[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 601
  • Last Modified:

bloking chat or website in pix

hi
can i block chat like yahoo chat or hotmail chat in pix 525?
can i block website like www.oil.com or any website i want in pix 525


thanks
0
nasemabdullaa
Asked:
nasemabdullaa
  • 2
  • 2
  • 2
  • +4
4 Solutions
 
KVR_SolutionsCommented:
I don't think that's possible within the Pix firewall.

Short term - The quickest way is to modify your dns internally to have a zone entry for 'oil.com' pointing the request to a private IP scheme.

Long term - You may want to look at some web blocking software.

Ira @ KVR
0
 
AdamRobinsonCommented:
Does the pix 525 not allow you to block the ports normally used?



0
 
nasemabdullaaAuthor Commented:
hi
thanks for your reply
>>>You may want to look at some web blocking software.
can you gave me some title for this program

>>>Does the pix 525 not allow you to block the ports normally used
how i can block ports

thanks
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
AdamRobinsonCommented:
Not familiar with the Pix 525 myself, I was just assuming it had to be possible to block ports/websites, else I can't see what good it's worth dynamically.  But see this link:

http://www.velocityreviews.com/forums/t34557-pix-howto-restricting-ports-used-for-pat.html
0
 
killbradCommented:
I don't think you can restrict a domain name in the PIX, Only IP Addresses..
For content filtering, use Squid Proxy w/ DansGuardian:

http://www.squid-cache.org/
http://dansguardian.org/
0
 
nasemabdullaaAuthor Commented:
hi
thanks for your reply
i want web filter for windows server 2003

thanks
0
 
rpone605Commented:
it is possible to block ports in the pix with access lists
0
 
drawlinCommented:
The PIX will block outgoing just as it will incomming traffic.  By default, most people only create an access-list for inbound traffic and all outbound is allowed.  You can create an access-list for outbound traffic, but be warned that you must make an entry for every allowed outgoing connection type.  Meaning, once you make the outbound access-list, you must make entries for http, https, ftp, smtp, pop, etc......  If your boss uses some program that talks on UDP port 5342, then you have to make an entry for that as well.  

In other words, it's possible but also labor intensive.  However, once you have the access-list created based on your company policy, you will be much more secure than you were not having an outbound access-list.  One huge payoff to having this access-list is that if a client gets some malware that talks on IRC or some higher port, it gets blocked.

As far as blocking a website, you can nslookup www.oil.com (195.149.84.100) to get the IP, then make an:
access-list inbound deny ip 195.149.84.100 any entry in the PIX.

So it's possible, but you may not want to spend the time required to make all the access-list rules and may opt for something with a content filtering subscription.
0
 
killbradCommented:
It is important to remember that millions of websites are multi-homed (which means many servers, using several dfferent ip addresses are load balanced), and that websites can (and do often) change their ip addresses.  This is quite a task to keep up once you get more than a couple sites setup in the PIX using IP addresses.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 2
  • 2
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now