Solved

PIX Firewall with Surfcontrol Server: Illegal Traffic not Blocked

Posted on 2006-11-07
Last Modified: 2013-11-16
I currently have a PIX 501 firewall connected to my ISP, and behind that I have 3 switches trunked off of each other with one connection back to the PIX. I mirrored a port on switch A where it connects to the PIX, and my Win2003 SP1 Server (Surfcontrol Server 5.0) is the box receiving the mirrored info. This is also on switch A, along with the trunk to the next switch (B) and 15+ other host ports that are active on switch A. My problem is that all of the websites that are supposedly blocked are coming through, regardless of where that box is in the network: switch A, B or C. I have enabled all of the surfcontrol rules and they are active, but nothing is actually being blocked, though the monitor (and real time monitor) show blockage. I've also uninstalled and reinstalled Surfcontrol with the same result. I would prefer to move the surfcontrol server to one of the PIX ports and mirror the Switch A connection to that new PIX port, but I can't find any commands to mirror or SPAN a port on a PIX.

Can someone come up with a possible solution or direct me to my flaw...

 

Thanks

PS. My Surfcontrol server has a secondary NIC that is a standard portfast fastE port (no mirroring) that I use to RDP into the box. Just thought I'd add this tidbit of info...
Question by:BigBro007
13 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 17896659
>I can't find any commands to mirror or SPAN a port on a PIX.
Sorry, but there isn't one. You can't span ports directly on the PIX.

Unfortunately, the PIX does not support SurfControl natively like it does N2H2 and Websense.
I don't know how Surfcontrol is supposed to work by connecting to a SPAN port... I know it can see all the traffic that way, but how does it prevent users from going there?
What kind of switches do you have? They need to support bi-directional SPAN. Many Cisco switches do not support this feature.

I would think that the surfcontrol server would have to be in direct line between the users and the firewall.
Have you seen this document from SurfControl?
http://www.surfcontrol.com/uploadedfiles/SWF50_Pix_Deployment_Guide.pdf
 
LVL 10

Expert Comment

by:srgilani
ID: 17897023
lrmoore is right, you are doing port mirroring and it doesn't work like port filtering.

Your scenario will be:


Internet --->  Pix ----->> SurfControl Server ----->  rest of lan.


 

Author Comment

by:BigBro007
ID: 17902909
And I truly understand that.... I've seen the document, and it states to mirror a port on the switch (2950) which is mirroring both directions of traffic. The document doesn't state whether or not host devices can be plugged into the switch or not. And per this document, the server doesn't have to be a true "in-band" solution. That would be more along the lines of an appliance that was transparent. This is supposedly a "pass-by" filtering device that can sit "off-band" and provide the solution of blocking the sites...

Any other info?


PS. Surfcontrol calls for port mirroring; not filtering on the switch - surfcontrol does the filtering...
 
LVL 79

Expert Comment

by:lrmoore
ID: 17903032
> mirror a port on the switch (2950) which is mirroring both directions of traffic.
Ah, but the port is not bi-directional, meaning that it's like a firehose letting Surfcontrol see all the traffic, but no traffic can be sent from the Server into that same interface. Too much coming out to let any in. Sort of like a tadpole trying to swim into the fire hydrant with the water on full blast.
From SPAN on 2950 documentation:
 The destination port has these characteristics:
   * The port does not transmit any traffic except that required for the SPAN session

Therefore, this does not meet the requirement for a bi-directional mirror port.
Ref:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html#1078789

 

Expert Comment

by:jbisordi
ID: 17910373
Big Bro007,

I have a similar setup here. You need to review the documentation for your switch and be sure the port mirroring is bi-directional. By default the mirroring on a lot of switches is not bi-directional.

I have all the clients on my network plugged into twenty NetGear Prosafe switches. One port on each switch plugs into another ProSafe switch (I call it my root switch), which also has my firewall and my SurfControl Webfilter server plugged into it. I bi-directionally mirrored (the option on the switch GUI is listed as Tx/Rx) the port the firewall is on to the port the SurfController is on, and it works great.

Before I had switches that could mirror ports, I had a small hub between my firewall and root switch that I plugged SurfController into, which also worked (it was an old Linksys hub; I think the newer ones have Cisco switching technology in them so they won't work, it has to be straight up broadcast style to all ports on the hub). That could work for you too, if you REALLY need to get it running ASAP.

So: check your switch documentation and get a new switch if needed. I wouldn't recommend what I did with the hub because that could seriously bottleneck your network if you are not careful!

:)

P.S. I am jealous of your budget and 2950's!

 

Author Comment

by:BigBro007
ID: 17910868
From my 2950:

Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/24
Destination Ports: Fa0/22


The port is monitoring in both directions; it just won't stop any clients even though there is a blocking statement active in the rule sets...

jbisordi,
do you have any hosts on the "root switch" in your network? I have hosts on my "root switch" and was wondering if this is causing some problems...
 
LVL 79

Expert Comment

by:lrmoore
ID: 17910920
>Destination Ports: Fa0/22
This is the port connected to the SurfControl, yes?
It is *not* bi-directional.
Fa0/24 is connected to your firewall, yes?
Traffic coming in Rx and going out Tx of that port is all mirrored to port fa0/22.
SurfControl sees everything.
NOTHING can be sent out fa0/22, meaning that SurfControl cannot block anything.
 

Expert Comment

by:jbisordi
ID: 17939196
BigBro007,

Yes, I have hosts on my root switch. That shouldn't matter. See lrmoore's comments. I think your switch is sending both received and transmitted packets from port 24 to port 22, but 22 is unable to send anything out.

Like I said you could always try a hub (w/o switching technology) or get a new switch that will allow the destination port in port-mirroring to transmit as well.

:D
 

Author Comment

by:BigBro007
ID: 17943384
I now think I understand what you all are saying about being able to transmit on the port while receiving SPAN'd data. Does anyone know (before I google it) if the 2950's are capable of such a behavior?
 

Expert Comment

by:jbisordi
ID: 17948495
BigBro007,

I *think* it might be possible based on the documentation which states:

"You can use the SPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker."

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html

"The destination port does not transmit any traffic except that traffic required for the SPAN session unless "learning" is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port."

http://www.cisco.com/warp/public/473/41.html#topic5

Do you have a contact with Cisco TAC or a warranty on this piece of equipment? Give them a call and ask them for some configuration assistance for this feature.

Good Luck!
 

Author Comment

by:BigBro007
ID: 17949687
I actually re-read the Cisco documentation this morning in regards to spanning the port. It looks as though I have to enable ingress on the actual destination port to allow me to send traffic out of the monitoring port... I'm assuming that this is what they mean when they mention "...learning is enabled."
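A small check, added here and not part of the thread, that parses `show monitor session` output in the format BigBro007 posted and reports whether a pass-by filter on the SPAN destination could block anything (it needs both directions mirrored and ingress enabled on the destination). The "Ingress :" line used for the corrected sample is an assumption modelled on the output of later IOS releases, and the 2950 show output on this page has no such line, which is the condition the check flags.

```python
import re

# Constructed sample: the 'show monitor session 1' output posted in the
# thread (Fa0/24 mirrored in both directions to Fa0/22, no ingress line).
SPAN_AS_POSTED = """\
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/24
Destination Ports: Fa0/22
"""

# Constructed sample for a session where ingress was enabled on the
# destination; the "Ingress :" line format is an assumption.
SPAN_WITH_INGRESS = SPAN_AS_POSTED + "    Ingress : Enabled, default VLAN = 1\n"


def parse_span(show_output):
    """Return the SPAN session's source ports by direction, its destination
    port, and whether the destination port is allowed to transmit (ingress)."""
    session = {"source": {}, "destination": None, "ingress": False}
    for line in show_output.splitlines():
        m = re.match(r"\s*(RX Only|TX Only|Both):\s+(\S+)", line)
        if m and m.group(2) != "None":
            session["source"][m.group(1)] = m.group(2)
        m = re.match(r"\s*Destination Ports:\s+(\S+)", line)
        if m:
            session["destination"] = m.group(1)
        if re.match(r"\s*Ingress\s*:\s*Enabled", line):
            session["ingress"] = True
    return session


def pass_by_filter_can_block(show_output):
    """A pass-by filter blocks by injecting packets of its own through the
    SPAN destination port, so it must see both directions of the mirrored
    port AND the destination must be permitted to send (ingress enabled)."""
    s = parse_span(show_output)
    sees_both_directions = "Both" in s["source"]
    return bool(s["destination"]) and sees_both_directions and s["ingress"]
```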