[c-nsp] Firewall Dilemma

RawCode gonnason at gmail.com
Thu Oct 20 05:04:54 EDT 2005


On 10/18/05, Paul Stewart <pstewart at nexicomgroup.net> wrote:
>
> Hi there...
>
> I have been asked in the past couple of months to evaluate firewalls
> for both our internal network needs and also for client needs. Since we
> are a Cisco powered shop, it made sense to use a Cisco PIX 515E.
>
> The PIX has been in place for about 1 1/2 years and works great for our
> initial needs (remote access VPN for a few users, firewalling etc.).
>
> Now, we're looking at adopting new policies for our own internal network
> to do application firewalling to stop such things as MSN Messenger.
> Upgraded our PIX to latest 7.x code and was unable to block MSN
> successfully (aside from denying remote IP addresses galore). Because
> MSN will default to tunnelling via http, blocking ports is not a valid
> option. Tried application inspection in PIX 7.x and no luck....
>
> Fired up a spare 3640 and tried to do the same thing in IOS using CBAC
> and the new application inspection it supports. No luck here either.
> The only way in IOS I could find was to block all ports that MSN would
> use and force it to http... At which point I could turn on strict-http
> checking within the application firewall portion of CBAC. But then, we
> couldn't reach a number of sites because they are not 100% http
> compliant for whatever reason (one of them is our web based ticketing
> system)...
>
> Have opened a few tickets at Cisco TAC on the PIX and IOS related issues
> of blocking MSN messenger only to find the best solution (according to
> TAC) is to run Websense or even Squid via WCCP. The built-in support
> for IM applications is only for Yahoo Messenger at this point which is
> quite disappointing.
>
> Applications such as Gnutella/Napster etc. are easily blocked by NBAR
> in IOS so peer to peer doesn't appear to be a problem on either the PIX
> or IOS/FW.... Which was another item we wished to look at....
>
> I asked this list a month or so ago about recommendations on firewalls
> and a number of kind people replied with the PIX as a suggestion, but it
> appears that it will not do what our specific requirements are. Even
> went so far as to open a ticket at Cisco regarding the ASA series of new
> firewalls (figuring that the AIP-10 or AIP-20 would block applications
> by design) but was told because it's PIX based it wouldn't work if the
> PIX didn't....
>
> Can anyone shed some light on this? I'm frustrated over something that
> in my opinion should be relatively easy to do. I've talked to Juniper
> and Watchguard and they both claim to have a "click *here* in the GUI
> and it's blocked" solution.... Which after all this time is kind of an
> appealing option and one that I may pursue but hoping that I've missed
> the obvious with my Cisco endeavours....
>
> Thanks in advance,
>
> Paul Stewart
> IP Routing/Switching
> Nexicom Inc.
> http://www.nexicom.net
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

Could you just use a router that supports NBAR and create a custom filter for
it? I personally have not done this, but if you can find a common
denominator in the messenger traffic, nbar should be able to classify it.
Here is a link for it:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7edf.html#wp1146161


Michael Gonnason
Alaska Communication Systems
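An added IOS configuration example, not from either poster and not part of the original thread, showing the NBAR-based approach the reply suggests: classify the messenger traffic with NBAR and drop it with a MQC policy on the inside interface. It assumes a 12.3T/12.4 image whose NBAR has the `msn-messenger` protocol, and it uses placeholder values for the HTTP host and URL patterns that identify the client's HTTP tunnel (the "common denominator" from the reply): replace those with the Host header and request path actually observed in a capture of the client on your own network. Interface name and class/policy names are also assumptions.

```ios
! NBAR needs CEF switching enabled
ip cef
!
! Match the messenger's native protocol (built-in NBAR PDLM) and, because
! the client falls back to tunnelling over HTTP, the HTTP requests that
! carry its tunnel. PLACEHOLDER patterns: take the real values from a
! packet capture of the client on your LAN.
class-map match-any BLOCK-IM
 match protocol msn-messenger
 match protocol http host "*messenger-gateway.example.invalid*"
 match protocol http url "*/gateway/*"
!
! Drop everything the class matches; all other traffic falls into
! class-default and is forwarded untouched.
policy-map DROP-IM
 class BLOCK-IM
  drop
!
! Apply inbound on the interface facing the users (assumed name)
interface FastEthernet0/0
 description inside LAN
 service-policy input DROP-IM
```

To confirm the classifier is actually firing rather than silently missing the tunnel, check the per-class counters with `show policy-map interface FastEthernet0/0` while a client tries to connect; a zero match count with an active client means the host/URL patterns need revisiting. Keep the HTTP patterns as narrow as the capture allows, since an over-broad `match protocol http url` will drop legitimate sites the same way the strict-http checking in the original post did.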
