[c-nsp] Firewall Dilemma

Jim McBurnett jim at tgasolutions.com
Tue Oct 18 14:47:51 EDT 2005


Paul,
This can be done through the port misuse and http-map commands
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008045277f.html#wp1544054

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008045277d.html#wp1567977

Let me know if this helps.

Jim
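
One way to wire those two commands together on PIX 7.x, as an added configuration example that is not from this thread or from Cisco's documentation: the map, class and policy names and the `inside` interface name are assumed. It also speaks to the strict-http problem in the quoted message below, by leaving strict checking at allow while dropping IM, P2P and tunneling traffic that the HTTP inspector detects on TCP/80:

```text
! Added example, not from the thread or Cisco's documentation.
! PIX/ASA 7.x: drop IM, P2P and tunneling traffic riding on TCP/80
! without enforcing strict HTTP, so non-compliant sites still load.
! Map, class, policy names and the "inside" interface are assumed.

http-map BLOCK-IM-OVER-HTTP
  port-misuse im action drop log
  port-misuse p2p action drop log
  port-misuse tunneling action drop log
  port-misuse default action allow
  ! set explicitly: whether strict checking defaults to drop depends
  ! on the release, and a drop here is what broke the ticketing system
  strict-http action allow log

class-map HTTP-TRAFFIC
  match port tcp eq www

policy-map INSIDE-POLICY
  class HTTP-TRAFFIC
    inspect http BLOCK-IM-OVER-HTTP

service-policy INSIDE-POLICY interface inside
```

Two practical notes. The port-misuse classification is heuristic, so a first deployment with `port-misuse im action allow log` and a look at the resulting syslog messages shows what would be dropped before any user-visible impact. And the policy only inspects port 80: a client that falls back to TCP/443 is not seen by this map, so the remaining ports the IM client tries should still be closed by the interface ACL, as Paul already does in the quoted message.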

 

-----Original Message-----
From: Paul Stewart [mailto:pstewart at nexicomgroup.net] 
Sent: Tuesday, October 18, 2005 1:56 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Firewall Dilemma

Hi there...

I have been asked in the past couple of months to evaluate firewalls
for both our internal network needs and also for client needs.  Since we
are a Cisco powered shop, it made sense to use a Cisco PIX 515E.

The PIX has been in place for about 1 1/2 years and works great for our
initial needs (remote access VPN for a few users, firewalling etc.).

Now, we're looking at adopting new policies for our own internal network
to do application firewalling to stop such things as MSN Messenger.
Upgraded our PIX to latest 7.x code and was unable to block MSN
successfully (aside from denying remote IP addresses galore).   Because
MSN will default to tunnelling via http, blocking ports is not a valid
option.  Tried application inspection in PIX 7.x and no luck.... 

Fired up a spare 3640 and tried to do the same thing in IOS using CBAC
and the new application inspection it supports.  No luck here either.
The only way in IOS I could find was to block all ports that MSN would
use and force it to http... At which point I could turn on strict-http
checking within the application firewall portion of CBAC.  But then, we
couldn't reach a number of sites because they are not 100% http
compliant for whatever reason (one of them is our web based ticketing
system)...

Have opened a few tickets at Cisco TAC on the PIX and IOS related issues
of blocking MSN messenger only to find the best solution (according to
TAC) is to run Websense or even Squid via WCCP.  The built-in support
for IM applications is only for Yahoo Messenger at this point, which is
quite disappointing.

Applications such as Gnutella/Napster etc. are easily blocked by NBAR
in IOS so peer to peer doesn't appear to be a problem on either the PIX
or IOS/FW.... Which was another item we wished to look at....

I asked this list a month or so ago about recommendations on firewalls
and a number of kind people replied with the PIX as a suggestion, but it
appears that it will not do what our specific requirements are.  Even
went so far as to open a ticket at Cisco regarding the ASA series of new
firewalls (figuring that the AIP-10 or AIP-20 would block applications
by design) but was told because it's PIX based it wouldn't work if the
PIX didn't....

Can anyone shed some light on this?  I'm frustrated over something that
in my opinion should be relatively easy to do.  I've talked to Juniper
and Watchguard and they both claim to have a "click *here* in the GUI
and it's blocked" solution.... Which after all this time is kind of an
appealing option and one that I may pursue but hoping that I've missed
the obvious with my Cisco endeavours....

Thanks in advance,

Paul Stewart
IP Routing/Switching
Nexicom Inc.
http://www.nexicom.net


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



