JustinGSEIWI asked:
How to block all websites except for a few using Cisco ASA

Due to PCI compliance, I am now segmenting my point of sale computers onto their own LAN and must block all internet traffic except the traffic that is needed by the cardholder data network. I have blocked all access except for a couple of specific IPs that are needed. My last concern is how do I allow Windows updates and AV updates to occur? I am either going to use Norton 360 or Microsoft Security Essentials. Allowing the Windows updates has proven quite difficult.

Thanks,

Justin
gavving:

Is it possible for you to configure these machines to be managed and updated via a WSUS server? That server would then be the only system that would need to download the Windows updates, and all workstations would get their updates from that server.

Also look into a program called "Fiddler" (www.fiddler2.com). It's great for trying to determine what is actually being accessed so that you can permit the traffic.
lrmoore (Les Moore):
I've been successful with an IOS router with this solution, never tried it on an ASA, but the concept should work. Actually, I just tested and it works with the ASA.
Set up a filter and filter server. Select WebSense and put in a bogus IP address.
Set up the filter to *not* filter specific web sites (use nslookup to get the IP address(es) of the websites), but filter all others.
Create no-filter rules for each web site/IP address you want to allow, and check the box to allow if the server is unavailable.
Set another rule to filter any any and un-check allow if the server is unavailable.
Since the filter server is a bogus address, it is never available and all "filtered" traffic is blocked, but all non-filtered traffic should be allowed.
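Editor's added example (not part of any post in this thread) of what the steps above look like in the ASA CLI rather than ASDM. The addressing is assumed for illustration: POS LAN 10.10.10.0/24 behind an interface named "pos", one permitted destination 203.0.113.10, and 192.0.2.250 as the bogus filter-server address (a TEST-NET address picked precisely because nothing answers there).

```cisco
! Added example, not from the thread. Assumed: POS LAN 10.10.10.0/24 behind
! interface "pos", one permitted destination 203.0.113.10, and a filter-server
! address 192.0.2.250 chosen because nothing will ever answer on it.

! 1. Define the Websense "server". It never responds, so it is always down.
url-server (pos) vendor websense host 192.0.2.250 timeout 5 protocol TCP version 4 connections 5

! 2. No-filter exception: POS hosts reaching the permitted address are not
!    sent to the filter at all, so the dead server cannot block them.
!    Add one "filter url except" line per permitted destination address.
filter url except 10.10.10.0 255.255.255.0 203.0.113.10 255.255.255.255

! 3. Filter all other HTTP (port 80) from the POS LAN. The "allow" keyword is
!    left off on purpose: with it the ASA passes traffic while the server is
!    down (fail open); without it the ASA drops the traffic (fail closed),
!    which is what makes the bogus server work as a block.
filter url http 10.10.10.0 255.255.255.0 0.0.0.0 0.0.0.0

! Checks: the server should show as DOWN, and the blocked counters should
! climb when a POS host browses anywhere other than 203.0.113.10.
! show url-server
! show url-server statistics
```

Two caveats a practitioner would want here. The filter only acts on the HTTP sessions it inspects (port 80 in this example); it does nothing about other ports, so the interface access list still has to deny everything else explicitly. And the exceptions are matched on destination IP, not hostname, so every address behind a permitted site has to be listed and re-checked when it changes.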
JustinGSEIWI (asker):
gavving,

I cannot use WSUS. I have a WSUS server but it is on another LAN and the LAN my POS systems are on is segmented. The two LANs are not allowed to communicate with each other.

lrmoore,

I am not sure what you mean. I still don't know what to do.

Below are the PCI compliance statements that I am following to do this. I don't think I am reading these out of context, but let me know if you think otherwise.

"

1.2
Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.2.1
(a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment, and are the restrictions documented?
(b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
1.2.3
Are perimeter firewalls installed between any wireless networks and the cardholder data environment, and are these firewalls configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment?
1.3
Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment, as follows:
1.3.3
Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
1.3.5
Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?

"
ASKER CERTIFIED SOLUTION (gavving): solution text not included on this page.
JustinGSEIWI (asker):

I talked with Cisco and the link you posted won't work for me because I need to allow some HTTPS traffic. In either case, I am still stuck trying to figure out the best way to allow Windows updates and AV updates while blocking everything else.

Thanks,

Justin
How many stores do you have to do this for? Is it just one location?

You could add a 3rd party web content filter such as the iPrism
http://www.edgewave.com/products/web_security/default.asp
It goes in-line between the LAN and the gateway so there is no way to bypass it.

I work with a retailer with 28+ stores and we used Cisco 1811 routers and just passed a PCI audit with flying colors. These are small stores with the POS system on one LAN (VLAN), video surveillance on another, PCs on another and an environmental control system on another. All syslogs get sent to a managed IPS device provided by a 3rd party. Everything else is using basic Cisco IOS with encryption back to corporate.
I just can't do the same things with an ASA that we can do with a full IOS-based router.
JustinGSEIWI (asker):

I am really trying to do this with the ASA to keep costs down. I am also checking other sources to see what my options are. I have five sites I need to do this at. With the content filter, will that work with blocking ports other than 80? I need to basically block all traffic and just allow a couple of things through. Not sure if a web content filter will block all other ports that need blocking.
The content filter will allow you to create "white lists" of the only allowable sites.
This particular appliance also has a remote client that you can install on the PCs at remote sites that enforces the policy "in the cloud".

Otherwise, just create an allow access-list using all the IP addresses you can find for update.microsoft.com, www.update.microsoft.com, update.symantec.com, etc.
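Editor's added example (not from any post in this thread) of the allow-list access list described above, written for the ASA. Everything in it is assumed for illustration: POS LAN 10.10.10.0/24 behind an interface named "pos", a payment processor at 203.0.113.10, two placeholder update-server addresses 198.51.100.20 and .21 standing in for whatever nslookup returned on a given day, an external resolver 198.51.100.53, and an interface named "outside". The second half uses FQDN network objects, which the ASA supports from 8.4(2) onward, as one way around the "how many IPs there are" problem.

```cisco
! Added example, not from the thread. Assumed: POS LAN 10.10.10.0/24 behind
! interface "pos", payment processor 203.0.113.10, update addresses
! 198.51.100.20-21 (placeholders for nslookup results), external resolver
! 198.51.100.53, and an interface named "outside".

object-group network POS_HOSTS
 network-object 10.10.10.0 255.255.255.0

object-group network PAYMENT_PROCESSOR
 network-object host 203.0.113.10

! Addresses gathered by hand with nslookup. They change, so record when they
! were checked and re-check them on a schedule.
object-group network UPDATE_SERVERS
 network-object host 198.51.100.20
 network-object host 198.51.100.21

object-group service UPDATE_PORTS tcp
 port-object eq 80
 port-object eq 443

! FQDN objects (ASA 8.4(2)+): the ASA resolves the names itself and matches on
! the addresses it gets back. Point the ASA at the same resolver the POS hosts
! use; CDN-style hostnames answer differently per resolver, and a mismatch
! means the clients connect to addresses the ASA never learned.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
object network MS_UPDATE
 fqdn update.microsoft.com
object network MS_UPDATE_WWW
 fqdn www.update.microsoft.com
object network SYMANTEC_UPDATE
 fqdn update.symantec.com

! Outbound policy for the POS interface: permit only what is documented, then
! deny and log everything else (an explicit "deny all", as 1.2.1(b) asks for).
access-list POS_OUT extended permit udp object-group POS_HOSTS host 198.51.100.53 eq domain
access-list POS_OUT extended permit tcp object-group POS_HOSTS object-group PAYMENT_PROCESSOR eq 443
access-list POS_OUT extended permit tcp object-group POS_HOSTS object-group UPDATE_SERVERS object-group UPDATE_PORTS
access-list POS_OUT extended permit tcp object-group POS_HOSTS object MS_UPDATE object-group UPDATE_PORTS
access-list POS_OUT extended permit tcp object-group POS_HOSTS object MS_UPDATE_WWW object-group UPDATE_PORTS
access-list POS_OUT extended permit tcp object-group POS_HOSTS object SYMANTEC_UPDATE object-group UPDATE_PORTS
access-list POS_OUT extended deny ip any any log
access-group POS_OUT in interface pos

! Checks: "show dns-hosts" lists what the ASA has resolved for the FQDN
! objects, and "show access-list POS_OUT" shows per-line hit counts, including
! hits on the final deny, which is where unexpected update traffic shows up.
```

The DNS permit is the one line easy to forget: without it the POS hosts cannot resolve the update hostnames at all, and the symptom looks like the update servers being blocked. Keeping the explicit logged deny as the last line gives you the documentation trail PCI 1.2.1 and 1.3.5 ask for, and the hit counts tell you which address you still need to add.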

SOLUTION: solution text not included on this page.
JustinGSEIWI (asker):

So far I am thinking your recommendation of allowing HTTP and HTTPS traffic via IP address filtering is the best method. I am unable to connect the sites with the VPN because, to fill out SAQ C, each site cannot be connected to the other stores. The only thing I have left to figure out is how I am going to remotely support these machines and still allow AV and Windows updates. I am talking to a consultant to determine exactly what I need to be doing with this. To block all outgoing traffic and only allow Windows updates and AV is very difficult to do because of how many IPs there are. I'll wait to see if the consultant has an easier way to do this.

Thanks for the help.

Justin
Please make the two comments below the correct answers.

Thanks,

Justin

35746143
35699344
I've requested that this question be closed as follows:

Accepted answer: 250 points for lrmoore's comment http:/Q_27018723.html#35738248
Assisted answer: 250 points for gavving's comment http:/Q_27018723.html#35746143

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.