eggster34

limiting # of smtp connections from inside to outside hosts for a specific internal host. PIX 515E.

Hi
I have a rather delicate situation that I need advice on.
A person in our network is sending out excessive amounts of email through a single account (by establishing SMTP connections with our ISP's SMTP server). This is like 5000 emails in 8 hours!
We have a network switch, and then a PIX 515E and a Cisco 1721 router with a T-1 connection to the ISP. As you'd appreciate, the T-1 is being utilized by this person only. We have tried warning her but we can't do much because she's the wife of our chairman. We know what her internal IP is, but all internal IPs are NATted to an external IP at our PIX, so we need to find a way to limit her bandwidth or the number of SMTP connections she can make at the PIX level. Any ideas? Thanks.
IPKON_Networks

Do you use an internal email server to send/receive emails or does everyone connect directly to the ISP? If you have an internal email server, I would set up a specific rule to only allow SMTP traffic to/from the email server IP address. You may find that she is unaware of the emails (maybe/maybe not) and her PC is being used for mail relay by a spam virus?

The PIX is the place to place this rule.

Hope this helps
Barny
ASKER CERTIFIED SOLUTION
Cyclops3590

but I would check to see if she has a worm like IPKON has stated
If you are on an earlier version than 7.x then this can still be done but you would need to set an outbound access-list following the guidelines mentioned by IPKON.

access-list outbound permit tcp host internal_ip_of_mailserver any eq 25
access-list outbound deny tcp any any eq 25
access-list outbound permit ip any any   (or whatever rules you allow for outbound traffic)
access-group outbound in interface inside
Keith, but that completely bans that one client. Granted, I agree with you and IPKON that this is the way it should be done (and the way I do it as well), but eggster34 stated in the Q:

>>We have tried warning her but we can't do much because she's the wife of our chairman
>>so we need to find a way to limit her bandwidth or number of smtp connections she can make at the pix level

Of course, unless you know of something, I don't know of a way to do it on pre-7.x PIX OSes since QoS wasn't included until 7.x (dummy QoS anyway).
Fair point.

However, I would 'suggest' that, using your company's IT Security Policy (make it up if you have to), the user is advised that the traffic should be passed through the internal mail server to the outside rather than directly; this would be an acceptable condition. If there is a rogue mailer of any form then it will still try to go via the default gateway and be blocked by the PIX. The access-list will show thousands of hits on the deny line, identifying an issue that can be dealt with without having to be unpleasant in any way.

If it is the user knowingly sending this number of mails then the Exchange/mail server records/logs will show it also.
To append to Keith's policy idea as well about blocking port 25 at the PIX: if you haven't already done so, set up a syslog server for the PIX to log to. Although you can set up buffered logging on the PIX, it only holds so much. This way the ACL counters may show thousands of hits, but the syslog server will actually be able to tell you which of your clients is causing the problem. I assume you already have something like this since you say you were able to track down the offender, but since you didn't state how you did, I figured I'd throw this out there.

One thing to help in the fight to get this security policy past mgmt too is the fact that by allowing this behavior the likelihood of your IP being blacklisted goes up exponentially.  And if this happens then email from your mail server might get blocked as well causing a very large business operational problem.  Especially since it can take a while to get off of some blacklists.
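As an added illustration of the syslog point above (not code from anyone in this thread): once the PIX logs ACL denies to a syslog host, a few lines of Python can count denied TCP/25 attempts per internal source so the offending client stands out. The log lines are constructed here in the shape of PIX message 106023 (ACL deny) and the "outbound" ACL name is the one used earlier in the thread; the addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of PIX message 106023 (ACL deny).
# One 302013 connection-built line is included to show non-deny messages are skipped.
SAMPLE_LOG = """\
Jan 10 09:01:02 pix %PIX-4-106023: Deny tcp src inside:192.168.1.50/1025 dst outside:203.0.113.25/25 by access-group "outbound"
Jan 10 09:01:03 pix %PIX-4-106023: Deny tcp src inside:192.168.1.50/1026 dst outside:203.0.113.25/25 by access-group "outbound"
Jan 10 09:01:05 pix %PIX-4-106023: Deny tcp src inside:192.168.1.77/3301 dst outside:203.0.113.25/25 by access-group "outbound"
Jan 10 09:01:06 pix %PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.1.10/4455 (198.51.100.2/4455)
Jan 10 09:01:07 pix %PIX-4-106023: Deny tcp src inside:192.168.1.50/1027 dst outside:203.0.113.25/25 by access-group "outbound"
Jan 10 09:01:09 pix %PIX-4-106023: Deny tcp src inside:192.168.1.50/1028 dst outside:203.0.113.80/80 by access-group "outbound"
"""

# Fields of a 106023 deny: protocol, source iface:ip/port, dest iface:ip/port, ACL name.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def count_smtp_denies(log_text, acl="outbound", port=25):
    """Return {source_ip: denied_count} for TCP denies to the given port by the named ACL."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL deny (e.g. 302013 connection built)
        if m["proto"] != "tcp" or int(m["dport"]) != port or m["acl"] != acl:
            continue  # other protocol, other port (port 80 above), or other ACL
        counts[m["src"]] += 1
    return dict(counts)


def top_talkers(log_text, threshold=2):
    """Sources whose denied SMTP attempts reach the threshold, busiest first."""
    counts = count_smtp_denies(log_text)
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return [(ip, n) for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    for ip, n in top_talkers(SAMPLE_LOG):
        print(f"{ip}: {n} denied SMTP connection attempts")
```

With the sample above, 192.168.1.50 shows three denied SMTP attempts (its port-80 deny is excluded) and 192.168.1.77 one, so only the first passes the threshold.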
eggster34

ASKER

She doesn't have a worm, and she's using the ISP's mail server only to send legitimate emails to thousands of people (via an opt-in mailing list), which crashes our connection. I have IOS 6.3.

Three options then that spring to mind.

1. Get her an ADSL connection so she can do this separately from the network.
2. Point her at the internal mail server so that it queues the traffic and handles it under control rather than the mail server trying to compete with her.
3. Upgrade your connection bandwidth, if it's legitimate mail traffic.
Personally I'd go for option number two of Keith's. This way you can control it better and worry a little less about getting yourself on a blacklist. ISPs like AOL and Earthlink are especially cracking down on this stuff.

But honestly, going back to an earlier post of Keith's just to refresh the memory, get a network usage/security policy in place so that at least you have something backing up your actions instead of people thinking you're just doing stuff on a whim.
hehehe, if the CEO knows his wife's actions may cause his company to lose business/revenue due to being blacklisted, he may sort it out himself of course!! :)