Solved

Cisco PIX501 Block URL

Posted on 2004-10-22
1,433 Views
Last Modified: 2013-11-16
I'm looking for a solution for URL blocking on my company firewall,
to prevent users from reaching those websites and getting infected by viruses.
i.e. http://www.3721.com, http://www.163.com

PIX can integrate with Websense to do the URL filtering work,
however we are a small company which could not afford to pay 1000pa for Websense.
Question by:csvchou
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12380590
The PIX does not have that capability.
You might look into iPrism, which is much less expensive than WebSense: http://www.stbernard.com/iprism
Else you can set up a proxy server like Squid or IPCop with add-ons (if you're an adventurous Linux guru).

You can manually resolve those websites to IP addresses, and manually add access-list rules to block them by IP address.

LVL 5

Accepted Solution

by:
talphius earned 2000 total points
ID: 12386788
Another option is to do this outside of the firewall through either hosts files on each PC, or, if you manage your DNS internally, you can add an empty zone for the domains so that clients will never be able to resolve them to an IP.

We've found this works better for websites that round-robin their domains (i.e. messenger.yahoo.com, etc.), as in order to add these to the ACLs in the PIX you'd need to know all of the IPs that could possibly be handed out by DNS. For sites that are constantly changing, this could be a very frequent and time-consuming task. Admittedly there are ways to get around it, but it does block it for the "average" user. Hope this helps!
Author Comment

by:csvchou
ID: 12398153
Thanks to both experts!

The hosts file seems to be the only way on our tight budget.
I'll edit each workstation's hosts file (fortunately, we have only 10 PCs with internet access).

C:\Winnt\system32\drivers\etc\hosts

127.0.0.1                   localhost
127.0.0.1                   3721.com
127.0.0.1                   cnsmin.3721.com
127.0.0.1                   bai.baidu.com

LVL 5

Expert Comment

by:talphius
ID: 12399082
Glad I could be of assistance for you csvchou!  Curious though why you graded as a 'B' when it was exactly what you were looking for, and the solution you ended up using?

Author Comment

by:csvchou
ID: 12408212
Dear talphius,

The hosts file method only works for those stand-alone workstations (not connected to the Win2000 server domain).
This method fails on the other domain workstations, as the DNS service is handled by the Win2000 server.
So far I can only get 1 PC out of 10 fixed.
I've heard something about using ISA to do URL filtering.
We are running Small Business Server 2000 with ISA 2000 installed.
Do you have any workaround?

Dear lrmoore,

I apologize I didn't provide enough information on this issue (i.e. PC group size).
We have 10 PCs connected: 2 are stand-alone, 8 are connected to the domain network.
Thanks for your valuable info. Now I know the solution all depends on the group size.
LVL 5

Expert Comment

by:talphius
ID: 12409845
Ahh...you didn't mention that your problem wasn't solved before you accepted the answer....

Hosts files should affect the local machines, as the machine will look locally before hitting the network DNS server. We use W2K DNS on our network as well. For testing I just entered a 127.0.0.1 record for yahoo.com in my hosts file, and when I attempted to connect or ping I received my localhost as expected. Is it possible that after you applied the hosts file there were still cached entries for the domains you were attempting to block? You can remove these by doing a Start > Run > ipconfig /flushdns

Since you are on a W2K domain, and it sounds like your DNS is managed internally, you can also implement the other solution I recommended in my original post, by creating empty zone records in DNS for those domains you are trying to block. Basically all you need to do is the following:

- Open DNS Management and point it to the server managing your DNS
- Right click on Forward Lookup Zones, Click New Zone
- Choose Primary Zone, Click Next
- Zone name would be domain name or subdomain you are trying to block (i.e. xyz.com or abc.xyz.com)
- Accept default (Allow only secure dynamic updates), Click Next
- Click finish

Basically any host on your network that uses the DNS server will get back an empty answer for that domain when it attempts to do lookups. You can verify this by going to a workstation and running 'nslookup <domainname>' (be sure you flush DNS on that machine first). The advantage of using it at the server level is that there's only one place to manage these settings, and you don't have to push them out to machines.

We currently have the below in ours:
aim.aol.com
gator.com
hotbar.com
icq.com
login.oscar.aol.com
messenger.hotmail.com
messenger.yahoo.com
msg.yahoo.com
scs.yahoo.com
weatherbug.com
webshots.com

Let me know if you need any further assistance.
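The two methods in this thread, csvchou's per-PC hosts file and talphius's empty DNS zones, differ mainly in which names they catch: a hosts entry matches one exact name, while an empty authoritative zone answers for the domain and everything beneath it. This added Python example (not code from the thread) models both from sample data constructed out of the posts and scripts the nslookup check talphius describes; HOSTS_TEXT and EMPTY_ZONES are constructed samples.

```python
import socket

SINKHOLE = "127.0.0.1"
# Constructed sample: the hosts file csvchou posted above.
HOSTS_TEXT = """
127.0.0.1                   localhost
127.0.0.1                   3721.com
127.0.0.1                   cnsmin.3721.com
127.0.0.1                   bai.baidu.com
"""

# Constructed sample: domains given empty primary zones on the internal DNS.
# Keep zones as narrow as possible: a zone swallows every name beneath it,
# which is why talphius lists messenger.yahoo.com rather than yahoo.com.
EMPTY_ZONES = ["3721.com", "messenger.yahoo.com"]

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            for name in names:
                table[name.lower().rstrip(".")] = ip
    return table

def blocked_by_hosts(name, hosts):
    """A hosts entry matches the exact name only; new subdomains slip past."""
    return hosts.get(name.lower().rstrip(".")) == SINKHOLE

def blocked_by_zone(name, zones):
    """An empty authoritative zone answers for its apex and every label below."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in zones)

def coverage(names, hosts, zones):
    """Per-name verdict (hosts_file, dns_zone) so gaps in either method show."""
    return {n: (blocked_by_hosts(n, hosts), blocked_by_zone(n, zones)) for n in names}

def live_check(name):
    """Scripted form of the thread's check (flush DNS, then nslookup <domain>):
    True if the resolver returns the sinkhole or no address at all."""
    try:
        return socket.gethostbyname(name) == SINKHOLE
    except socket.gaierror:  # NXDOMAIN or empty answer from the blackhole zone
        return True
```

Run coverage() over the names you intend to block to see which ones a per-PC hosts file misses (any subdomain not listed explicitly); live_check() needs a resolver and is the only part that touches the network.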

Author Comment

by:csvchou
ID: 12411675
Dear talphius,

It works!!!!! My problem is solved.
Thanks for your detailed working guide.
It is my first time using Experts Exchange; I did it by mistake.
It should be a grade 'A' answer.
How can I change the grade?
LVL 5

Expert Comment

by:talphius
ID: 12411781
Welcome to EE!  I'm sure you'll find the site to be an excellent resource for information, and I would encourage you take some time to look through the content here.  As for your specific question, I'm glad I could help! :)

Regarding the grade change, you can post a message in the Community Support area, stating exactly what you want done.  Be sure to refer to this question #(Q_21178503) in your message.

http://www.experts-exchange.com/Community_Support/