Solved

PIX Firewall with Surfcontrol Server: Illegal Traffic not Blocked

Posted on 2006-11-07
13
673 Views
Last Modified: 2013-11-16
I currently have a PIX 501 firewall connected to my ISP, and behind that I have 3 switches trunked off of each other with one connection back to the PIX. I mirrored a port on switch A where it connects to the PIX, and my Win2003 SP1 Server (Surfcontrol Server 5.0) is the box receiving the mirrored info. This is also on switch A, along with the trunk to the next switch (B) and 15+ other host ports that are active on switch A. My problem is that all of the websites that are supposedly blocked are coming through, regardless of where that box is in the network: switch A, B or C. I have enabled all of the surfcontrol rules and they are active, but nothing is actually being blocked, though the monitor (and real time monitor) show blockage. I've also uninstalled and reinstalled Surfcontrol with the same result. I would prefer to move the surfcontrol server to one of the PIX ports and mirror the Switch A connection to that new PIX port, but I can't find any commands to mirror or SPAN a port on a PIX.

 Can someone come up with a possible solution or direct me to my flaw...

 

Thanks

PS. My Surfcontrol server has a secondary NIC that is a standard portfast fastE port (no mirroring) that I use to RDP into the box. Just thought I'd add this tidbit of info...
Question by:BigBro007
13 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 17896659
>I can't find any commands to mirror or SPAN a port on a PIX.
Sorry, but there isn't one. You can't span ports directly on the PIX.

Unfortunately, the PIX does not support SurfControl natively like it does N2H2 and Websense.
I don't know how Surfcontrol is supposed to work by connecting to a SPAN port... I know it can see all the traffic that way, but how does it prevent users from going there?
What kind of switches do you have? They need to support bi-directional SPAN. Many Cisco switches do not support this feature.

I would think that the surfcontrol server would have to be in direct line between the users and the firewall.
Have you seen this document from SurfControl?
http://www.surfcontrol.com/uploadedfiles/SWF50_Pix_Deployment_Guide.pdf
0
 
LVL 10

Expert Comment

by:srgilani
ID: 17897023
lrmoore is right, you are doing port mirroring and it doesn't work like port filtering.

Your scenario will be:


Internet --->  Pix ----->> SurfControl Server ----->  rest of lan.


0
 

Author Comment

by:BigBro007
ID: 17902909
And I truly understand that.... I've seen the document, and it states to mirror a port on the switch (2950) which is mirroring both directions of traffic. The document doesn't state whether or not host devices can be plugged into the switch or not. And per this document, the server doesn't have to be a true "in-band" solution. That would be more along the lines of an appliance that was transparent. This is supposedly a "pass-by" filtering device that can sit "off-band" and provide the solution of blocking the sites...

Any other info?


Ps. Surfcontrol calls for port mirroring; not filtering on the switch - surfcontrol does the filtering...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17903032
> mirror a port on the switch (2950) which is mirroring both directions of traffic.
Ah, but the port is not bi-directional meaning that it's like a firehose letting Surfcontrol see all the traffic, but no traffic can be sent from the Server into that same interface. Too much coming out to let any in. Sort of like a tadpole trying to swim into the fire hydrant with the water on full blast..
From SPAN on 2950 documentation:
 The destination port has these characteristics:
   * The port does not transmit any traffic except that required for the SPAN session

Therefore, this does not meet the requirement for a bi-directional mirror port.
Ref:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html#1078789

0
 

Expert Comment

by:jbisordi
ID: 17910373
Big Bro007,

I have a similar setup here. You need to review the documentation for your switch and be sure the port mirroring is bi-directional. By default the mirroring on a lot of switches is not bi-directional.

I have all the clients on my network plugged into twenty NetGear Prosafe switches. One port on each switch plugs into another ProSafe switch (I call it my root switch), which also has my firewall and my SurfControl Webfilter server plugged into it. I bi-directionally mirrored (the option on the switch GUI is listed as Tx/Rx) the port the firewall is on to the port the SurfController is on, and it works great.

Before I had switches that could mirror ports, I had a small hub between my firewall and root switch that I plugged SurfController into, which also worked (it was an old Linksys hub; I think the newer ones have Cisco switching technology in them so they won't work, it has to be straight up broadcast style to all ports on the hub). That could work for you too, if you REALLY need to get it running ASAP.

So: check your switch documentation and get a new switch if needed. I wouldn't recommend what I did with the hub because that could seriously bottleneck your network if you are not careful!

:)

P.S. I am jealous of your budget and 2950's!

0

 

Author Comment

by:BigBro007
ID: 17910868
From my 2950:

Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/24
Destination Ports: Fa0/22


The port is monitoring in both directions; it just won't stop any clients even though there is a blocking statement active in the rule sets...

jbisordi,
do you have any hosts on the "root switch" in your network? I have hosts on my "root switch" and was wondering if this is causing some problems...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17910920
>Destination Ports: Fa0/22
This is the port connected to the SurfControl, yes?
It is *not* bi-directional.
Fa0/24 is connected to your firewall, yes?
Traffic coming in Rx and going out Tx of that port is all mirrored to port fa0/22.
SurfControl sees everything.
NOTHING can be sent out fa0/22, meaning that SurfControl cannot block anything.
0
 

Expert Comment

by:jbisordi
ID: 17939196
BigBro007,

Yes, I have hosts on my root switch. That shouldn't matter. See lrmoore's comments. I think your switch is sending both received and transmitted packets from port 24 to port 22, but 22 is unable to send anything out.

Like I said you could always try a hub (w/o switching technology) or get a new switch that will allow the destination port in port-mirroring to transmit as well.

:D
0
 

Author Comment

by:BigBro007
ID: 17943384
I now think I understand what you all are saying about being able to transmit on the port while receiving SPAN'd data. Does anyone know (before I google it) if the 2950's are capable of such a behavior?
0
 

Expert Comment

by:jbisordi
ID: 17948495
BigBro007,

I *think* it might be possible based on the documentation which states:

"You can use the SPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker."

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html

"The destination port does not transmit any traffic except that traffic required for the SPAN session unless "learning" is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port."

http://www.cisco.com/warp/public/473/41.html#topic5

Do you have a contact with Cisco TAC or a warranty on this piece of equipment? Give them a call and ask them for some configuration assistance for this feature.

Good Luck!




0
 

Author Comment

by:BigBro007
ID: 17949687
I actually re-read the Cisco documentation this morning in regards to spanning the port. It looks as though I have to enable ingress on the actual destination port to allow me to send traffic out of the monitoring port... I'm assuming that this is what they mean when they mention "...learning is enabled."
0
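The thread's failure mode is easy to miss from a `show monitor` dump: the source port is mirrored "Both", the filter server is the destination, and yet nothing is blocked because the destination port cannot transmit. The following check is an added example, not code from the thread, from SurfControl or from Cisco. It parses the `show monitor` text in the shape the asker pasted and reports whether a pass-by filter on the destination port could actually send blocking packets. The `Ingress:` line it looks for is an assumption about how a switch that supports the feature reports it; the thread's own dump has no such line, which the check treats as "not enabled". The port names `Fa0/24` (firewall uplink) and `Fa0/22` (filter server) are the ones from the thread.

```python
"""Check a Catalyst 'show monitor' dump for a pass-by web filter deployment.

Added example (not the thread's, SurfControl's or Cisco's own code). The
'Ingress:' line format is an assumption; verify it against your switch.
"""
import re

# Constructed sample: the session the asker pasted, with no ingress line.
SAMPLE_THREAD_DUMP = """\
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/24
Destination Ports: Fa0/22
"""

# Constructed sample of what a corrected session is assumed to look like once
# ingress is enabled on the destination port (line format is an assumption).
SAMPLE_FIXED_DUMP = SAMPLE_THREAD_DUMP + "    Ingress:       Enabled, default VLAN = 1\n"


def parse_show_monitor(text):
    """Return {session_number: {lowercased field: value}} from 'show monitor' text."""
    sessions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Session\s+(\d+)$", line)
        if header:
            current = sessions.setdefault(int(header.group(1)), {})
            continue
        if current is None or ":" not in line:
            continue  # separator lines such as '---------'
        key, _, value = line.partition(":")
        if value.strip():  # skip group labels like 'Source Ports:'
            current[key.strip().lower()] = value.strip()
    return sessions


def split_ports(value):
    """'Fa0/24, Fa0/23' -> ['fa0/24', 'fa0/23']; 'None' -> []."""
    if value.strip().lower() == "none":
        return []
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def assess_session(session, firewall_port, filter_port):
    """List the reasons a pass-by filter on filter_port could not block traffic."""
    fw, flt = firewall_port.lower(), filter_port.lower()
    findings = []
    both = split_ports(session.get("both", "None"))
    rx = split_ports(session.get("rx only", "None"))
    tx = split_ports(session.get("tx only", "None"))
    dests = split_ports(session.get("destination ports", "None"))

    if fw not in both:
        if fw in rx or fw in tx:
            findings.append(f"{firewall_port} is mirrored in one direction only; "
                            "mirror 'both' so the filter sees requests and replies")
        else:
            findings.append(f"{firewall_port} (firewall uplink) is not a SPAN source")
    if flt not in dests:
        findings.append(f"{filter_port} (filter server) is not the SPAN destination")
    # The thread's core problem: a SPAN destination that only receives.
    if not session.get("ingress", "").lower().startswith("enabled"):
        findings.append(f"destination {filter_port} cannot transmit: ingress is not "
                        "enabled, so the filter sees traffic but cannot send blocking packets")
    return findings


def check_span(text, firewall_port, filter_port):
    """Assess every session in the dump; returns a flat list of findings."""
    sessions = parse_show_monitor(text)
    if not sessions:
        return ["no SPAN session configured"]
    findings = []
    for number, session in sorted(sessions.items()):
        findings += [f"session {number}: {f}" for f in assess_session(session, firewall_port, filter_port)]
    return findings


if __name__ == "__main__":
    for label, dump in (("thread", SAMPLE_THREAD_DUMP), ("fixed", SAMPLE_FIXED_DUMP)):
        result = check_span(dump, "Fa0/24", "Fa0/22")
        print(label, "->", result or ["OK: filter can see and inject traffic"])
```

Run against the thread's dump it reports a single finding, the missing ingress capability; against the assumed corrected dump it reports nothing. The check deliberately does not parse per-switch syntax for enabling ingress, since that differs by platform and IOS release and should be taken from the switch's own configuration guide.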
