  • Status: Solved
  • Priority: Medium
  • Security: Public

Pix allowing access by URL?

I believe it is possible to set up access via a pix to URLs (rather than IP addresses) by using an external Websense server.
Is this interface specification available, and/or are there any freeware products that can be used?
I need to allow access to certain sites (some of which are using Akamai) which have multiple (not necessarily published) IP addresses, e.g. Windows Update, whilst blocking all other access.
So far I have built a very long list (approx 100 lines) of ip addresses that I am allowing in my access-list, but this clearly is a silly way of working.

Any suggestions?

(We are committed to PIX, it will not help at all, suggesting alternative firewall products!)

Thanks
0
zaxanoid
Asked:
1 Solution
 
lrmoore Commented:
I'm sorry to say that there is absolutely no facility within the PIX to do what you are asking of it.
I think that what you are looking for is a way to block, sort of like this:
   access-list blocking_list deny tcp any www.playboy.com
   access-list blocking_list deny tcp any mail.yahoo.com
   access-list blocking_list permit tcp any www.akamai.com
   access-list blocking_list permit tcp any www.microsoft.com
   access-list blocking_list permit tcp any v5.windowsupdate.microsoft.com
   access-list blocking_list permit tcp any windowsupdate.microsoft.com
  <etc>

The only way that can happen is with URL filtering, passing off the actual decision to WebSense or N2H2 server.
Else, use a Proxy server with outbound restrictions.

 
0
 
zaxanoid Author Commented:
Hi there
I knew this...the question was:
"I believe it is possible to set up access via a pix to URLs (rather than IP addresses) by using an external Websense server.
Is this interface specification available, and/or are there any freeware products that can be used?"

0
 
lrmoore Commented:
As I said:
>Else, use a Proxy server with outbound restrictions.

You can use something like Squid proxy http://www.squid-cache.org/
Or something like IPCOP with addins http://www.ipcop.org    http://www.ipcops.net
0
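Added example, not part of the original thread and not Squid or PIX code: the hostname-based allowlist decision an outbound proxy makes, with default deny, which is what the IP-based access-list in the question cannot express. The function names, the leading-dot convention for "domain and its subdomains", and the sample hosts are assumptions constructed for illustration.

```python
# Added illustration: allow by hostname, deny everything else.
# Domain names are taken from the thread; request hosts are constructed samples.

ALLOWED_DOMAINS = (
    ".windowsupdate.microsoft.com",  # leading dot: the domain and any subdomain
    ".microsoft.com",
    ".akamai.com",
)


def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and drop any port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:80
        return host[1:host.find("]")] if "]" in host else ""
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def is_allowed(host_header: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Return True only when the host matches an entry on a label boundary."""
    host = normalize_host(host_header)
    if not host:
        return False
    for entry in allowed:
        if entry.startswith("."):
            # Match the bare domain or a true subdomain; a plain substring or
            # suffix test without the dot would also admit "notmicrosoft.com".
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False  # default deny: unlisted names and raw IP addresses


def filter_requests(hosts):
    """Pair each requested host with the verdict the allowlist gives it."""
    return [(h, "permit" if is_allowed(h) else "deny") for h in hosts]


SAMPLE_HOSTS = [  # constructed test input
    "v5.windowsupdate.microsoft.com",
    "WindowsUpdate.Microsoft.com:80",
    "www.microsoft.com.",
    "notmicrosoft.com",
    "microsoft.com.example.net",
    "192.0.2.10",
]

if __name__ == "__main__":
    for host, verdict in filter_requests(SAMPLE_HOSTS):
        print(f"{verdict:6} {host}")
```

Because the decision is made on the requested name, it does not matter which CDN address the name resolves to at that moment.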
 
zaxanoid Author Commented:
Thanks, but as I also said, we are committed to pix, and it is no use suggesting alternatives.
Perhaps I could push all the traffic through the squid before the pix, to filter the urls, but this will cause no end of bother with vpn tunnels to concentrators behind the pix, and inbound traffic.

0
 
lrmoore Commented:
>but as I also said, we are committed to pix, and it is no use suggesting alternatives
As I also said, there is no capability of the PIX alone to do what you want.
There are only alternatives that supplement the pix.
0
 
lrmoore Commented:
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}
0
 
zaxanoid Author Commented:
My question was
"Is this interface specification available, and/or are there any freeware products that can be used?"
and I stated:
"(We are committed to PIX, it will not help at all, suggesting alternative firewall products!)"

So the "answers" posted were not in fact answers at all.

I would therefore suggest no points be awarded. It seems that nobody knows the interface spec., and there are no freeware alternatives.

0
 
Venabili Commented:
The answer is given to you - there is no way in the way you want it...
You may not like it, but this is the fact.
"NO way" is a valid answer and is not a reason for not awarding the points.
0
 
zaxanoid Author Commented:
If "no way" had been posted as an answer, I might agree with you.
However this has not been said......
the only "answers" posted were restatements of parts of my question, or excluded in my question as not an option for me.
In other words these "answers" added nothing new, and left me wondering if the question had actually been read through.

So far nobody has actually said that there isn't a freeware product, or offered any idea on the workings of the interface...
I still hope that an answer might appear from somewhere. Clearly there is an interface spec somewhere, or websense n2h2 etc wouldn't work.

I would therefore suggest no points be awarded. It seems that there are no freeware alternatives (at the moment) and that nobody has the interface spec.

Surely points are awarded for answers......

0
 
Venabili Commented:
"there is no capability of the PIX alone to do what you want." was said.
Additionally - lrmoore asked if you need more help and you did not answer. How are the experts supposed to know that this is not enough for you?
0
 
lrmoore Commented:
The answer will not change.
>So far nobody has actually said that there isn't a freeware product,
You asked for freeware alternatives, and I provided you with a link to Squid

You did not want to use Squid and stated that you will not accept alternatives to the PIX.

That leaves NO other alternative and you still cannot do it with the PIX alone.
There is absolutely NO freeware or any other 3rd party software that can be installed directly on the PIX.

What kind of interface spec are you looking for? The PIX has standard 10/100 Ethernet interfaces. Cisco does not make public any of its source code or any other interface specifications.


0
 
zaxanoid Author Commented:
I was hoping that someone had a spec of the pix to websense interface (then maybe I could write code to allow simple url filtering....I don't need any of the advanced features such as lists of categorized content), or knew of a free (or cheap) program that can interface to the pix in the same way.

I fully accept all of your comments, and agree with you that your answer is as good as I can expect.

I did hope that Pix v7 might allow the use of URLs in access-lists
0
