[c-nsp] Firewall Dilemma

Brant I. Stevens branto at branto.com
Tue Oct 18 23:53:17 EDT 2005


There are also the Cisco Content Engines that have Websense for URL
filtering and proxy functionality.


On 10/18/05 2:47 PM, "Jim McBurnett" <jim at tgasolutions.com> wrote:

> Paul,
> This can be done through the port misuse and http-map commands:
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008045277f.html#wp1544054
> 
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008045277d.html#wp1567977
> 
> Let me know if this helps.
> 
> Jim
> 
>  
> 
> -----Original Message-----
> From: Paul Stewart [mailto:pstewart at nexicomgroup.net]
> Sent: Tuesday, October 18, 2005 1:56 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Firewall Dilemma
> 
> Hi there...
> 
> I have been asked in the past couple of months to evaluate firewalls
> for both our internal network needs and also for client needs.  Since we
> are a Cisco powered shop, it made sense to use a Cisco PIX 515E.
> 
> The PIX has been in place for about 1 1/2 years and works great for our
> initial needs (remote access VPN for a few users, firewalling etc.).
> 
> Now, we're looking at adopting new policies for our own internal network
> to do application firewalling to stop such things as MSN Messenger.
> Upgraded our PIX to latest 7.x code and was unable to block MSN
> successfully (aside from denying remote IP addresses galore).   Because
> MSN will default to tunnelling via http, blocking ports is not a valid
> option.  Tried application inspection in PIX 7.x and no luck....
> 
> Fired up a spare 3640 and tried to do the same thing in IOS using CBAC
> and the new application inspection it supports.  No luck here either.
> The only way in IOS I could find was to block all ports that MSN would
> use and force it to http... At which point I could turn on strict-http
> checking within the application firewall portion of CBAC.  But then, we
> couldn't reach a number of sites because they are not 100% http
> compliant for whatever reason (one of them is our web based ticketing
> system)...
> 
> Have opened a few tickets at Cisco TAC on the PIX and IOS related issues
> of blocking MSN messenger only to find the best solution (according to
> TAC) is to run Websense or even Squid via WCCP.  The built-in support
> for IM applications is only for Yahoo Messenger at this point which is
> quite disappointing.
> 
> Applications such as Gnutella/Napster etc. are easily blocked by NBAR
> in IOS so peer to peer doesn't appear to be a problem on either the PIX
> or IOS/FW.... Which was another item we wished to look at....
> 
> I asked this list a month or so ago about recommendations on firewalls
> and a number of kind people replied with the PIX as a suggestion, but it
> appears that it will not do what our specific requirements are.  Even
> went so far as to open a ticket at Cisco regarding the ASA series of new
> firewalls (figuring that the AIP-10 or AIP-20 would block applications
> by design) but was told because it's PIX based it wouldn't work if the
> PIX didn't....
> 
> Can anyone shed some light on this?  I'm frustrated over something that
> in my opinion should be relatively easy to do.  I've talked to Juniper
> and Watchguard and they both claim to have a "click *here* in the GUI
> and it's blocked" solution.... Which after all this time is kind of an
> appealing option and one that I may pursue but hoping that I've missed
> the obvious with my Cisco endeavours....
> 
> Thanks in advance,
> 
> Paul Stewart
> IP Routing/Switching
> Nexicom Inc.
> http://www.nexicom.net
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
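As an added illustration, not written by anyone on this thread, here is the PIX 7.0 configuration shape that Jim's two command-reference links point at: an http-map carrying port-misuse rules, attached to HTTP inspection in the default global policy. The map name im_block is an assumption; policy-map global_policy, class inspection_default and the global service-policy are the PIX 7.x defaults and already exist on a fresh box. strict-http is set to allow-and-log rather than drop, since strict checking is the knob that broke Paul's non-compliant sites. The thread does not confirm that this stops MSN's HTTP fallback; Paul reports that application inspection on 7.x did not.

```cisco
! Constructed example for PIX 7.0 (map name im_block is an assumption)
http-map im_block
  port-misuse im action drop log
  port-misuse p2p action drop log
  port-misuse tunneling action drop log
  strict-http action allow log
!
! Attach the map to HTTP inspection in the default global policy
policy-map global_policy
  class inspection_default
    inspect http im_block
!
service-policy global_policy global
```

Watch the log for the port-misuse drops before trusting it; if a legitimate application trips the tunneling check, relax that single rule to allow log rather than removing the map.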