Solved

bloking chat or website in pix

Posted on 2006-11-22
10
592 Views
Last Modified: 2013-11-16
hi
can i block chat like yahoo chat or hotmail chat in pix 525?
can i block website like www.oil.com or any website i want in pix 525


thanks
0
Comment
Question by:nasemabdullaa
  • 2
  • 2
  • 2
  • +4
10 Comments
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17995932
I don't think that's possible within the Pix firewall.

Short term - The quickest way is to modify your dns internally to have a zone entry for 'oil.com' pointing the request to a private IP scheme.

Long term - You may want to look at some web blocking software.

Ira @ KVR
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17995991
Does the pix 525 not allow you to block the ports normally used?



0
 

Author Comment

by:nasemabdullaa
ID: 17996050
hi
thanks for your reply
>>>You may want to look at some web blocking software.
can you gave me some title for this program

>>>Does the pix 525 not allow you to block the ports normally used
how i can block ports

thanks
0
 
LVL 16

Assisted Solution

by:AdamRobinson
AdamRobinson earned 25 total points
ID: 17996202
Not familiar with the Pix 525 myself, I was just assuming it had to be possible to block ports/websites, else I can't see what good it's worth dynamically.  But see this link:

http://www.velocityreviews.com/forums/t34557-pix-howto-restricting-ports-used-for-pat.html
0
 
LVL 7

Assisted Solution

by:killbrad
killbrad earned 25 total points
ID: 17996208
I don't think you can restrict a domain name in the PIX, Only IP Addresses..
For content filtering, use Squid Proxy w/ DansGuardian:

http://www.squid-cache.org/
http://dansguardian.org/
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:nasemabdullaa
ID: 17996314
hi
thanks for your reply
i want web filter for windows server 2003

thanks
0
 
LVL 1

Expert Comment

by:rpone605
ID: 17996713
it is possible to block ports in the pix with access lists
0
 
LVL 8

Assisted Solution

by:caddlady
caddlady earned 50 total points
ID: 18000224
0
 
LVL 5

Accepted Solution

by:
drawlin earned 150 total points
ID: 18000799
The PIX will block outgoing just as it will incomming traffic.  By default, most people only create an access-list for inbound traffic and all outbound is allowed.  You can create an access-list for outbound traffic, but be warned that you must make an entry for every allowed outgoing connection type.  Meaning, once you make the outbound access-list, you must make entries for http, https, ftp, smtp, pop, etc......  If your boss uses some program that talks on UDP port 5342, then you have to make an entry for that as well.  

In other words, it's possible but also labor intensive.  However, once you have the access-list created based on your company policy, you will be much more secure than you were not having an outbound access-list.  One huge payoff to having this access-list is that if a client gets some malware that talks on IRC or some higher port, it gets blocked.

As far as blocking a website, you can nslookup www.oil.com (195.149.84.100) to get the IP, then make an:
access-list inbound deny ip 195.149.84.100 any entry in the PIX.

So it's possible, but you may not want to spend the time required to make all the access-list rules and may opt for something with a content filtering subscription.
0
 
LVL 7

Expert Comment

by:killbrad
ID: 18014770
It is important to remember that millions of websites are multi-homed (which means many servers, using several dfferent ip addresses are load balanced), and that websites can (and do often) change their ip addresses.  This is quite a task to keep up once you get more than a couple sites setup in the PIX using IP addresses.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Guest VLAN not syncing email 13 21
Use of Training Budget 12 69
cisco 2911 8 24
Read-only SNMP string example ? 7 34
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now