Cisco Cisco ScanSafe Wi-Fi Hotspot Security White Paper
Cisco CWS
– Standalone Deployment Guide
7
Test
Deploy
Prepare
Function FindProxyForURL
(
url, host
) {
Var hostIP=DNSResolve
(
host
);
// If the requested website is hosted within the internal network
If
(isPlainHostName
(
host
)
||
//
shEXPMatch(host, “*.local”) ||
isInNet
(
hostIP, “10.0.0.0”, “255.0.0.0”
) ||
isInNet
(
hostIP, “10.0.0.0”, “255.0.0.0”
) ||
isInNet
(
hostIP, “10.0.0.0”, “255.0.0.0”
) ||
isInNet
(
hostIP, “10.0.0.0”, “255.0.0.0”
))
return
“DIRECT”;
// If the hostname matches, send direct.
If (
DNSDomainIs(host, “vpn.dmain.com”
) ||
DNSDomainIs(host, “extranet.domain.com
”) ||
DNSDomainIs(host, “abcdomain.com
))
return
“DIRECT”;
// If the URL or protocol matches, send direct,
If (
shExpMatch(url, “*.domainabc.com
*”) ||
shExpMatch(url, “*.domainXYZ.com:*/*”
)
||
url.substring
(
0, 4
)
==”ftp:”
)
return
“DIRECT”;
// If the IP address of the local machine is withing a defined
// subnet, send to a specific proxy.
// if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
// subnet, send to a specific proxy.
// if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
return
“PROXY 1.2.3.4:8080”;
// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
return
“PROXY 1.2.3.4:8080; PROXY 5.6.7.8:8080”;
Just below that, there is another variable, hostIP. This one is defined in the PAC file and not by the
browser. The function dnsResolve
(
host
)
is taking the host variable and attempting to resolve it using
DNS. The result of the DNS lookup is recorded in the variable hostIP. Notice the variable is used
several times by functions in the script.
several times by functions in the script.
Next, is the first
If
statement. Notice the open parenthesis and accompanying closed parenthesis. All the
code contained within is to be evaluated for this
If
statement. Should the code produce a True result, then
the line immediately following the
If
statement will execute, returning a direct command to the tower. A
direct command will tell the browser to perform the web request directly from the client rather than a
tower.
tower.
The first function in the
If
statement, isPlainHostName(host), is evaluating if the host variable
contains only a host name with no DNS information. If it does contain a host name with no DNS
information, then it will return True. The function is followed by a set of double pipes (||). This means that
it will additionally evaluate the next function regardless of the result. When functions are chained together
with OR statements, only one of them needs to return True for the entire
information, then it will return True. The function is followed by a set of double pipes (||). This means that
it will additionally evaluate the next function regardless of the result. When functions are chained together
with OR statements, only one of them needs to return True for the entire
If
statement to be true.
Therefore, all functions in the
If
statement need to return false for the
If
statement to be false.
The first
shEXPMatch(host, “*.local”)
evaluates the host variable against a wild card *.local.
Notice that it has been commented out. The only reason you should activate and configure this line of
code is if you use non RFC 1918 IP addresses inside your LAN and have configured a connection
code is if you use non RFC 1918 IP addresses inside your LAN and have configured a connection