ChuckNNTP wrote:
> We are currently running a Cisco 7206VXR router which
> connects our organization to the Internet. IOS version is
> 12.2(19a). Only two interfaces in use, one to the external
> internet link, and one to our internal network.
>
> At present, when we detect a user's computer is infected w/
> a virus or worm, we create an ACL entry that denies any IP
> ingoing or outgoing to their IP address (one entry in the
> inside and outside ACLs respectively). This ACL entry
> occurs after explicit allow entries to windows update sites
> and virus/worm control sites so the users can still get out
> and update/disinfect their computers, but can't go anywhere
> else on the internet.
>
> My question is, using the least amount of router CPU
> possible, what is the best way to add a port 80 re-direct
> entry right before their deny all IP entry? In other words,
> at present, the user may not know why they can't get to any
> web pages (or AIM, FTP, etc). This results in a help desk
> call, and the helpdesk person has to tell them they have
> been quarantined, and how to fix it. I'd like for any
> outgoing destination port 80 traffic from the infected user
> to be redirected to a machine on the inside which tells them
> that they are quarantined and what to do about it. I've
> seen a few ways I might be able to do this with IOS,
> including one that requires an upgrade to 12.3 (SSG
> related), but I thought I'd ask in case anyone has done
> something similar.
>
> Thanks in advance!
Interesting question! You might be able to just policy-route (routing
based on source not destination) that user's IP direct to your internal
web server.
I think in Apache (not sure about MS) you can configure the web server to
accept requests to any IP address so you would not have to rewrite the
packet, just redirect it.
You would obviously have to configure the web server to respond with the
right page regardless of what page the user has requested.