Solved

How to block all websites except for a few using Cisco ASA

Posted on 2011-05-04
Last Modified: 2012-05-11
Due to PCI compliance, I am now segmenting my point of sale computers onto their own LAN and must block all internet traffic except the traffic that is needed by the cardholder data network. I have blocked all access except for a couple of specific IPs that are needed. My last concern is how do I allow Windows updates and AV updates to occur? I am either going to use Norton 360 or Microsoft Security Essentials. Allowing the Windows updates has proven quite difficult.

Thanks,

Justin
Question by:JustinGSEIWI
12 Comments
 
LVL 9

Expert Comment

by:gavving
ID: 35694603
Is it possible for you to configure these machines to be managed and updated via WSUS server?  That server would then be the only system that would need to download the windows updates, and all workstations would get their updates from that server.

Also look into a program called "Fiddler" (www.fiddler2.com).  Its great for trying to determine what is actually being accessed so that you can permit the traffic.  
 
LVL 79

Expert Comment

by:lrmoore
ID: 35694833
I've been successful with an IOS router with this solution, never tried on ASA but the concept should work. Actually, I just tested and it works with ASA.
Set up a filter and filter server. Select WebSense and put in a bogus IP address.
Set up the filter to *not* filter specific web sites (use nslookup to get the IP address(es) of the websites), but filter all others.
Create no-filter rules for each web site/IP address you want to allow; check the box to allow if the server is unavailable.
Set another rule to filter any any and uncheck allow if the server is unavailable.
Since the filter server is a bogus address, it is never available and all "filtered" traffic is blocked, but all non-filtered traffic should be allowed.
 

Author Comment

by:JustinGSEIWI
ID: 35698039
gavving,

I cannot use WSUS. I have a WSUS server but it is on another LAN and the LAN my POS systems are on is segmented. The two LANs are not allowed to communicate with each other.

lrmoore,

I am not sure what you mean. I still don't know what to do.

Below are the PCI compliance statements that I am following to do this. I don't think I am reading these out of context but let me know if you think otherwise.

"

1.2
Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.2.1
(a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment, and are the restrictions documented?
(b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
1.2.3
Are perimeter firewalls installed between any wireless networks and the cardholder data environment, and are these firewalls configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment?
1.3
Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment, as follows:
1.3.3
Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
1.3.5
Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?

"
 
LVL 9

Accepted Solution

by:gavving (earned 2000 total points)
ID: 35699344
The path that lrmoore indicated could possibly work.  The downside of it is that you have to resolve all of the sites that are going to be accessed back to IP numbers and explicitly allow those IP numbers.  Many websites use load balancing techniques which can cause the IP numbers of the websites to change, thus breaking the solution.  

Another alternative is to setup URL filtering on the ASA using this solution:
https://supportforums.cisco.com/docs/DOC-1268
(I believe this feature requires code 8.2 or higher)

But you would still need to establish all of the URLs accessed by the systems that you want to allow.  I would load the Fiddler program I mentioned above to collect that information.
 

Author Comment

by:JustinGSEIWI
ID: 35737764
I talked with Cisco and the link you posted won't work for me because I need to allow some https traffic. In either case, I am still stuck trying to figure out the best way to allow windows updates and AV updates while blocking everything else.

Thanks,

Justin
 
LVL 79

Expert Comment

by:lrmoore
ID: 35737961
How many stores do you have to do this for? Is it just one location?

You could add a 3rd party web content filter such as the iPrism
http://www.edgewave.com/products/web_security/default.asp
It goes in-line between the LAN and the gateway so there is no way to bypass it.

I work with a retailer with 28+ stores and we used Cisco 1811 routers and just passed a PCI audit with flying colors. These are small stores with POS system on one LAN (VLAN), Video surveillance on another, PC's on another and an environmental control system on another. All syslogs get sent to a managed IPS device provided by a 3rd party. Everything else is using basic Cisco IOS with encryption back to corporate.
I just can't do the same things with an ASA that we can do with a full IOS based router.
 

Author Comment

by:JustinGSEIWI
ID: 35737993
I am really trying to do this with the ASA to keep costs down. I am also checking other sources to see what my options are. I have five sites I need to do this at. With the content filter, will that work with blocking ports other than 80? I need to basically block all traffic and just allow a couple of things through. Not sure if a web content filter will block all other ports that need blocking.
 
LVL 79

Expert Comment

by:lrmoore
ID: 35738248
The content filter will allow you to create "white lists" of the only allowable sites.
This particular appliance also has a remote client that you can install on the PCs at remote sites that enforces the policy "in the cloud".

Otherwise, just create an allow access-list using all the IP addresses you can find for update.microsoft.com, www.update.microsoft.com, update.symantec.com, etc.

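The "allow access-list of resolved addresses" approach above, and the caveat in the accepted answer that those addresses change, can both be handled in one place if the policy is generated and checked rather than typed by hand. The block below is an added example written for this page (not from the thread, and not Cisco's own tooling). It assumes a POS subnet of 10.10.20.0/24 sitting on an ASA interface named `pos`, a local resolver at 10.10.20.1, and constructed TEST-NET addresses standing in for whatever update.microsoft.com and update.symantec.com actually resolve to at your sites. It builds the whitelist rules, renders them as ASA access-list syntax with the explicit deny-all that PCI 1.2.1(b) asks for, and evaluates sample flows against the same rules the way the ASA does (ordered list, first match wins, implicit deny) so the policy can be sanity-checked before it is pushed.

```python
"""Whitelist-only outbound policy for a POS segment on a Cisco ASA.

Added example: build the rules from resolved update-server addresses,
render them as ASA 8.x access-list lines, and evaluate sample flows
against the same rules (first match wins, implicit deny at the end).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: IPNet
    dst: IPNet
    dport: Optional[int]   # None means any destination port


def build_rules(pos_subnet: IPNet, dns_server: str,
                update_hosts: Dict[str, List[str]]) -> List[Rule]:
    """Permit DNS to the local resolver and HTTP/HTTPS to each resolved
    update address; everything else from the POS segment is explicitly denied."""
    rules = [Rule("permit", "udp", pos_subnet,
                  ipaddress.ip_network(f"{dns_server}/32"), 53)]
    for _name, addrs in sorted(update_hosts.items()):
        for addr in addrs:
            for port in (80, 443):
                rules.append(Rule("permit", "tcp", pos_subnet,
                                  ipaddress.ip_network(f"{addr}/32"), port))
    # PCI DSS 1.2.1(b): explicit deny-all as the last line; log hits so
    # unexpected outbound attempts (and new update addresses) show up in syslog.
    rules.append(Rule("deny", "ip", ANY, ANY, None))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Action of the first matching rule, ASA-style; "deny" if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def _asa_net(net: IPNet) -> str:
    """ASA address notation: 'any', 'host A.B.C.D', or 'network mask'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render_asa(rules: List[Rule], acl: str = "POS_OUT", iface: str = "pos") -> str:
    """Render the rules as access-list lines and bind the list inbound on the
    POS interface (i.e. to traffic entering the ASA from the POS segment)."""
    lines = []
    for r in rules:
        port = f" eq {r.dport}" if r.dport is not None else ""
        log = " log" if r.action == "deny" else ""
        lines.append(f"access-list {acl} extended {r.action} {r.proto} "
                     f"{_asa_net(r.src)} {_asa_net(r.dst)}{port}{log}")
    lines.append(f"access-group {acl} in interface {iface}")
    return "\n".join(lines)


# Constructed sample data (TEST-NET addresses, not real update-server IPs).
# Resolve the vendor names yourself, per site, and expect the answers to change.
POS_SUBNET = ipaddress.ip_network("10.10.20.0/24")
DNS_SERVER = "10.10.20.1"
UPDATE_HOSTS = {
    "update.microsoft.com": ["203.0.113.10", "203.0.113.11"],
    "www.update.microsoft.com": ["203.0.113.10"],
    "update.symantec.com": ["198.51.100.20"],
}
RULES = build_rules(POS_SUBNET, DNS_SERVER, UPDATE_HOSTS)

if __name__ == "__main__":
    print(render_asa(RULES))
    for flow in [("tcp", "10.10.20.5", "203.0.113.10", 443),   # update host
                 ("tcp", "10.10.20.5", "198.51.100.99", 443),   # random site
                 ("tcp", "10.10.20.5", "10.10.10.20", 3389)]:   # corporate LAN
        print(flow, "->", evaluate(RULES, *flow))
```

Two things the evaluator makes obvious: the corporate LAN flow is denied by the same last line as the internet flow, which is the segmentation the question relies on, and the duplicate address shared by two Microsoft names simply yields a duplicate permit line, which the ASA tolerates. Because the update hosts are load balanced, rerun the generator on a schedule and diff the output; a burst of logged denies to port 443 from the POS subnet is the signal that an address has moved.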
 
LVL 9

Assisted Solution

by:gavving
gavving earned 2000 total points
ID: 35746143
The only way you're going to be able to filter HTTPS traffic by hostname/domain name is to have a proxy filter type device in place.  All other networking equipment will not be able to decode the HTTPS traffic to filter by URL.   But the flip side of that is that each HTTPS url will normally resolve to a specific IP or a set of IPs.  You can allow HTTPS traffic to those IPs specifically and filter all HTTP traffic using URLs with the instructions I provided above on the ASA.  

You could use a VPN to connect all the sites together, and then place the proxy server at one specific site.  Configure all the workstations to point to that proxy server through the VPN.  That would minimize the amount of equipment you'd have to deploy.  You could also deploy WSUS this way and centralized antivirus and remove the requirement for the POS systems to access the internet altogether.
 

Author Comment

by:JustinGSEIWI
ID: 35749571
So far I am thinking your recommendation of allowing http and https traffic via IP address filtering is the best method. I am unable to connect the sites with the VPN because to fill out SAQ C, each site cannot be connected to the other store. The only thing I have left to figure out is how I am going to remotely support these machines and still allow AV and Windows updates. I am talking to a consultant to determine exactly what I need to be doing with this. To block all outgoing traffic and only allow Windows updates and AV is very difficult to do because of how many IPs there are. I'll wait to see if the consultant has an easier way to do this.

Thanks for the help.

Justin
 

Author Comment

by:JustinGSEIWI
ID: 35915800
Please make the two comments below the correct answers.

Thanks,

Justin

35746143
35699344
 
LVL 33

Expert Comment

by:digitap
ID: 35915799
I've requested that this question be closed as follows:

Accepted answer: 250 points for lrmoore's comment http:/Q_27018723.html#35738248
Assisted answer: 250 points for gavving's comment http:/Q_27018723.html#35746143

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.