How to block all websites except for a few using Cisco ASA

Due to PCI compliance, I am not segmenting my point of sale computers onto their own LAN and must block all internet traffic except the traffic that is needed by the card holder data network. I have blocked all access except for a couple of specific IP's that are needed. My last concern is how do I allow windows updates and AV updates to occur? I am either going to use Norton 360 or Microsoft Security Essentials. Allowing the windows updates has proven quite difficult.

Thanks,

Justin
JustinGSEIWI asked:
gavving commented:
The path the lrmoore indicated could possibly work.  The downside of it is that you have to resolve all of the sites that are going to be accessed back to IP numbers and explicitly allow those IP numbers.  Many websites use load balancing techniques which can cause the IP numbers of the websites to change, thus breaking the solution.  

Another alternative is to setup URL filtering on the ASA using this solution:
https://supportforums.cisco.com/docs/DOC-1268
(I believe this feature requires code 8.2 or higher)

But you would still need to establish all of the URLs accessed by the systems that you want to allow.  I would load the Fiddler program I mentioned above to collect that information.
gavving commented:
Is it possible for you to configure these machines to be managed and updated via WSUS server?  That server would then be the only system that would need to download the windows updates, and all workstations would get their updates from that server.

Also look into a program called "Fiddler" (www.fiddler2.com). It's great for trying to determine what is actually being accessed so that you can permit the traffic.
lrmoore commented:
I've been successful with an IOS router with this solution, never tried on ASA but the concept should work. Actually, I just tested and it works with ASA.
Set up a filter and filter server. Select WebSense and put in a bogus IP address.
Set up the filter to *not* filter specific web sites (use nslookup to get the IP address(es) of the websites), but filter all others.
Create no-filter rules for each web site/IP address you want to allow, check box to allow if server is unavailable
Set another rule to filter any any and un-check allow if server is unavailable
Since the filter server is a bogus address, it is never available and all "filtered" traffic is blocked, but all non-filtered traffic should be allowed.
JustinGSEIWI (author) commented:
gavving,

I cannot use WSUS. I have a WSUS server but it is on another LAN and the LAN my POS systems are on is segmented. The two LANs are not allowed to communicate with each other.

lrmoore,

I am not sure what you mean. I still don't know what to do.

Below are the PCI compliance statements that I am following to do this. I don't think I am reading these out of context but let me know if you think otherwise.

"

1.2
Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.2.1
(a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment, and are the restrictions documented?
(b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
1.2.3
Are perimeter firewalls installed between any wireless networks and the cardholder data environment, and are these firewalls configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment?
1.3
Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment, as follows:
1.3.3
Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
1.3.5
Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?

"
JustinGSEIWI (author) commented:
I talked with Cisco and the link you posted won't work for me because I need to allow some https traffic. In either case, I am still stuck trying to figure out the best way to allow windows updates and AV updates while blocking everything else.

Thanks,

Justin
lrmoore commented:
How many stores do you have to do this for? Is it just one location?

You could add a 3rd party web content filter such as the iPrism
http://www.edgewave.com/products/web_security/default.asp
It goes in-line between the LAN and the gateway so there is no way to bypass it.

I work with a retailer with 28+ stores and we used Cisco 1811 routers and just passed a PCI audit with flying colors. These are small stores with POS system on one LAN (VLAN), Video surveillance on another, PC's on another and an environmental control system on another. All syslogs get sent to a managed IPS device provided by a 3rd party. Everything else is using basic Cisco IOS with encryption back to corporate.
I just can't do the same things with an ASA that we can do with a full IOS based router.
JustinGSEIWI (author) commented:
I am really trying to do this with the ASA to keep costs down. I am also checking other sources to see what my options are. I have five sites I need to do this at. With the content filter, will that work with blocking ports other than 80? I need to basically block all traffic and just allow a couple of things through. Not sure if a web content filter will block all other ports that need blocking.
lrmoore commented:
The content filter will allow you to create "white lists" of the only allowable sites.
This particular appliance also has a remote client that you can install on the PCs at remote sites that enforces the policy "in the cloud".

Otherwise, just create an allow access-list using all the IP addresses you can find for update.microsoft.com, www.update.microsoft.com, update.symantec.com, etc.

gavving commented:
The only way you're going to be able to filter HTTPS traffic by hostname/domain name is to have a proxy filter type device in place.  All other networking equipment will not be able to decode the HTTPS traffic to filter by URL.   But the flip side of that is that each HTTPS url will normally resolve to a specific IP or a set of IPs.  You can allow HTTPS traffic to those IPs specifically and filter all HTTP traffic using URLs with the instructions I provided above on the ASA.  

You could use a VPN to connect all the sites together, and then place the proxy server at one specific site. Configure all the workstations to point to that proxy server through the VPN. That would minimize the amount of equipment you'd have to deploy. You could also deploy WSUS this way and centralized antivirus and remove the requirement for the POS systems to access the internet altogether.

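The IP-based egress allow-list that lrmoore (the "allow access-list" built from nslookup results) and gavving (permit HTTPS to the resolved addresses, deny everything else) describe above, as an added example that is not code from this thread: it turns a list of update hostnames into ASA access-list lines for the POS subnet. The hostnames are the ones named in the thread; the addresses are constructed stand-ins for nslookup output, and the POS subnet, ACL name and interface name are assumptions.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed sample data standing in for nslookup results (TEST-NET ranges).
# In production the resolver would be socket.gethostbyname_ex(); as gavving
# notes, load-balanced sites change addresses, so the ACL must be regenerated.
SAMPLE_RESOLUTIONS: Dict[str, List[str]] = {
    "update.microsoft.com": ["203.0.113.10", "203.0.113.11"],
    "www.update.microsoft.com": ["203.0.113.11", "203.0.113.12"],
    "update.symantec.com": ["198.51.100.7"],
}


def sample_resolver(hostname: str) -> List[str]:
    """Offline stand-in for DNS resolution; returns the constructed addresses."""
    return SAMPLE_RESOLUTIONS.get(hostname, [])


def build_egress_acl(hostnames: Iterable[str], pos_subnet: str,
                     acl_name: str = "POS_OUT", ports: Iterable[int] = (80, 443),
                     resolve: Callable[[str], List[str]] = sample_resolver) -> List[str]:
    """Emit ASA ACEs permitting only the resolved update hosts, then deny-all.

    The ASA matches addresses, not hostnames, so every permitted destination
    must be an explicit IP. An unresolved hostname aborts generation rather
    than silently producing an ACL that blocks the updates it was meant to allow.
    """
    net = ipaddress.ip_network(pos_subnet, strict=True)   # assumed POS LAN
    ports = tuple(ports)
    lines: List[str] = []
    seen = set()                                         # dedupe (ip, port)
    for host in hostnames:
        ips = resolve(host)
        if not ips:
            raise ValueError(f"{host} did not resolve; refusing to emit an incomplete ACL")
        lines.append(f"access-list {acl_name} remark {host}")
        for ip in sorted(ips, key=ipaddress.ip_address):  # key also validates the IP
            for port in ports:
                if (ip, port) in seen:
                    continue                             # already permitted via another host
                seen.add((ip, port))
                lines.append(f"access-list {acl_name} extended permit tcp "
                             f"{net.network_address} {net.netmask} host {ip} eq {port}")
    # Explicit, logged deny-all satisfies PCI 1.2.1(b) and makes blocked flows visible.
    lines.append(f"access-list {acl_name} extended deny ip any any log")
    lines.append(f"access-group {acl_name} in interface inside")  # assumed interface name
    return lines
```

Run it against real resolver output on a schedule and diff the result against the running configuration, since an address that drops out of DNS rotation will show up as a blocked update in the deny-all log line.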
JustinGSEIWI (author) commented:
So far I am thinking your recommendation of allowing http and https traffic via IP address filtering is the best method. I am unable to connect the sites with the VPN because to fill out SAQ C, each site cannot be connected to the other store. The only thing I have left to figure out is how I am going to remotely support these machines and still allow AV and windows updates. I am talking to a consultant to determine exactly what I need to be doing with this. To block all outgoing traffic and only allow windows updates and AV is very difficult to do because of how many IPs there are. I'll wait to see if the consultant has an easier way to do this.

Thanks for the help.

Justin
JustinGSEIWI (author) commented:
Please make the two comments below the correct answers.

Thanks,

Justin

35746143
35699344
digitap commented:
I've requested that this question be closed as follows:

Accepted answer: 250 points for lrmoore's comment http:/Q_27018723.html#35738248
Assisted answer: 250 points for gavving's comment http:/Q_27018723.html#35746143

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.