Solved

How to implement access lists based on host names on a Cisco PIX 515E

Posted on 2010-11-25
14
1,100 Views
Last Modified: 2012-06-27
We have a Cisco PIX 515E running 7.2(3). We block all traffic from the inside interface to the outside interface unless explicitly allowed by an access-list entry. We need to allow all Windows servers to access Microsoft's Windows Server Update Service (WSUS) servers. It seems somewhat impractical to do this by IP, as there are many IPs and they seem to be growing and changing. Is there any way that we can permit access over both port 80 and 443 to the following hostnames:

windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
download.windowsupdate.com
download.microsoft.com
*.download.windowsupdate.com
wustat.windows.com
ntservicepack.microsoft.com

We tried using URL filtering, but that does not seem to work for SSL connections. Microsoft's generic configuration instructions are here: http://technet.microsoft.com/en-us/library/cc708602(WS.10).aspx

Thanks.
0
14 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34214028
The pix can only block/permit by IP addresses and port numbers.

For more granular enforcement of outbound policy, you will need a 3rd party product that can work as a proxy server, or as a URL filter (like N2H2 or Websense).
0
 

Author Comment

by:partners1998
ID: 34214107
The PIX seems to support URL filtering (see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml) - but this did not work with SSL connections.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34214150
Yep, but (and I am NOT being sarcastic) how did you implement it?

Because this is what I read:

-snip-
You can filter connection requests that originate from a more secure network to a less secure network. Although you can use access control lists (ACLs) in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance with the use of a separate server that runs one of these Internet filtering products:

Websense Enterprise—filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.

Secure Computing SmartFilter, formerly known as N2H2—filters HTTP, HTTPS, FTP, and long URL filtering. It is supported by PIX firewall version 6.2 and later.
-snip-

And as you can see in the network diagram they are using a URL filtering server.

I am coming down with the flu, so perhaps I overlooked something. Do correct me if I'm wrong.
0
 

Author Comment

by:partners1998
ID: 34233406
Yes, sorry, that is not the Cisco URL I intended to include. The Cisco URL I meant to use is:

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/inspect.html#wp1479354

Specifically, I followed the instructions and examples in the "Configuring an HTTP Inspection Policy Map for Additional Inspection Control" section which does not use an external filter but uses a policy map.

There is another example here:

http://www.velocityreviews.com/forums/t537122-asa-http-inspection-and-url-filtering.html
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35188268
Hi, not sure if you haven't already fixed this but anyway.

Did you try using regular expressions?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
0
 

Author Comment

by:partners1998
ID: 35199118
Thanks for the input... we already tried regular expressions, but they do not work for SSL connections.
0
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35199310
Mm you're right about that

HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic because, in HTTPS, the content of packet is encrypted (ssl).
Etc.

So it looks like at the moment there's no easy way to do this with just a PIX. Have you thought about setting up a WSUS server so you narrow the problem down to one machine? Perhaps putting that machine in a DMZ so from the inside you only have to allow traffic to your own WSUS server?

Just brainstorming here.
0
 

Author Comment

by:partners1998
ID: 35199642
We actually use GFI Max, which uses the GFI Languard software to manage updates. It requires outbound connections to Microsoft's update servers. Unfortunately the solution for now seems to be just allowing all outbound 80 and 443 to the class C's where the update servers are located - blech.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35200183
Well you could use the regex for the http traffic. Then there's only the https left.
(asa little less blech :)
0
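An added configuration example (not from the thread, Cisco's documentation, or the asker's device) of the HTTP-only approach suggested here: an HTTP inspection policy map that drops port-80 connections whose Host header is not one of the update hostnames from the question. It assumes PIX/ASA 7.2 syntax, an interface named `inside`, and that the regex anchors `^` and `$` apply to the whole Host header value as documented.

```cisco
! Added example, not from the thread. Narrows outbound HTTP to the
! Windows Update hostnames by inspecting the Host header. HTTPS (443)
! cannot be handled this way: the Host header is inside the TLS session.
! Assumes PIX/ASA 7.2 syntax and an interface named "inside".

! One regex per allowed hostname (exact name) or wildcard (any subdomain).
regex WU_MS_EXACT   "^windowsupdate\.microsoft\.com$"
regex WU_MS_SUB     "\.windowsupdate\.microsoft\.com$"
regex WU_UPDATE_SUB "\.update\.microsoft\.com$"
regex WU_WU_SUB     "\.windowsupdate\.com$"
regex WU_DL_EXACT   "^download\.microsoft\.com$"
regex WU_WUSTAT     "^wustat\.windows\.com$"
regex WU_NTSP       "^ntservicepack\.microsoft\.com$"

class-map type regex match-any WU_HOSTS
 match regex WU_MS_EXACT
 match regex WU_MS_SUB
 match regex WU_UPDATE_SUB
 match regex WU_WU_SUB
 match regex WU_DL_EXACT
 match regex WU_WUSTAT
 match regex WU_NTSP

! Any HTTP request whose Host header is NOT in the allowed list.
class-map type inspect http match-all NOT_WU_HOST
 match not request header host regex class WU_HOSTS

! Drop and log those requests; requests to the listed hosts pass.
policy-map type inspect http WU_ONLY_HTTP
 parameters
 class NOT_WU_HOST
  drop-connection log

! Apply the inspection to port-80 traffic entering from the inside.
access-list WU_HTTP_TRAFFIC extended permit tcp any any eq www
class-map WU_HTTP_CLASS
 match access-list WU_HTTP_TRAFFIC
policy-map INSIDE_POLICY
 class WU_HTTP_CLASS
  inspect http WU_ONLY_HTTP
service-policy INSIDE_POLICY interface inside

! The interface ACL still has to let port 80 out; the inspection
! policy above is what restricts it to the update hosts.
access-list INSIDE_IN extended permit tcp any any eq www
```

An interface takes only one service policy, so if `inside` already has one, add `WU_HTTP_CLASS` to that existing policy map instead of creating `INSIDE_POLICY`.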
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35200201
Did I just say asa ?
0
 

Assisted Solution

by:partners1998
partners1998 earned 0 total points
ID: 35517971
Sorry, the reason is that what I requested is just not possible.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35683091
So the answer to your question is that it isn't possible (as in: 35199310).
Therefore the question has been answered, though it isn't the answer you would like to get.

I'd like to ask you to reconsider.
0
