Solved

PIX Firewall with Surfcontrol Server: Illegal Traffic not Blocked

Posted on 2006-11-07
Last Modified: 2013-11-16
I currently have a PIX 501 firewall connected to my ISP, and behind that I have 3 switches trunked off of each other with one connection back to the PIX. I mirrored a port on switch A where it connects to the PIX, and my Win2003 SP1 Server (Surfcontrol Server 5.0) is the box receiving the mirrored info. This is also on switch A, along with the trunk to the next switch (B) and 15+ other host ports that are active on switch A. My problem is that all of the websites that are supposedly blocked are coming through, regardless of where that box is in the network: switch A, B or C. I have enabled all of the Surfcontrol rules and they are active, but nothing is actually being blocked, though the monitor (and real time monitor) show blockage. I've also uninstalled and reinstalled Surfcontrol with the same result. I would prefer to move the Surfcontrol server to one of the PIX ports and mirror the switch A connection to that new PIX port, but I can't find any commands to mirror or SPAN a port on a PIX.

 Can someone come up with a possible solution or direct me to my flaw...

 

Thanks

PS. My Surfcontrol server has a secondary NIC that is a standard portfast fastE port (no mirroring) that I use to RDP into the box. Just thought I'd add this tidbit of info...
Question by:BigBro007
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
>I can't find any commands to mirror or SPAN a port on a PIX.
Sorry, but there isn't one. You can't span ports directly on the PIX.

Unfortunately, the PIX does not support SurfControl natively like it does N2H2 and Websense.
I don't know how Surfcontrol is supposed to work by connecting to a SPAN port... I know it can see all the traffic that way, but how does it prevent users from going there?
What kind of switches do you have? They need to support bi-directional SPAN. Many Cisco switches do not support this feature.

I would think that the surfcontrol server would have to be in direct line between the users and the firewall.
Have you seen this document from SurfControl?
http://www.surfcontrol.com/uploadedfiles/SWF50_Pix_Deployment_Guide.pdf
LVL 10

Expert Comment

by:srgilani
lrmoore is right, you are doing port mirroring and it doesn't work like port filtering.

Your scenario will be:

Internet --->  Pix ----->> SurfControl Server ----->  rest of LAN.



Author Comment

by:BigBro007
And I truly understand that.... I've seen the document, and it states to mirror a port on the switch (2950) which is mirroring both directions of traffic. The document doesn't state whether or not host devices can be plugged into the switch or not. And per this document, the server doesn't have to be a true "in-band" solution. That would be more along the lines of an appliance that was transparent. This is supposedly a "pass-by" filtering device that can sit "off-band" and provide the solution of blocking the sites...

Any other info?


PS. Surfcontrol calls for port mirroring, not filtering, on the switch - Surfcontrol does the filtering...
LVL 79

Expert Comment

by:lrmoore
> mirror a port on the switch (2950) which is mirroring both directions of traffic.
Ah, but the port is not bi-directional, meaning that it's like a firehose letting Surfcontrol see all the traffic, but no traffic can be sent from the server into that same interface. Too much coming out to let any in. Sort of like a tadpole trying to swim into the fire hydrant with the water on full blast.
From SPAN on 2950 documentation:
 The destination port has these characteristics:
   * The port does not transmit any traffic except that required for the SPAN session

Therefore, this does not meet the requirement for a bi-directional mirror port.
Ref:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html#1078789


Expert Comment

by:jbisordi
Big Bro007,

I have a similar setup here. You need to review the documentation for your switch and be sure the port mirroring is bi-directional. By default the mirroring on a lot of switches is not bi-directional.

I have all the clients on my network plugged into twenty NetGear ProSafe switches. One port on each switch plugs into another ProSafe switch (I call it my root switch), which also has my firewall and my SurfControl Webfilter server plugged into it. I bi-directionally mirrored (the option on the switch GUI is listed as Tx/Rx) the port the firewall is on to the port the SurfController is on, and it works great.

Before I had switches that could mirror ports, I had a small hub between my firewall and root switch that I plugged SurfController into, which also worked (it was an old Linksys hub; I think the newer ones have Cisco switching technology in them so they won't work, it has to be straight up broadcast style to all ports on the hub). That could work for you too, if you REALLY need to get it running ASAP.

So: check your switch documentation and get a new switch if needed. I wouldn't recommend what I did with the hub because that could seriously bottleneck your network if you are not careful!

:)

P.S. I am jealous of your budget and 2950's!


Author Comment

by:BigBro007
From my 2950:

Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/24
Destination Ports: Fa0/22


The port is monitoring in both directions; it just won't stop any clients even though there is a blocking statement active in the rule sets...

jbisordi,
do you have any hosts on the "root switch" in your network? I have hosts on my "root switch" and was wondering if this is causing some problems...
LVL 79

Expert Comment

by:lrmoore
>Destination Ports: Fa0/22
This is the port connected to the SurfControl, yes?
It is *not* bi-directional.
Fa0/24 is connected to your firewall, yes?
Traffic coming in Rx and going out Tx of that port is all mirrored to port fa0/22.
SurfControl sees everything.
NOTHING can be sent out fa0/22, meaning that SurfControl cannot block anything.

Expert Comment

by:jbisordi
BigBro007,

Yes, I have hosts on my root switch. That shouldn't matter. See lrmoore's comments. I think your switch is sending both received and transmitted packets from port 24 to port 22, but 22 is unable to send anything out.

Like I said you could always try a hub (w/o switching technology) or get a new switch that will allow the destination port in port-mirroring to transmit as well.

:D

Author Comment

by:BigBro007
I now think I understand what you all are saying about being able to transmit on the port while receiving SPAN'd data. Does anyone know (before I google it) if the 2950's are capable of such a behavior?

Expert Comment

by:jbisordi
BigBro007,

I *think* it might be possible based on the documentation which states:

"You can use the SPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker."

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html

"The destination port does not transmit any traffic except that traffic required for the SPAN session unless "learning" is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port."

http://www.cisco.com/warp/public/473/41.html#topic5

Do you have a contact with Cisco TAC or a warranty on this piece of equipment? Give them a call and ask them for some configuration assistance for this feature.

Good Luck!

Author Comment

by:BigBro007
I actually re-read the Cisco documentation this morning in regards to spanning the port. It looks as though I have to enable ingress on the actual destination port to allow me to send traffic out of the monitoring port... I'm assuming that this is what they mean when they mention "...learning is enabled."
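A configuration example, added here and not taken from the thread, from Cisco's guides or from SurfControl's deployment guide, that puts the SPAN session shown in the 'show monitor' output above next to one that lets the destination port send frames into the switch. It assumes Fa0/24 faces the PIX, Fa0/22 is the SurfControl server, clients sit in VLAN 1, and that this 2950's IOS release accepts the 'ingress vlan' keyword on a SPAN destination (check your release notes; older images lack it).

```cisco
! --- Session as it stands (this is what the posted 'show monitor' reflects) ---
! Fa0/24 = uplink to the PIX, Fa0/22 = SurfControl server (assumed roles)
monitor session 1 source interface FastEthernet0/24 both
monitor session 1 destination interface FastEthernet0/22
! Effect: Fa0/22 receives a copy of every frame that crosses Fa0/24 (Rx and Tx),
! but the switch discards anything the SurfControl NIC transmits on Fa0/22.
! The filter therefore sees the HTTP request and logs a "block", yet the
! reset/block response it generates never reaches the client or the web server,
! which is exactly the symptom in the question.

! --- Corrected session: permit ingress on the SPAN destination ---
! 'ingress vlan 1' makes the switch accept untagged frames arriving on Fa0/22
! and forward them normally in VLAN 1 (the client VLAN is an assumption here).
no monitor session 1
monitor session 1 source interface FastEthernet0/24 both
monitor session 1 destination interface FastEthernet0/22 ingress vlan 1

! --- Verification ---
! 'show monitor session 1' should now show the destination with ingress
! enabled and default VLAN 1 (exact wording differs between IOS releases).
! A second check is on the SurfControl box itself: with ingress enabled, a
! client request for a blocked site should produce a block page or a reset
! in the client's browser, not just an entry in the real-time monitor.
```

If the release does not offer 'ingress vlan', the thread's other options remain: place the server in line, or use a switch whose mirror destination can transmit.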