[c-nsp] PIX Question

Matt Hill Matt.Hill at aapt.com.au
Sun Mar 6 20:07:13 EST 2005


Hi Paul,

That really doesn't look too difficult actually...

That could easily be done with a router doing CBAC and using the
port-map command to identify the extra ports (10000, 8443) as extra http
ports.

You could also try playing with the fixup protocol <protocol> <port
number> command on the pix for the extra http ports.  Don't forget no
fixup protocol <protocol> for all the traffic you don't want to be
inspected/fixed.

Use an outbound ACL to permit what you like and deny all the rest.

Just make sure I never work at this site (if I move to the States)
because I would hate a network policy like that ;)

Cheers,
Matt

-- 
Matt Hill
DPS - Internet Engineering
Alcatel Australia Pty Ltd
180-188 Burnley St
Richmond, Vic, AU 3121
e: matt.hill at aapt.com.au
v: +61 3 8687 5739
f: +61 3 8414 3115
m: ask and you may receive
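Worked configuration for the approach Matt sketches above, added here as an illustration; it is not from the thread and not a Cisco-published example. It takes Paul's allowed list (telnet/ssh, http on 80/10000/8443, smtp, pop3, https) and writes it out first for a PIX running 6.x (fixup protocol plus an outbound ACL) and then as the IOS CBAC equivalent with ip port-map. Everything concrete is an assumption of mine: the inside network 192.168.1.0/24, the interface names, the ACL names and numbers, and a DNS server at 192.0.2.53 (Paul's list does not mention DNS, but without a DNS entry a deny-all policy stops name resolution and nothing else works). Lines beginning with "!" are annotations for the reader, not configuration.

```cisco
! ---------- PIX 6.x ----------
! Treat the non-standard ports as HTTP so the http fixup (and url-server
! filtering through Websense/N2H2, if configured) covers them as well as 80.
fixup protocol http 80
fixup protocol http 10000
fixup protocol http 8443
fixup protocol smtp 25
! Switch off inspection for protocols the policy does not let through anyway.
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
no fixup protocol ils 389
!
! Outbound ACL: list exactly what is allowed, then deny and log the rest.
! (PIX ACLs take a subnet mask, not an IOS wildcard mask.)
access-list inside_out permit udp 192.168.1.0 255.255.255.0 host 192.0.2.53 eq domain
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 22
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 10000
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 8443
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out deny ip any any log
access-group inside_out in interface inside

! ---------- IOS CBAC equivalent (router in front of, or instead of, the PIX) ----------
! Tell CBAC that 10000 and 8443 carry HTTP so the http inspection engine handles them.
ip port-map http port 10000
ip port-map http port 8443
ip inspect name OUTBOUND http
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Same allowed list, IOS wildcard-mask form, applied inbound on the inside interface.
access-list 110 permit udp 192.168.1.0 0.0.0.255 host 192.0.2.53 eq domain
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 10000
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 8443
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq pop3
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 110 deny ip any any log
! Return traffic gets in through the dynamic entries CBAC opens, so the
! outside interface can deny everything that is not part of an inspected session.
access-list 120 deny ip any any log
!
interface FastEthernet0/1
 description inside
 ip access-group 110 in
 ip inspect OUTBOUND in
!
interface FastEthernet0/0
 description outside
 ip access-group 120 in
```

Two caveats worth keeping in mind when deploying something like this. First, it is a port-based policy: an IM or P2P client that falls back to TCP/80 or TCP/443 will pass the ACL, so the ACL narrows the attack surface but does not on its own deliver the "block ALL peer to peer, messaging" requirement; that still needs URL/category filtering or application inspection on the permitted ports. Second, 8443 normally carries TLS, so the HTTP fixup sees only ciphertext on that port; the ACL entry is what actually admits the traffic there. The deny-with-log entries are deliberate: the log output is how you find out which legitimate application the policy broke before the users do.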


-----Original Message-----
From: Paul Stewart [mailto:pauls at nexicom.net] 
Sent: Monday, 7 March 2005 11:53 AM
To: Matt Hill
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX Question

Thanks Matt for the detailed response...

The Websense I have played with at a client site before... worked pretty
good I must admit...

My main goal with this other project is to basically deny all, permit
little..:)

Does Cisco make (or third party if we had to) a box of some type that
perhaps sits "on the wire" right before our traffic hits the PIX and
will block everything except what we wish to travel through?

Basically, I think we *only* want to permit the following:

telnet/ssh
http (80, 10000, 8443)
smtp
pop3
https

The client wants to definitely block ALL peer to peer, messaging,
streaming audio etc...

I think that's about it... *any* ideas on this would be great.. my only
reason for leaning towards Cisco is because all our switches, routers
and firewalls are Cisco currently....

Thanks in advance,

Paul

Matt Hill wrote:
| Hi Paul,
|
| You can use a Websense or N2H2 server inline with your PIX to filter
| traffic to certain websites based on category.  I have only had
| experience with a Websense box though...
|
| Bear in mind the Websense won't filter ALL traffic to sites, just
| http(s).  The Websense will prevent users from downloading clients, as
| the http to those sites will be blocked.
|
| As for the IM traffic itself, try experimenting with this:
|
| AOL IM
| login.oscar.aol.com
| Default Port: 5190
| 64.12.161.153
| 64.12.161.185
| 64.12.200.89
| 205.188.179.233
|
| ICQ
| login.icq.com
| Default Port: 5190
| 64.12.162.153
| 64.12.162.185
| 64.12.200.89
| 205.188.179.233
|
| MSN Messenger
| 207.46.104.20 gateway.messenger.hotmail.com
| 64.4.13.171 http1.msgr.hotmail.com
| .. .. .. ..
| .. .. .. ..
| 64.4.13.190 http20.msgr.hotmail.com
| .. .. .. ..
|
| Yahoo
| cs.yahoo.com
| Default Port: 5050
| 216.136.175.145
| 216.136.224.213
| 216.136.224.214
| 216.136.225.11
| 216.136.225.12
| 216.136.225.35
| 216.136.225.36
| 216.136.225.83
| 216.136.225.84
| 216.136.226.117
| 216.136.226.118
| 216.136.131.93
| 216.136.175.142
| 216.136.175.143
| 216.136.175.144
| 216.136.233.128 (latest)
|
| Bear in mind that these guys change their IPs/Servers etc reasonably
| often, so you may need to see how things go.  ICQ and AIM use the same
| protocols, and some clients can even co-habit contacts.
|
| Good luck!
|
| Cheers,
| Matt
|
|
|