Solved

How to block IM,P2P applications, Google earth,multimedia contents from PIX 525 ver 7.0(6)

Posted on 2006-11-17
1,361 Views
Last Modified: 2013-11-16
Hi Experts,

I am really worried about the bandwidth usage by P2P applications. I need to block all P2P applications, messengers, YouTube, Metacafe, and proxy software from my PIX 525 ver 7.0(6). I need a way to block them, either by access-list or by any other available means. We don't have Websense or Blue Coat to block these things. I know I cannot achieve 100%, but to a certain extent I want to block these applications. Also, is there any way to block certain web sites? Please let me know.


0
Question by:alkhaleej
5 Comments
 
LVL 7

Expert Comment

by:lukeca
ID: 17970661
Well, if your clients are pointed to an internal DNS server you can just set up DNS records that point those domains to a bogus IP address. For the major messaging apps you would set up bogus DNS records for:

messenger.hotmail.com -> msn messenger
login.oscar.aol.com -> aol messenger
msg.edit.yahoo.com -> yahoo messenger

Then just create bogus dns entries for any websites you want to block.

This is what we do at our clients that have no other means of blocking.
0
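The DNS trick above, worked through as an added example (not code from the thread or from lukeca): a sinkhole resolver that answers the three messenger hostnames with a bogus address, generators for the matching dnsmasq and BIND configuration, and a scan of resolver query logs that tells you which clients are still trying to reach those names. The sinkhole address 192.0.2.1 (an RFC 5737 documentation address), the youtube.com entry and the dnsmasq-style log lines are assumptions, not from the page.

```python
"""Added example, not code from the thread: DNS sinkhole for the hostnames
messaging clients contact, config generators, and a query-log scan.

Assumptions not on the page: the sinkhole address 192.0.2.1 (RFC 5737),
the youtube.com entry, and the dnsmasq-style format of the sample log.
"""
import re
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"  # assumed bogus target (RFC 5737 TEST-NET-1)

# The three hostnames named in the comment, plus one web site (assumed)
# to show the same trick blocks sites as well as applications.
BLOCKED = {
    "messenger.hotmail.com": "MSN Messenger",
    "login.oscar.aol.com": "AOL Instant Messenger",
    "msg.edit.yahoo.com": "Yahoo Messenger",
    "youtube.com": "YouTube (assumed entry)",
}


def normalize(name: str) -> str:
    """Lower-case a name and drop the trailing dot of an absolute DNS name."""
    return name.strip().rstrip(".").lower()


def blocked_suffix(name: str, blocked=BLOCKED):
    """Return the blocklist entry that covers ``name``, or None.

    An entry covers itself and every name beneath it: www.youtube.com is
    caught by the youtube.com entry, but hotmail.com is NOT caught by the
    messenger.hotmail.com entry, so ordinary mail keeps working.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def resolve(name: str, upstream, blocked=BLOCKED) -> str:
    """Answer one A query: the sinkhole for blocked names, else ask upstream."""
    if blocked_suffix(name, blocked) is not None:
        return SINKHOLE_IP
    return upstream(normalize(name))


def dnsmasq_lines(blocked=BLOCKED, sinkhole_ip=SINKHOLE_IP):
    """dnsmasq ``address=/domain/ip`` lines; each also covers subdomains."""
    return [f"address=/{d}/{sinkhole_ip}" for d in sorted(blocked)]


def bind_zone(domain: str, sinkhole_ip=SINKHOLE_IP) -> str:
    """Minimal BIND zone answering the apex and any subdomain with the sinkhole."""
    return (
        "$TTL 3600\n"
        f"@  IN SOA ns.{domain}. hostmaster.{domain}. 1 3600 900 604800 3600\n"
        f"@  IN NS  ns.{domain}.\n"
        f"ns IN A   {sinkhole_ip}\n"
        f"@  IN A   {sinkhole_ip}\n"
        f"*  IN A   {sinkhole_ip}\n"
    )


# dnsmasq query-log format (assumed): "... query[A] <name> from <client>"
QUERY_LINE = re.compile(r"query\[A\] (?P<name>\S+) from (?P<client>\S+)")


def sinkhole_hits(log_lines, blocked=BLOCKED):
    """Map each client address to the blocked entries it looked up.

    Clients that keep asking for sinkholed names are the machines still
    running the application; that list is the follow-up for the helpdesk.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_LINE.search(line)
        if m is None:
            continue
        entry = blocked_suffix(m["name"], blocked)
        if entry is not None:
            hits[m["client"]].add(entry)
    return dict(hits)


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Nov 17 09:01:02 dnsmasq[123]: query[A] messenger.hotmail.com from 10.0.0.5",
    "Nov 17 09:01:05 dnsmasq[123]: query[A] www.example.org from 10.0.0.5",
    "Nov 17 09:02:10 dnsmasq[123]: query[A] www.youtube.com from 10.0.0.7",
    "Nov 17 09:02:10 dnsmasq[123]: reply www.youtube.com is 192.0.2.1",
]

if __name__ == "__main__":
    print("\n".join(dnsmasq_lines()))
    print(bind_zone("messenger.hotmail.com"))
    print(sinkhole_hits(SAMPLE_LOG))
```

The sinkhole only bites for clients that actually use the internal resolver; a client configured with an outside DNS server, or an application that carries its servers' IP addresses, walks straight past it. Pairing the sinkhole with an outbound rule on the PIX that permits UDP and TCP port 53 only from the internal resolver closes the first gap, and the query-log scan shows which machines are trying.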
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 17971548
This example from Cisco uses the advanced HTTP inspect features:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1642303

The following example shows how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface:

hostname(config)# class-map http-port
hostname(config-cmap)# match port tcp eq 80
hostname(config-cmap)# exit
hostname(config)# http-map inbound_http
hostname(config-http-map)# content-length min 100 max 2000 action reset log
hostname(config-http-map)# content-type-verification match-req-rsp reset log
hostname(config-http-map)# max-header-length request bytes 100 action log reset
hostname(config-http-map)# max-uri-length 100 action reset log
hostname(config-http-map)# exit
hostname(config)# policy-map inbound_policy
hostname(config-pmap)# class http-port
hostname(config-pmap-c)# inspect http inbound_http
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside

This example causes the security appliance to reset the connection and create a syslog entry when it detects any traffic that contains the following:

• Messages less than 100 bytes or exceeding 2000 bytes
• Unsupported content types <== you can define what types are supported
• HTTP headers exceeding 100 bytes
• URIs exceeding 100 bytes

Reference on content types: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/c.htm#wp1969931

0
 
LVL 4

Expert Comment

by:RonHoffmann
ID: 17975630
I use IPCop with a block-outgoing-traffic add-in as our main router.
By default the add-in blocks everything.
You then have to open up the holes you want, like ports 80, 21, 25, 110, 1723, etc.
It will run on any old machine you may have lying around, even a 486.
You can even limit access by IP or MAC.
I've been able to block all P2P applications.
MSN is a tough one to block because it defaults to port 80, which you need for web browsing.
It works great for me.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18107899
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?
Thanks!
0
 

Expert Comment

by:bbegin
ID: 20203828
Hi,

For what it's worth, we successfully block YouTube flash videos with this policy-map (inspect type) for our clients that need it:


regex _videoflash "video/flv"

policy-map type inspect http http-no-flash
 parameters
 match response header content-type regex _videoflash
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect http http-no-flash
0
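To make the two inspection fragments in this thread concrete, here is an added example (not code from the thread, from Cisco, or from the posters) that emulates the rules in lrmoore's http-map and bbegin's Content-Type regex policy in Python and runs them over constructed HTTP exchanges, so you can see which traffic each rule would reset or drop. One practical note for the asker: the `regex` and `policy-map type inspect http` syntax in bbegin's fragment arrived with release 7.2, so on 7.0(6) only the `http-map` form from the accepted answer is available. The set of "supported" content types, the body signatures used to check a declared type, the way request header size is measured, and the sample messages are all assumptions made for this example.

```python
"""Added example, not code from the thread or from Cisco: emulation of the
HTTP inspection rules (lrmoore's http-map and bbegin's Content-Type regex)
run over constructed messages. Supported types, body signatures, header
size measurement and the sample messages are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpMessage:
    start_line: str
    headers: dict          # header name (lower-cased) -> value
    body: bytes = b""
    header_bytes: int = 0  # size of everything before the blank line


def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP message into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body, len(head))


# Body signatures for a few types (assumed list): the declared type must
# match the first bytes of the body, like the appliance's body check.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


@dataclass
class InspectPolicy:
    """The knobs used in the thread's http-map, with its values as defaults."""
    content_length_min: int = 100
    content_length_max: int = 2000
    max_request_header_bytes: int = 100
    max_uri_bytes: int = 100
    verify_content_type: bool = True
    supported_types: frozenset = frozenset(
        {"text/html", "text/plain", "image/gif", "image/png", "image/jpeg"})
    # bbegin's rule: regex _videoflash "video/flv" on the response Content-Type
    response_type_regexes: tuple = (("_videoflash", re.compile(r"video/flv")),)


def accepts(accept_header: str, ctype: str) -> bool:
    """True if the request's Accept header admits the response media type."""
    major = ctype.split("/")[0]
    for item in accept_header.split(","):
        media = item.split(";")[0].strip().lower()
        if media in ("*/*", ctype, f"{major}/*"):
            return True
    return False


def inspect_http(policy, request, response):
    """Return (rule, action) pairs for every rule the exchange violates."""
    findings = []
    # content-length min/max: declared length of either message out of range
    for msg in (request, response):
        cl = msg.headers.get("content-length", "")
        if cl.isdigit() and not policy.content_length_min <= int(cl) <= policy.content_length_max:
            findings.append(("content-length", "reset log"))
            break
    # max-header-length request
    if request.header_bytes > policy.max_request_header_bytes:
        findings.append(("max-header-length request", "reset log"))
    # max-uri-length: the request-target in the start line
    parts = request.start_line.split()
    uri = parts[1] if len(parts) > 1 else ""
    if len(uri) > policy.max_uri_bytes:
        findings.append(("max-uri-length", "reset log"))
    # content-type-verification match-req-rsp
    raw_ctype = response.headers.get("content-type", "")
    ctype = raw_ctype.split(";")[0].strip().lower()
    if policy.verify_content_type and ctype:
        if ctype not in policy.supported_types:
            findings.append(("content-type-verification unsupported type", "reset log"))
        elif not accepts(request.headers.get("accept", "*/*"), ctype):
            findings.append(("content-type-verification match-req-rsp", "reset log"))
        elif ctype in MAGIC and not response.body.startswith(MAGIC[ctype]):
            findings.append(("content-type-verification body mismatch", "reset log"))
    # match response header content-type regex ... (the 7.2-style policy-map)
    for name, rx in policy.response_type_regexes:
        if rx.search(raw_ctype):
            findings.append((f"response content-type regex {name}", "drop-connection log"))
    return findings


# Constructed sample exchanges (not captured traffic).
REQ_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
RSP_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 512\r\n\r\n<html>...</html>"
RSP_FLASH = b"HTTP/1.1 200 OK\r\nContent-Type: video/flv\r\nContent-Length: 900000\r\n\r\nFLV\x01..."
REQ_LONG_URI = b"GET /" + b"a" * 150 + b" HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n"
REQ_IMG = b"GET /logo.gif HTTP/1.1\r\nAccept: image/*\r\n\r\n"
RSP_FAKE_GIF = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 300\r\n\r\n<html>not a gif</html>"


def check(raw_request: bytes, raw_response: bytes, policy=InspectPolicy()):
    """Parse both sides of an exchange and run the policy over them."""
    return inspect_http(policy, parse_http(raw_request), parse_http(raw_response))


if __name__ == "__main__":
    for label, req, rsp in [("ok", REQ_OK, RSP_OK), ("flash", REQ_OK, RSP_FLASH),
                            ("long uri", REQ_LONG_URI, RSP_OK), ("fake gif", REQ_IMG, RSP_FAKE_GIF)]:
        print(label, check(req, rsp) or "allowed")
```

The ordinary page passes clean, the Flash video response trips the regex rule and, because of its size and unsupported type, the http-map as well, and the overlong request trips both the header and URI limits. Before tightening limits like these in production, run them with `log` only for a while: a 100-byte header cap is well below what real browsers send, and the counts in the syslog tell you what the reset would have broken.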
