PIX 506e watching for unauthorised activity

Discussion in 'Cisco' started by Tom Pearson, Jun 21, 2004.

  1. Tom Pearson Guest

    Using the 506e I want to be able to watch for unexpected/unauthorised
    activity on my TS farm. Basically users are running a single app via
    TS as a turnkey application, so all incoming requests will be via port
    3389. I want to be able to monitor outgoing traffic from the servers
    to ensure that unauthorised activity on other ports unrelated to TS is
    not somehow occurring.

    Charlie Markwick
     
    Tom Pearson, Jun 21, 2004
    #1

  2. PES Guest

    To simply block the activities you describe, you could do the following.

    Use an inbound access list on the inside interface:

    access-list inside permit tcp host <address> eq 3389 any
    access-list inside deny ip host <address> any
    access-list inside permit ip any any

    and apply it to the inside interface:

    access-group inside in interface inside
     
    PES, Jun 21, 2004
    #2

  3. Bill F Guest

    Turn logging on. Set it to debug if you want to see everything. You
    can log to a syslog server if you want to capture it on another machine.
     
    Bill F, Jun 21, 2004
    #3
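    Once the PIX is logging to a syslog host, the lines worth watching for the question asked here are the 106023 "Deny ... by access-group" messages: one is emitted for every packet an access list on the inside interface drops, so every outbound attempt the TS servers should not be making shows up with source, destination and port. The script below is an added example for this thread, not code from any of the posters or from Cisco; it parses those messages, keeps only the ones sourced from a hypothetical TS farm (192.168.1.10 and .11, an assumption) and counts them per host, protocol and destination port. The sample log lines are constructed to look like PIX 6.x syslog output and were not captured from a device.

```python
"""Triage PIX 106023 "Deny ... by access-group" syslog lines for a set of
Terminal Server hosts. Added example for this thread, not code from the
thread; the log lines below are constructed, not captured from a device."""
import re
from collections import Counter

# Constructed sample: what a syslog server might receive from a PIX with an
# inbound ACL on the inside interface denying the TS hosts' outbound traffic.
# The 302013 line is a normal "connection built" message and must be ignored.
SAMPLE_LOG = """\
Jun 21 2004 14:02:11 pix %PIX-4-106023: Deny tcp src inside:192.168.1.10/1135 dst outside:198.51.100.7/110 by access-group "acl-inside"
Jun 21 2004 14:02:13 pix %PIX-4-106023: Deny tcp src inside:192.168.1.10/1136 dst outside:198.51.100.7/110 by access-group "acl-inside"
Jun 21 2004 14:03:40 pix %PIX-4-106023: Deny tcp src inside:192.168.1.11/2201 dst outside:203.0.113.80/80 by access-group "acl-inside"
Jun 21 2004 14:04:02 pix %PIX-4-106023: Deny udp src inside:192.168.1.10/1037 dst outside:203.0.113.53/53 by access-group "acl-inside"
Jun 21 2004 14:05:00 pix %PIX-6-302013: Built inbound TCP connection 4412 for outside:203.0.113.5/50123 (203.0.113.5/50123) to inside:192.168.1.10/3389 (192.0.2.10/3389)
Jun 21 2004 14:05:30 pix %PIX-4-106023: Deny tcp src inside:192.168.1.50/3311 dst outside:203.0.113.80/80 by access-group "acl-inside"
"""

# Hypothetical TS farm addresses (an assumption made for this example).
TS_FARM = {"192.168.1.10", "192.168.1.11"}

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 line; lines with other message IDs are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def summarize(events, watched_hosts):
    """Count denied attempts per (source host, proto, destination port),
    keeping only sources in the watched set that arrived on the inside
    interface, so unrelated hosts do not drown out the TS farm."""
    counts = Counter()
    for ev in events:
        if ev["src"] in watched_hosts and ev["sif"] == "inside":
            counts[(ev["src"], ev["proto"], ev["dport"])] += 1
    return counts


def report(counts):
    """Human-readable summary lines, busiest destination first."""
    return [f"{src} -> {proto}/{dport}: {n} denied"
            for (src, proto, dport), n in counts.most_common()]


if __name__ == "__main__":
    for line in report(summarize(parse_denies(SAMPLE_LOG), TS_FARM)):
        print(line)
```

    Run against the sample, the report shows 192.168.1.10 trying POP3 (tcp/110) twice and DNS (udp/53) once, and .11 trying HTTP once; the attempt from 192.168.1.50 is dropped from the summary because that host is not part of the watched farm. 106023 is logged at severity 4 (warnings), so the PIX only needs a trap level of warnings or lower to emit it, and a cron job feeding the day's syslog through this script is enough to see the "unauthorised activity on other ports" the original poster asked about.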
  4. Walter Roberson Guest

    :> Using the 506e I want to be able to watch for unexpected/unauthorised
    :> activity on my TS farm. Basically users are running a single app via
    :> TS as a turnkey application, so all incoming requests will be via port
    :> 3389. I want to be able to monitor outgoing traffic from the servers
    :> to ensure that unauthorised activity on other ports unrelated to TS is
    :> not somehow occurring.

    :To simply block the activities you describe, you could do the following.

    :Use an inbound access list on the inside interface:

    :access-list inside permit tcp host <address> eq 3389 any
    :access-list inside deny ip host <address> any
    :access-list inside permit ip any any

    That's not going to work all that well, PES. The Adaptive Security
    of the PIX is going to allow in the 3389 traffic anyhow, and is going
    to keep better track of the state of that traffic than is implied
    by the permit statement.

    Secondly, denying the other traffic from that host is only useful if the
    host cannot be used to get to another machine not so blocked. If you
    can get to <address> and break it, there are various approaches one
    could take. For example, one could create an alternate IP address on
    the host in a related address space and start sending out packets: the
    'permit ip any any' you propose would allow that traffic to sail right
    through.


    If all the valid incoming traffic is through a particular port to
    a TS farm, then to prevent most outbound hijinks, just

    access-list acl-inside deny ip any any
    access-group acl-inside in interface inside

    The Adaptive Security will automatically create and destroy any needed
    exemptions to the list.
     
    Walter Roberson, Jun 21, 2004
    #4
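    The disagreement between the two previous posts comes down to when the inside access list is actually consulted. The model below is an added example written for this thread, not PIX code and not something either poster supplied; it is a toy of the Adaptive Security behaviour Walter describes, with made-up addresses (TS server 192.168.1.10 on an inside 192.168.1.0/24, an outside client 203.0.113.5, a POP3 server 198.51.100.7) and with NAT left out so the model stays small. A packet that belongs to a connection the firewall has already built is passed without looking at any access list; only a packet that starts a new connection is checked against the list bound to the interface it arrives on. Running PES's list and the deny-all list through the same four packets shows why the `eq 3389` permit never does anything, why both lists stop a user popping mail from the TS, and why only the deny-all list stops Walter's second-address trick.

```python
"""Toy model of the stateful behaviour Walter describes: an inbound ACL on
the inside interface is consulted only for packets that do not belong to a
connection the PIX already knows about. Added example for this thread, not
PIX code or anything from the original posts; addresses are made up and NAT
is left out to keep the model small."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None stands for 'any' in an address or port slot."""
    action: str
    proto: str
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and self.src in (None, p.src) and self.sport in (None, p.sport)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport))


def _take_addr(tok):
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address spec: {tok}")


def _take_port(tok):
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse the PIX 6.x form 'access-list NAME ACTION PROTO SRC [eq P] DST [eq P]'
    as used in this thread (only the 'any' and 'host X' address specs)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(line)
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)   # an 'eq' right after the source is a SOURCE port
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


class Pix:
    def __init__(self, inside_net, acls):
        self.inside = ipaddress.ip_network(inside_net)
        self.acls = acls          # {"inside": [Ace, ...], "outside": [Ace, ...]}
        self.conns = set()        # 5-tuples of connections the firewall has built

    def _iface(self, addr):
        return "inside" if ipaddress.ip_address(addr) in self.inside else "outside"

    def receive(self, p):
        """Process one packet arriving on the interface that owns its source address."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.conns or rev in self.conns:
            return "permit:existing-conn"        # known connection: no ACL lookup at all
        iface = self._iface(p.src)
        acl = self.acls.get(iface)
        if acl is None:                          # no access-group bound on this interface:
            permitted = iface == "inside"        # inside->outside allowed, outside->inside not
        else:
            hit = next((a for a in acl if a.matches(p)), None)
            permitted = hit is not None and hit.action == "permit"
            if hit is None:
                return "deny:implicit"
            if not permitted:
                return "deny:acl"
        if permitted:
            self.conns.add(key)
            return "permit:new-conn"
        return "deny:implicit"


# Constructed configuration for the model (not from the thread).
OUTSIDE_ACL = "access-list acl-outside permit tcp any host 192.168.1.10 eq 3389"
PES_ACL = """
access-list inside permit tcp host 192.168.1.10 eq 3389 any
access-list inside deny ip host 192.168.1.10 any
access-list inside permit ip any any
"""
DENY_ALL_ACL = "access-list acl-inside deny ip any any"


def run_scenario(inside_acl_text):
    pix = Pix("192.168.1.0/24", {"outside": parse_acl(OUTSIDE_ACL),
                                 "inside": parse_acl(inside_acl_text)})
    client, ts, alias, pop3 = "203.0.113.5", "192.168.1.10", "192.168.1.200", "198.51.100.7"
    return {
        "rdp_in":        pix.receive(Packet(client, 50000, ts, 3389)),  # user connects to the TS
        "rdp_reply":     pix.receive(Packet(ts, 3389, client, 50000)),  # TS answers that session
        "ts_to_pop3":    pix.receive(Packet(ts, 1135, pop3, 110)),      # user pops mail from the TS
        "alias_to_pop3": pix.receive(Packet(alias, 1136, pop3, 110)),   # Walter's second-address trick
    }


if __name__ == "__main__":
    for name, acl in (("PES list", PES_ACL), ("deny-all list", DENY_ALL_ACL)):
        print(name, run_scenario(acl))
```

    In both runs the RDP reply comes back as `permit:existing-conn`: it is passed on the strength of the connection built when the client's SYN was permitted by the outside list, so the `permit tcp host <address> eq 3389 any` line is never reached. The POP3 attempt from the TS itself is `deny:acl` under both lists. The only difference is the packet from the added address 192.168.1.200: PES's trailing `permit ip any any` lets it out as a new connection, while the deny-all list drops it.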
  5. PES Guest

    That is true. However, I am assuming that he has other things behind this
    port and wants to maintain the same configuration for them. With my
    original acl (below) you could in any case eliminate the top line. If
    everything behind the port only accepts inbound connections, then what you
    say is true. I think the thing that the original poster is wanting to
    protect against is the users using software on the Terminal Server to create
    outbound connections without him being aware. For example, configuring
    Outlook Express in their session to pop their email, or perhaps browsing the
    internet. For that, my acl would work, because this is a separate connection
    as far as ASA is concerned. The users would not be able to change the IP
    address unless they were admins anyway. If they did so, it would break the
    static xlate (assuming they were outside). Therefore, I did not consider
    that too great a risk.

    access-list inside permit tcp host <address> eq 3389 any
    access-list inside deny ip host <address> any
    access-list inside permit ip any any
     
    PES, Jun 22, 2004
    #5
