
How to implement access lists based on host names on a Cisco PIX 515E

We have a Cisco PIX 515E running 7.2(3). We block all traffic from the inside interface to the outside interface unless explicitly allowed by an access-list entry. We need to allow all Windows servers to access Microsoft's Windows Server Update Service (WSUS) servers. It seems somewhat impractical to do this by IP, as there are many IPs and they seem to be growing and changing. Is there any way that we can permit access over both port 80 and 443 to the following hostnames:

windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
download.windowsupdate.com
download.microsoft.com
*.download.windowsupdate.com
wustat.windows.com
ntservicepack.microsoft.com

We tried using URL filtering, but that does not seem to work for SSL connections. Microsoft's generic configuration instructions are here: http://technet.microsoft.com/en-us/library/cc708602(WS.10).aspx

Thanks.
Asked by: partners1998
2 Solutions
 
Ernie Beek (Expert) commented:
The PIX can only block/permit by IP addresses and port numbers.

For more granular enforcement of outbound policy, you will need a 3rd party product that can work as a proxy server, or as a URL filter (like N2H2 or Websense).
 
partners1998 (Author) commented:
The PIX seems to support URL filtering (see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml) - but this did not work with SSL connections.
 
Ernie Beek (Expert) commented:
Yep, but (and I am NOT being sarcastic) how did you implement it?

Because this is what I read:

-snip-
You can filter connection requests that originate from a more secure network to a less secure network. Although you can use access control lists (ACLs) in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance with the use of a separate server that runs one of these Internet filtering products:

Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.

Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.
-snip-

And as you can see in the network diagram they are using a URL filtering server.

I am coming down with the flu, so perhaps I overlooked something. Do correct me if I'm wrong.
 
partners1998 (Author) commented:
Yes, sorry, that is not the Cisco URL I intended to include. The Cisco URL I meant to use is:

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/inspect.html#wp1479354

Specifically, I followed the instructions and examples in the "Configuring an HTTP Inspection Policy Map for Additional Inspection Control" section which does not use an external filter but uses a policy map.

There is another example here:

http://www.velocityreviews.com/forums/t537122-asa-http-inspection-and-url-filtering.html
 
Ernie Beek (Expert) commented:
Hi, not sure if you haven't already fixed this, but anyway.

Did you try using regular expressions?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
 
partners1998 (Author) commented:
Thanks for the input... we already tried regular expressions, but they do not work for SSL connections.
 
Ernie Beek (Expert) commented:
Mm, you're right about that.

HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expressions for HTTPS traffic because, in HTTPS, the content of the packet is encrypted (SSL).
Etc.

So it looks like at the moment there's no easy way to do this with just a PIX. Have you thought about setting up a WSUS server so you narrow the problem down to one machine? Perhaps putting that machine in a DMZ so from the inside you only have to allow traffic to your own WSUS server?

Just brainstorming here.
 
partners1998 (Author) commented:
We actually use GFI Max, which uses the GFI Languard software to manage updates. It requires outbound connections to Microsoft's update servers. Unfortunately the solution for now seems to be just allowing all outbound 80 and 443 to the class C's where the update servers are located - blech.
 
Ernie Beek (Expert) commented:
Well you could use the regex for the http traffic. Then there's only the https left.
(asa little less blech :)
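As an added example (not from this thread or from Cisco's documentation), this is what the "regex for the HTTP traffic" suggestion amounts to in PIX/ASA 7.2 syntax: the ACL opens TCP 80 and 443 outbound, and an HTTP inspection policy map drops and logs any port-80 connection whose Host header is not one of the Windows Update hostnames from the question. The object names, the 192.168.1.0/24 inside subnet and the `inside` interface name are assumptions; port 443 is left out of the inspection because the hostname travels inside the encrypted session.

```cisco
! Constructed example in PIX/ASA 7.2 syntax; object names and the inside subnet are assumed.
! 1. The ACL still has to open the ports; inspection can only narrow what the ACL permits.
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-group inside_out in interface inside
!
! 2. One regex per hostname pattern from the question (dots escaped, anchored).
!    A pattern starting with \. covers the *. entries; ^ pins the bare names.
regex WU_MS_BARE     "^windowsupdate\.microsoft\.com$"
regex WU_MS_SUB      "\.windowsupdate\.microsoft\.com$"
regex WU_UPDATE_SUB  "\.update\.microsoft\.com$"
regex WU_COM_SUB     "\.windowsupdate\.com$"
regex WU_DL_MS       "^download\.microsoft\.com$"
regex WU_WUSTAT      "^wustat\.windows\.com$"
regex WU_NTSP        "^ntservicepack\.microsoft\.com$"
!
class-map type regex match-any WU_HOSTS
 match regex WU_MS_BARE
 match regex WU_MS_SUB
 match regex WU_UPDATE_SUB
 match regex WU_COM_SUB
 match regex WU_DL_MS
 match regex WU_WUSTAT
 match regex WU_NTSP
!
! 3. Any HTTP request whose Host header is NOT an update host is dropped and logged.
class-map type inspect http match-all NOT_WU_HOST
 match not request header host regex class WU_HOSTS
!
policy-map type inspect http WU_HTTP_ONLY
 class NOT_WU_HOST
  drop-connection log
!
! 4. Apply the inspection to outbound port-80 traffic entering the inside interface.
!    Port 443 is deliberately absent: the Host header sits inside the TLS session,
!    so the PIX can only permit or deny HTTPS by IP address (the ACL above).
class-map WU_HTTP_TRAFFIC
 match port tcp eq 80
!
policy-map inside_policy
 class WU_HTTP_TRAFFIC
  inspect http WU_HTTP_ONLY
!
service-policy inside_policy interface inside
```

The match is made on the client-supplied Host header, so it narrows what the ACL already permits rather than authenticating the destination; the IP-based ACL remains the real enforcement boundary, which is why the thread ends up at allowing the update servers' address ranges.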
 
Ernie Beek (Expert) commented:
Did I just say asa?
 
partners1998 (Author) commented:
Sorry, the reason is that what I requested is just not possible.
 
Ernie Beek (Expert) commented:
So the answer to your question is that it isn't possible (as in: 35199310).
Therefore the question has been answered, though it isn't the answer you would like to get.

I'd like to ask you to reconsider.