What is URL Filtering

What is URL filtering and how it works?

URL filtering is a cybersecurity measure used to control and monitor the websites that users can access through a network. It involves blocking or allowing access to specific URLs (Uniform Resource Locators), domain names, or web content based on predefined policies or criteria. URL filtering is commonly implemented in corporate networks, educational institutions, and public Wi-Fi hotspots to enforce acceptable use policies, prevent access to malicious or inappropriate websites, and enhance network security.

Here's how URL filtering typically works:

1. **URL Database**: URL filtering systems maintain a database of categorized URLs and domain names. These databases are often continuously updated to keep up with changes on the web and to include new URLs or classify existing ones accurately.

2. **Policy Configuration**: Administrators configure URL filtering policies based on organizational requirements, regulatory compliance, and security objectives. These policies define the criteria for blocking or allowing access to specific categories of websites or individual URLs.

3. **User Requests**: When a user attempts to access a website or a specific URL, their web browser sends an HTTP request to the network's proxy server or firewall.

4. **URL Filtering Check**: The proxy server or firewall intercepts the user's HTTP request and performs a URL filtering check. It compares the requested URL or domain name against the predefined filtering policies.

5. **Policy Enforcement**: Based on the URL filtering policies, the proxy server or firewall decides whether to allow or block access to the requested website or URL. If the URL is allowed according to the policies, the request is forwarded to the destination server, and the user can access the website. If the URL is blocked, the proxy server or firewall returns a block page or an error message to the user, indicating that access to the website is prohibited.

6. **Logging and Reporting**: URL filtering systems often include logging and reporting capabilities to track users' web browsing activities, identify policy violations, and generate reports for compliance purposes or security analysis. Administrators can review logs and reports to monitor network usage trends, assess the effectiveness of URL filtering policies, and investigate security incidents.

Overall, URL filtering helps organizations control internet access, mitigate security risks, and maintain productivity by preventing users from accessing malicious, inappropriate, or non-business-related websites.

URL filtering is a feature which is implemented on networking components like routers, firewalls, Web filtering devices. This feature allows the user to specify a URL on the component. Once the URL is configured, the users which are behind these devices would not be able to access the specified URL. The following outlines the internal design of the functionality of URL filtering and the actual communication with wireshark.

PC —————> Router (URL feature)

In the above schema, a PC is behind a router which has the URL feature. In the URL list, the website www.networkinterfaze.com is provided. The following are the sequence of events which would happen when the user types the URL www.networkinterfaze.com in the browser.

1. The PC would initiate a TCP 3-way handshake to the IP address of Network Interface. The IP address of the website www.networkinterfaze.com is resolved using DNS.

2. After a successful 3 way handshake, HTTP protocol would initiate the GET method to retrieve the required files for displaying the website from the PC to the server. (Packets 82, 86 and 87 shows the TCP 3-way handshake)

3. The hostname is a field Inside the GET method, the hostname is  - www.networkinterfaze.com in this case. The router would check this information inside the HTTP header and when it observes the URL, the packet would be dropped. (Packet 88 – Check the details in the wireshark details view the hostname )

4. The TCP/IP stack of the PC which has not yet received a response and also unaware of the presence of a URL filtering device,  would resend the HTTP GET message repeatedly until TCP times out. Every time, the HTTP GET message would be dropped by the router

(Packets 91-93)

URL filtering works at the application layer. This is because it works only after the TCP 3 way handshake is completed and HTTP starts sending data ( HTTP GET)