partners1998
asked on
How to implement access lists based on host names on a Cisco PIX 515E
We have a Cisco PIX 515E running 7.2(3). We block all traffic from the inside interface to the outside interface unless explicitly allowed by an access-list entry. We need to allow all Windows servers to access Microsoft's Windows Server Update Service (WSUS) servers. It seems somewhat impractical to do this by IP, as there are many IPs and they seem to be growing and changing. Is there any way that we can permit access over both port 80 and 443 to the following hostnames:
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
download.windowsupdate.com
download.microsoft.com
*.download.windowsupdate.com
wustat.windows.com
ntservicepack.microsoft.com
We tried using URL filtering, but that does not seem to work for SSL connections. Microsoft's generic configuration instructions are here: http://technet.microsoft.com/en-us/library/cc708602(WS.10).aspx
Thanks.
ASKER
The PIX seems to support URL filtering (see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml) - but this did not work with SSL connections.
Yep, but (and I am NOT being sarcastic) how did you implement it?
Because this is what I read:
-snip-
You can filter connection requests that originate from a more secure network to a less secure network. Although you can use access control lists (ACLs) in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance with the use of a separate server that runs one of these Internet filtering products:
Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.
Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.
-snip-
And as you can see in the network diagram they are using a URL filtering server.
I am coming down with the flu, so perhaps I overlooked something. Do correct me if I'm wrong.
ASKER
Yes, sorry, that is not the Cisco URL I intended to include. The Cisco URL I meant to use is:
http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/inspect.html#wp1479354
Specifically, I followed the instructions and examples in the "Configuring an HTTP Inspection Policy Map for Additional Inspection Control" section which does not use an external filter but uses a policy map.
There is another example here:
http://www.velocityreviews.com/forums/t537122-asa-http-inspection-and-url-filtering.html
Hi, not sure if you haven't already fixed this but anyway.
Did you try using regular expressions?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
ASKER
Thanks for the input... we already tried regular expressions, but they do not work for SSL connections.
ASKER
We actually use GFI Max, which uses the GFI Languard software to manage updates. It requires outbound connections to Microsoft's update servers. Unfortunately the solution for now seems to be just allowing all outbound 80 and 443 to the class C's where the update servers are located - blech.
Well you could use the regex for the http traffic. Then there's only the https left.
(asa little less blech :)
Did I just say asa ?
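One way to put that split (regex-enforced Host header for port 80, destination addresses for port 443) into a PIX/ASA 7.2-style configuration, as an added example that is not from this thread or from Cisco's documentation. The object and class names, the 10.0.0.0/24 server subnet and the 192.0.2.0/24 update-server range are placeholders, and the regexes consolidate Microsoft's host list by domain suffix.

```cisco
! Suffix regexes covering Microsoft's list: "update\.microsoft\.com$" also
! matches windowsupdate.microsoft.com and *.windowsupdate.microsoft.com.
regex WSUS_UPDATE_MS "update\.microsoft\.com$"
regex WSUS_WU_COM    "windowsupdate\.com$"
regex WSUS_DL_MS     "^download\.microsoft\.com$"
regex WSUS_WUSTAT    "^wustat\.windows\.com$"
regex WSUS_NTSP      "^ntservicepack\.microsoft\.com$"
!
class-map type regex match-any WSUS_HOSTS
 match regex WSUS_UPDATE_MS
 match regex WSUS_WU_COM
 match regex WSUS_DL_MS
 match regex WSUS_WUSTAT
 match regex WSUS_NTSP
!
! Matches every HTTP request whose Host header is NOT on the list. A request
! with no Host header also lands here, so the policy fails closed.
class-map type inspect http match-all NOT_WSUS_HTTP
 match not request header host regex class WSUS_HOSTS
!
policy-map type inspect http WSUS_ONLY_HTTP
 parameters
  protocol-violation action drop-connection log
 class NOT_WSUS_HTTP
  drop-connection log
!
! Placeholder subnet for the Windows servers that need updates.
object-group network WINDOWS_SERVERS
 network-object 10.0.0.0 255.255.255.0
!
! Apply the HTTP inspection only to the servers' outbound port 80 traffic.
access-list WSUS_HTTP_TRAFFIC extended permit tcp object-group WINDOWS_SERVERS any eq 80
class-map WSUS_HTTP_CLASS
 match access-list WSUS_HTTP_TRAFFIC
policy-map inside_policy
 class WSUS_HTTP_CLASS
  inspect http WSUS_ONLY_HTTP
service-policy inside_policy interface inside
!
! The inspection cannot look inside a TLS session, so port 443 still has to be
! permitted by destination address; this object-group is the one thing to maintain.
! Placeholder range, not a real Microsoft address block.
object-group network WSUS_HTTPS_SERVERS
 network-object 192.0.2.0 255.255.255.0
!
access-list inside_access_in extended permit tcp object-group WINDOWS_SERVERS any eq 80
access-list inside_access_in extended permit tcp object-group WINDOWS_SERVERS object-group WSUS_HTTPS_SERVERS eq 443
access-group inside_access_in in interface inside
```

Port 80 is opened to any destination only because the inspection policy drops the connection at the first request for a non-listed Host, which is what makes the permit-by-name possible for cleartext HTTP and not for HTTPS.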
So the answer to your question is that it isn't possible (as in: 35199310).
Therefore the question has been answered, though it isn't the answer you would like to get.
I'd like to ask you to reconsider.
For more granular enforcement of outbound policy, you will need a 3rd party product that can work as a proxy server, or as a URL filter (like N2H2 or Websense).