. |
| | Rule rule1 blocks content containing keyword group keyword1 from being uploaded and searched. | - |
| | Rule rule2 blocks web pages containing keyword group keyword3. | - |
| Data filtering profile for finance personnel | Name: profile_data_finance | Data filtering profile profile_data_finance must be referenced in security policy policy_sec_finance. |
| | Rule rule1 blocks content containing keyword group keyword2 from being uploaded and searched. | - |
| | Rule rule2 blocks web pages containing keyword group keyword3. | - |
| Data filtering profile for Internet users | Name: profile_data_internet | Data filtering profile profile_data_internet must be referenced in security policy policy_sec_internet. |
| | Rule rule1 blocks content containing keyword group keyword2 from being downloaded. | - |
| | Rule rule2 blocks content containing keyword group keyword3 from being uploaded. | - |
| keyword1 | Predefined keyword: confidentiality (weight 1) | - |
| | User-defined keywords: "Enterprise confidentiality" and "Illegal information" (weight 1) | Define the keywords according to the actual conditions of your enterprise; this example uses "Enterprise confidentiality". "Illegal information" stands for the illegal-content keywords your enterprise defines, which may cover pornographic, violent, and politically sensitive content; this example uses the keyword "Illegal information". |
| keyword2 | Predefined keywords (weight 1): bank card number, credit card number, social security number, ID card number, and confidentiality | - |
| | User-defined keywords: "Enterprise confidentiality" and "Illegal information" (weight 1) | Same as for keyword1. |
| keyword3 | User-defined keyword: "Illegal information" | - |
Configuration script:

```
#
sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
keyword-group name keyword1
 pre-defined-keyword name confidentiality weight 1
 user-defined-keyword name "Enterprise confidentiality" expression match-mode text "Enterprise confidentiality" weight 1
 user-defined-keyword name "Illegal information" expression match-mode text "Illegal information" weight 1
keyword-group name keyword2
 pre-defined-keyword name bank-card-number weight 1
 pre-defined-keyword name credit-card-number weight 1
 pre-defined-keyword name social-security-number weight 1
 pre-defined-keyword name id-card-number weight 1
 pre-defined-keyword name confidentiality weight 1
 user-defined-keyword name "Enterprise confidentiality" expression match-mode text "Enterprise confidentiality" weight 1
 user-defined-keyword name "Illegal information" expression match-mode text "Illegal information" weight 1
keyword-group name keyword3
 user-defined-keyword name "Illegal information" expression match-mode text "Illegal information" weight 1
profile type data-filter name profile_data_research
 rule name rule1
  keyword-group name keyword1
  file-type all
  application all
  direction upload
  action block
 rule name rule2
  keyword-group name keyword3
  file-type name TEXT/HTML
  application type HTTP
  direction download
  action block
profile type data-filter name profile_data_finance
 rule name rule1
  keyword-group name keyword2
  file-type all
  application all
  direction upload
  action block
 rule name rule2
  keyword-group name keyword3
  file-type name TEXT/HTML
  application type HTTP
  direction download
  action block
profile type data-filter name profile_data_internet
 rule name rule1
  keyword-group name keyword2
  file-type all
  application all
  direction download
  action block
 rule name rule2
  keyword-group name keyword3
  file-type all
  application all
  direction upload
  action block
#
security-policy
 rule name policy_sec_research
  description Allow R&D personnel to access the Internet.
  source-zone trust
  destination-zone untrust
  user user-group /default/research
  profile data-filter profile_data_research
  action permit
 rule name policy_sec_finance
  description Allow finance personnel to access the Internet.
  source-zone trust
  destination-zone untrust
  user user-group /default/finance
  profile data-filter profile_data_finance
  action permit
 rule name policy_sec_internet
  description Allow Internet users to access intranet servers.
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 24
  profile data-filter profile_data_internet
  action permit
```
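The following Python model is an added illustration, not Huawei code or part of the configuration above; it reproduces how the security policies, data filtering profiles and keyword groups of this example combine on a single transfer, including the case where a rule does not fire because the transfer's file type or application is outside the rule's scope. It assumes a keyword-group threshold of 1, an implicit default deny when no policy matches, and a constructed pattern in place of the FW's pre-defined credit-card-number keyword.

```python
import re

WEIGHT, THRESHOLD = 1, 1  # page sets every weight to 1; threshold 1 is an assumption

# Keyword groups as configured on the page. The card-number pattern is a
# constructed stand-in for the FW's pre-defined keyword, not its real signature.
CARD = r"\b(?:\d{4}[ -]?){3}\d{4}\b"
KEYWORD_GROUPS = {
    "keyword1": ["confidentiality", "Enterprise confidentiality", "Illegal information"],
    "keyword2": [CARD, "confidentiality", "Enterprise confidentiality", "Illegal information"],
    "keyword3": ["Illegal information"],
}
# Data-filter profiles: (rule, keyword group, file type, application, direction)
PROFILES = {
    "profile_data_research": [("rule1", "keyword1", "all", "all", "upload"),
                              ("rule2", "keyword3", "TEXT/HTML", "HTTP", "download")],
    "profile_data_finance":  [("rule1", "keyword2", "all", "all", "upload"),
                              ("rule2", "keyword3", "TEXT/HTML", "HTTP", "download")],
    "profile_data_internet": [("rule1", "keyword2", "all", "all", "download"),
                              ("rule2", "keyword3", "all", "all", "upload")],
}
# Security policies: (name, source zone, destination zone, user group or None, profile)
POLICIES = [
    ("policy_sec_research", "trust", "untrust", "/default/research", "profile_data_research"),
    ("policy_sec_finance", "trust", "untrust", "/default/finance", "profile_data_finance"),
    ("policy_sec_internet", "untrust", "dmz", None, "profile_data_internet"),
]

def group_weight(group, content):
    """Sum the weights of the keywords in `group` that occur in `content`."""
    return sum(WEIGHT for pat in KEYWORD_GROUPS[group] if re.search(pat, content))

def evaluate(src_zone, dst_zone, user_group, direction, app, file_type, content):
    """Apply the first matching security policy and its data-filter profile.
    Returns ('block', policy, rule), ('permit', policy, None) or, when no
    policy matches, ('deny', None, None) (assumed implicit default deny)."""
    for name, sz, dz, ug, profile in POLICIES:
        if (sz, dz) != (src_zone, dst_zone) or (ug and ug != user_group):
            continue
        for rule, group, ft, rule_app, rule_dir in PROFILES[profile]:
            # a rule only applies to its own direction, file type and application
            if rule_dir != direction or ft not in ("all", file_type) \
                    or rule_app not in ("all", app):
                continue
            if group_weight(group, content) >= THRESHOLD:
                return ("block", name, rule)
        return ("permit", name, None)
    return ("deny", None, None)
```

Note that an R&D download of "Illegal information" inside a PDF over FTP is permitted, because rule2 of profile_data_research is scoped to TEXT/HTML over HTTP; widening file-type and application, as profile_data_internet does, is what makes the rule catch it.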