NCOS: CP Secure Web Filter - Enabling & Configuring Functionality
Products Supported: IBR9x0. and all AER series routers, Click here to identify your router.
NCOS Version: 6.4.2 - for information on upgrading NCOS Versions, click here.
This document will explain enabling and configuring Cradlepoint Secure Web Filter, as well as the service's behavior when uncategorized or unknown websites are encountered, and default behavior upon Web filter engine failure.
Cradlepoint Secure Web Filter differs from other cloud-based security in that configuration is integrated into the router GUI (instead of on a separate website).
Enabling the Cradlepoint Secure Web Filter feature requires NCM Enterprise. To learn more about NCM Enterprise, including setting up a demo, please visit Network Management & Applications.
- IMPORTANT: Cradlepoint Secure Web Filtering requires a feature license or NCM-Enterprise to use. Please contact your sales representative for pricing information.
- Log into your CradlePoint router by opening a Web browser and navigating to http://x.x.x.x. (default LAN is http://192.168.0.1)
- Navigate to NETWORKING > DNS Servers. Under "DNS Settings", check the box labeled "Force All DNS Requests to Router". This is how the Cradlepoint runs client DNS traffic through the filter.
- Then, navigate to SECURITY > Cloud-based security> Cloud Provider>CP Secure Web FIlter
- Once Cradlepoint Secure Web Filter is selected, additional features will be shown for configuration.
- Note: The CP Secure Web Filter menu option will be visible, but the service will not function until after the license has been installed.
Understanding the settings
This setting allows a network administrator to define the Default Action of all Web Filter Policies.
- Block Traffic: Blocks all Internet traffic in the event of a Web filter engine failure and blocks any site that isn’t explicitly allowed. A Default Action set to “Block Traffic” can be thought of as a whitelist where only allowed or whitelisted Internet sites are allowed.
- Allow Traffic: Allows all Internet traffic to flow unfiltered if a failure of the Web filter engine occurs. A Default Action set to “Allow Traffic” can be thought of as a blacklist where all Internet sites are allowed except for Categories explicitly defined as Blocked.
There are 5 pre-defined Profiles:
- CIPA Compliant: Intended for use in K-12 schools and is compliant the with Children's Internet Protection Act.
- Offensive: Intended for use in a Guest Wi-Fi applications and blocks offensive and obscene Internet sites.
- Personal Use: This profile consists of Websites that are non-workplace related.
- Security Risks: This profile consists of site known to pose security risks.
- Heavy Bandwidth: This profile consists of sites that are known to consume excessive data / bandwidth.
The CP Secure Web Filter Internet crawlers retrieve the web content from the remote web server and then pass through 83 individual classifier engines, one for each of our defined categories. Each classifier returns a confidence score reflecting whether or not the content in the web page is indicative of that category. We discard any results with a confidence score of less than 70. For those greater than 70, up to five categories with the highest confidence scores are published. Only if all 83 classifiers return scores less than 80 the URL be considered “Unclassified”, which means it did not sufficiently match any of the defined categories. Such URLs will still have a computed reputation score though which is based on many more factors other than content. There are the 7 possible reasons for an Uncategorized URL:1. Invalid URL – malformed.2. Invalid URL – does not contain a valid global Top Level Domain (ex: .com, .net, .gov, .info, .cc (2 char country code), etc.)3. Invalid URL – Syntactically correct, but domain is not registered in DNS, therefore it cannot be translated to a valid Internet address and subsequently crawled and classified.4. Valid URL – Syntactically correct, valid domain and DNS record, but there is no HTTP server found responding to the URL. Will eventually be categorized as a Dead Site.5. Valid URL – URLs that use IP addresses instead of domain names, therefore no domain/DNS required, but there is no HTTP server found responding to the URL. (Note. May include path as well as IP address).6. Valid URL – Crawled, but content does not match any of our 82+ categories7. Valid URL – Not yet seen by the Web crawlers. Lookup will automatically queue the URL to be crawled as soon as possible.Web Filter Policies
- This setting allows a network administrator to define how the Web Filter handles Uncategorized Traffic on all Web Filter Policies.
- If set to Block, any Unknown Internet site or any Internet site that is unable to be Categorized will be blocked on the defined network.
- If set to Allow, all Unknown and Uncategorized Internet sites will be allowed on the defined network.
- This setting allows a network administrator to define the Threat Tolerance of all Web Filter Policies.
- Threat Tolerance is based on an Internet site’s reputation with the following scale:
- 0 = Highest Threat Score
- 100 = Lowest Threat Score
- The default setting for Threat Tolerance is 80. In this scenario, only Internet sites that have a reputation higher that 80 will be allowed and any site with a lower reputation will be blocked.
- This setting will allow a network administrator to manually input or upload a CSV defining a list of hosts to be leveraged by the Web Filter engine.
- Do not include anything but the host as seen in a generic URL. User, password, port, path, and/or query are not supported.
- The CSV file should contain hosts in the following format:
host1,host2,host3, ..., hostn
Any other format will not be recognized.
Published Date: 10/24/2017
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at firstname.lastname@example.org.