«

Hello,

I need to block traffic on my Pix 515, specifcally junk web traffic, which
is not TCP:80. I need to allow my users to surf, but want to eliminate
streaming web music, weather programs that constantly hit the Net, Kazaa,
spyware, etc, etc.... I know that some of these apps scan open ports and
use those, but is there an easy way to block everything except for the
basics (TCP 80, 25, 110, etc)? I have a Pix 515 with v6.3.

Thanks,
Mike




-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

Hello, Mike!
You wrote on Wed, 24 Dec 2003 08:36:52 -0500:

M> I need to block traffic on my Pix 515, specifcally junk web
M> traffic, which is not TCP:80. I need to allow my users to
M> surf, but want to eliminate streaming web music, weather
M> programs that constantly hit the Net, Kazaa, spyware, etc,
M> etc.... I know that some of these apps scan open ports and use
M> those, but is there an easy way to block everything except for
M> the basics (TCP 80, 25, 110, etc)? I have a Pix 515 with v6.3.

You will need more than just a PIX to do what you are looking for. Cisco NBAR
and Packeteer PacketShaper come to my mind. First one is technology and run on
Cisco router, second one is a product. Idea behind is simple - application
recognition.

Trying to block everything except 80, 25, 110, etc. can potentially break some
legitimate traffic. On the other hand there is TCP over HTTP and TCP over DNS
available - so you really want to look into payload.

With best regards,
Andrey.

> M> I need to block traffic on my Pix 515, specifcally junk web
> M> traffic, which is not TCP:80. I need to allow my users to
> M> surf, but want to eliminate streaming web music, weather
> M> programs that constantly hit the Net, Kazaa, spyware, etc,
> M> etc.... I know that some of these apps scan open ports and use
> M> those, but is there an easy way to block everything except for
> M> the basics (TCP 80, 25, 110, etc)? I have a Pix 515 with v6.3.
>
> You will need more than just a PIX to do what you are looking for. Cisco
NBAR
> and Packeteer PacketShaper come to my mind. First one is technology and
run on
> Cisco router, second one is a product. Idea behind is simple - application
> recognition.
>
> Trying to block everything except 80, 25, 110, etc. can potentially break
some
> legitimate traffic. On the other hand there is TCP over HTTP and TCP over
DNS
> available - so you really want to look into payload.
>
> With best regards,
> Andrey.

I agree with Andrey that you would need something other then the PIX to do
properly, content inspection is what you need and this is not a feature of
the firewall. It also has it's own problems blocking legitimate traffic.

But, you can use a simple ACL to block all outbound except the ports you
mentioned, you will just have to put in exceptions for legitimate traffic
when the user complains. And they will.