Solved

How to implement access lists based on host names on a Cisco PIX 515E

Posted on 2010-11-25
Last Modified: 2012-06-27
We have a Cisco PIX 515E running 7.2(3). We block all traffic from the inside interface to the outside interface unless explicitly allowed by an access-list entry. We need to allow all Windows servers to access Microsoft's Windows Server Update Service (WSUS) servers. It seems somewhat impractical to do this by IP, as there are many IPs and they seem to be growing and changing. Is there any way that we can permit access over both port 80 and 443 to the following hostnames:

windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
download.windowsupdate.com
download.microsoft.com
*.download.windowsupdate.com
wustat.windows.com
ntservicepack.microsoft.com

We tried using URL filtering, but that does not seem to work for SSL connections. Microsoft's generic configuration instructions are here: http://technet.microsoft.com/en-us/library/cc708602(WS.10).aspx

Thanks.
Question by:partners1998
14 Comments
 

Expert Comment

by:Ernie Beek
ID: 34214028
The PIX can only block/permit by IP addresses and port numbers.

For more granular enforcement of outbound policy, you will need a 3rd party product that can work as a proxy server, or as a URL filter (like N2H2 or Websense).
 

Author Comment

by:partners1998
ID: 34214107
The PIX seems to support URL filtering (see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml) - but this did not work with SSL connections.

Expert Comment

by:Ernie Beek
ID: 34214150
Yep, but (and I am NOT being sarcastic) how did you implement it?

Because this is what I read:

-snip-
You can filter connection requests that originate from a more secure network to a less secure network. Although you can use access control lists (ACLs) in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance with the use of a separate server that runs one of these Internet filtering products:

Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.

Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.
-snip-

And as you can see in the network diagram they are using a URL filtering server.

I am coming down with the flu, so perhaps I overlooked something. Do correct me if I'm wrong.
 

Author Comment

by:partners1998
ID: 34233406
Yes, sorry, that is not the Cisco URL I intended to include. The Cisco URL I meant to use is:

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/inspect.html#wp1479354

Specifically, I followed the instructions and examples in the "Configuring an HTTP Inspection Policy Map for Additional Inspection Control" section which does not use an external filter but uses a policy map.

There is another example here:

http://www.velocityreviews.com/forums/t537122-asa-http-inspection-and-url-filtering.html
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35188268
Hi, not sure if you haven't already fixed this, but anyway.

Did you try using regular expressions?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
 

Author Comment

by:partners1998
ID: 35199118
Thanks for the input... we already tried regular expressions, but they do not work for SSL connections.

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 35199310
Mm you're right about that

HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic because, in HTTPS, the content of packet is encrypted (ssl).
Etc.

So it looks like at the moment there's no easy way to do this with just a PIX. Have you thought about setting up a WSUS server so you narrow the problem down to one machine? Perhaps putting that machine in a DMZ so from the inside you only have to allow traffic to your own WSUS server?

Just brainstorming here.
 

Author Comment

by:partners1998
ID: 35199642
We actually use GFI Max, which uses the GFI Languard software to manage updates. It requires outbound connections to Microsoft's update servers. Unfortunately the solution for now seems to be just allowing all outbound 80 and 443 to the class C's where the update servers are located - blech.

Expert Comment

by:Ernie Beek
ID: 35200183
Well you could use the regex for the http traffic. Then there's only the https left.
(asa little less blech :)
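To make the split approach concrete, here is an added example configuration that is not part of the thread and not Cisco's or the asker's own config. It follows what the accepted solution (35199310) and the regex suggestion above add up to on a PIX/ASA 7.2 image: port 80 is opened to any destination but an HTTP inspection policy drops requests whose Host header does not match a regex built from the hostnames in the question, while port 443 stays an ordinary IP-based ACL because the TLS payload cannot be inspected. The interface name "inside", all object and policy names, and the 192.0.2.0/24 and 198.51.100.0/24 networks standing in for the Microsoft update ranges are assumptions; replace the networks with the actual ranges.

```cisco
! Added example, not from the thread. Assumes nameif "inside" on the
! inside interface; object/policy names and the two networks under
! WSUS-HTTPS-NETS are placeholders.

! --- HTTP (tcp/80): match the Host header against the hostnames asked for ---
! ASA regexes are unanchored substring matches, so "windowsupdate\.com"
! also covers download.windowsupdate.com and *.download.windowsupdate.com,
! and "update\.microsoft\.com" covers the *.update.microsoft.com entries.
regex WSUS-H1 "windowsupdate\.microsoft\.com"
regex WSUS-H2 "update\.microsoft\.com"
regex WSUS-H3 "windowsupdate\.com"
regex WSUS-H4 "download\.microsoft\.com"
regex WSUS-H5 "wustat\.windows\.com"
regex WSUS-H6 "ntservicepack\.microsoft\.com"

class-map type regex match-any WSUS-HOSTNAMES
 match regex WSUS-H1
 match regex WSUS-H2
 match regex WSUS-H3
 match regex WSUS-H4
 match regex WSUS-H5
 match regex WSUS-H6

! Requests whose Host header matches none of the names above
class-map type inspect http match-all HTTP-NOT-WSUS
 match not request header host regex class WSUS-HOSTNAMES

policy-map type inspect http WSUS-HTTP-POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP-NOT-WSUS
  drop-connection log

! --- Outbound ACL: tcp/80 to anywhere (the inspection policy filters it),
! --- tcp/443 only to the update-server ranges, everything else denied ---
object-group network WSUS-HTTPS-NETS
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit tcp any object-group WSUS-HTTPS-NETS eq https
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside

! --- Attach the HTTP inspection to tcp/80 traffic on the inside interface ---
class-map WSUS-HTTP-TRAFFIC
 match port tcp eq www

policy-map INSIDE-POLICY
 class WSUS-HTTP-TRAFFIC
  inspect http WSUS-HTTP-POLICY

service-policy INSIDE-POLICY interface inside
```

Two caveats a practitioner should keep in mind. First, the Host header is supplied by the client, so this filter constrains cooperative software such as the update agent but not a deliberately misbehaving host on the inside, which can put any of these names in its Host header and reach any address on port 80; treat it as a policy control, not a security boundary. Second, because the regexes are substring matches, a name like windowsupdate.com.example would also pass; without inspection of the TLS payload the HTTPS leg still depends on maintaining the destination address list, which is exactly the part the thread concludes cannot be avoided on this platform.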

Expert Comment

by:Ernie Beek
ID: 35200201
Did I just say asa ?
 

Assisted Solution

by:partners1998 (earned 0 total points)
ID: 35517971
Sorry, the reason is that what I requested is just not possible.

Expert Comment

by:Ernie Beek
ID: 35683091
So the answer to your question is that it isn't possible (as in: 35199310).
Therefore the question has been answered, though it isn't the answer you would like to get.

I'd like to ask you to reconsider.