Eprs_Admin
asked on
block https websites
Hi Experts,
In our company I have a Cisco ASA firewall with the CSC module.
I can block https sites, like Facebook.
But I am not able to block https sites, and this is a lack of security.
How to block https sites, like Facebook?
http://www.mahalo.com/how-to-block-facebook/
The aforementioned solutions only work with http, even when using regular expressions in the ASA. https is not supported. As per Cisco: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL).
What you can try is to just blackhole these sites in your internal corp DNS. Resolve them to 127.0.0.1
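The DNS blackhole suggested in the reply above, as an added example that is not part of the original thread: a BIND 9 response-policy zone that answers the blocked names with 127.0.0.1. BIND, the zone name `rpz.corp.example` and the file name are assumptions; the thread does not say which DNS server is in use.

```dns
; Constructed example: BIND 9 response-policy zone (RPZ) file.
; The zone name "rpz.corp.example" and the file name are assumptions.
;
; named.conf on the internal resolver would reference it like this:
;   options { response-policy { zone "rpz.corp.example"; }; };
;   zone "rpz.corp.example" { type master; file "db.rpz.corp.example"; };

$TTL 300
@   IN SOA localhost. hostmaster.localhost. (
        2024010101 ; serial (constructed)
        3600       ; refresh
        600        ; retry
        86400      ; expire
        300 )      ; negative-cache TTL
    IN NS  localhost.

; Owner names are relative to the RPZ zone, so they carry no trailing dot.
; The apex and the wildcard are separate triggers: "*.facebook.com"
; does not cover "facebook.com" itself, so both entries are needed.
facebook.com      IN A 127.0.0.1
*.facebook.com    IN A 127.0.0.1
```

This only affects clients that resolve through the internal DNS server; a client that uses another resolver or connects by IP address is not affected.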
Hi,
If you deny the destination port of TCP/443 you are able to block all the https sites on the inside leg of the ASA!
Best regards,
Istvan
ASKER
Hi PeteLong:
I have done this in the csc module.
I entered https://www.facebook.com to block.
And I entered the ip of facebook to block.
But nothing helped; when you go to facebook over https, it is working.
Maybe the module is not working correctly.
Do you have another solution ?
ASKER
I don't want to block all https ports.
I just want to block some websites with https.
OK, in this case you need two ways:
1. regex on the config
2. use CSC
or buy a third-party device which handles the http and https traffic control, like Websense!
Best regards,
Istvan
@ikalmar: you should know this, we had an issue like this before :)
Using regex (and CSC for that matter), you can only block http NOT https, like I posted earlier.
Sorry about that.
ASKER
OK, what kind of other possibilities do I have?
Well, the rude way is to just block port 443 but I think you don't want that.
So another option is to deploy a proxy like ISA, Forefront or have a look at something like Websense.
ASKER
With my CSC module, is it not possible?