topic Re: blocking AOL instant messenger with Cisco Pix 7.x in Network Security

blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Mon, 11 Mar 2019 09:25:27 GMT

hi all,

I need to do the following:

nat (inside) 1 0 0

global (outside) 1 interface

access-list External permit icmp any any echo-reply

access-list External deny ip any any log

access-list Internal permit tcp any any eq 23

access-list Internal permit tcp any any eq 80

access-list Internal permit udp any any eq 53

access-group External in interface outside

access-group Internal in interface inside

Problem is that user on the inside use AOL instant messgenging via port 23 and

I would like to block them from using

AOL IM on port 23 but I also would like

to allow legitimate telnet to go through.

I do NOT want to block AOL destination IM

Server in the ACL. I want to be the Pix to be smart enough to be able to accomplish via application inspection.

I can do this rather easily with Checkpoint SmartDefense which is builtin

with Checkpoint firewall. I am migrating

over to Cisco Pix and I would like to do

the same thing.

Any ideas on how to do this? Thanks.

David

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Sun, 28 Jan 2007 07:56:51 GMT

I want EVERYONE from the Internal to be able to

telnet out to anywhere on the Internet with

regular telnet application. I do NOT want them

to masquerade port 23 with AOL IM application.

With Checkpoint SmartDefense, I can accomplish

this task in less than 10 seconds. I just

don't know how to do this with Cisco.

David

Re: blocking AOL instant messenger with Cisco Pix 7.x

zulqurnain — Sun, 04 Feb 2007 04:34:13 GMT

hello,

like you said that you want to block AOL IM using port 23 at the same time you want to allow legitimate telnet to go through. idea is if you know this legitimate IP's only who should be allowed then you can just edit your ACL

e.g.

access-list internal permit tcp ip host >legitimate IP< any eq 23

this will only allow them to access telnet through port 23 and all other users will be denied access using port 23.

HTH

please rate if helped

regrads

Re: blocking AOL instant messenger with Cisco Pix 7.x

bthibode — Sun, 04 Feb 2007 16:11:06 GMT

I'm glad the checkpoint can do this in 10 seconds. I can do it on the PIX/ASA in 9 🙂 Can you please let me know what version of sw your PIX is running? The solution depends on the version.

Bryan

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Sun, 04 Feb 2007 16:17:45 GMT

hi,

I am running version 7.2(2).

Re: blocking AOL instant messenger with Cisco Pix 7.x

bthibode — Mon, 05 Feb 2007 15:51:49 GMT

Ok, here we go. This is going to be done using ASDM.

Step 1: Launch ASDM

Step 2: Click on the Configuration button at the top of the page

Step 3: Click on the Security Policy button on the left.

Step 4: Click on the Service Policy Rules Tab

Step 5: If you don't have a Service Policy already, create one by clicking on the green plus sign next to the word Add. If you do already have a Service Policy, select the class (it should now be highlighted in blue), then click the green plus sign next to the work Add.

Step 6: Choose the Second Radio button - Global - applies to all interfaces, then click next

Step 7: Leave Create a new traffic class selected and put a check mark next to Default Inspection Traffic under Traffic match criteria and click next

Step 8: Select http and click next

Step 9: Select HTTP and click the configure button directly to the right of HTTP

Step 10: Select the 'Select a HTTP inspect map for fine control over inspection' radio button, then click on the Add button that is now activated

Step 11: On this screen, Give this new class a name. Then click the URI Filtering... button on the bottom right of the page

Step 12: click on Add

Step 13: In the drop down menu for regular Expression, select _default_aim-messenger

Step 14: Click ok

Step 15: Click ok

Step 16: Click ok

Step 17: Click ok

Step 18: Click finish

Step 19: Click Apply

This will set up your ASA to look for and block AIM. I know this might seem like a lot of steps, but like every GUI, once you get used to it, it really takes no time at all.

Bryan

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Mon, 05 Feb 2007 16:36:03 GMT

Bryan,

1) does it apply to both Pix and ASA or only ASA?

2) did you test it and you are able to block

AOL Instant Messenging from traversing port

23?

It seems to me that your instructions have to

do with blocking AOL IM via http port and not port 23.

Regards,

David

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Mon, 05 Feb 2007 17:11:47 GMT

Bryan,

I tried what you suggested and I still can use

AOL IM over port 23. The solution you provided

is for using AOL IM over http (aka port 80).

I am trying to block it over port 23.

anymore ideas?

Re: blocking AOL instant messenger with Cisco Pix 7.x

bthibode — Mon, 05 Feb 2007 17:12:55 GMT

1) This works on any platform running 7.2(2)

2) Have not tested with AIM on port 23 (forgot you mentioned that). To make sure that this catches AIM on all ports, please check match any instead of match default inspection traffic in step 7 of my instructions.

This should scan all prots for AIM.

Bryan

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Mon, 05 Feb 2007 19:58:21 GMT

Bryan,

The problem with this configuration is that

not only it drops my AOL IM over port 23 but it

also drops legitimate telnet application over

port 23. Worse, it also drops my ssh as well.

Any more ideas?

David

Re: blocking AOL instant messenger with Cisco Pix 7.x

bthibode — Mon, 05 Feb 2007 20:09:06 GMT

Wow, that was unexpected. Obviously, thats not how this regex is supposed to work. I find it strange that it would drop ssh. SSH is encrypted, so you can't read anything to block it anyways. Thats why attacks using ssh are almost impossible to stop. Does your config look like this:

class-map global-class

match any

policy-map type inspect http AIM

parameters

protocol-violation action drop-connection

match request uri regex _default_aim-messenger

drop-connection log

policy-map global-policy

class global-class

inspect http AIM

service-policy global-policy global

If you have a similair set-up and are still unable to block AIM, then I'm out of ideas. I really don't understand how telnet and ssh would be clocked by the ASA because of this regex, though. Do the blocks show up in your log as being blocked by your service-policy?

Bryan

Re: blocking AOL instant messenger with Cisco Pix 7.x

mhellman — Tue, 06 Feb 2007 19:51:31 GMT

I just started playing around with these settings myself and I must say, pretty impressive. They are a little less intuitive than they could be.

try the following..it worked for me:

1) Create a new HTTP inspect map.

click on 'inspect maps' then 'http'. Enter a name and description. click 'customize' and uncheck 'check for protocol violations'. click 'ok'. click 'URL filtering' then 'add' and select the provided _default_aim-messenger regex and click 'ok'. click 'ok' again. click 'add'. click 'apply'.

2) enable the new HTTP inspection on tcp port 23.

click on 'security policy'->'add'. click 'Next'. check 'tcp or udp destination port' and click next. select 'telnet' as the service and click next. check 'http' and click 'configure'. select the HTTP inspect map you just created from the list and click 'ok'. click 'finish'.

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Wed, 07 Feb 2007 02:33:26 GMT

class-map global-class

match port tcp eq telnet

policy-map type inspect http test

parameters

match request uri regex _default_aim-messenger

drop-connection log

policy-map global-policy

class global-class

inspect http test

service-policy global-policy global

It didn't work for me. I can still use AOL IM on telnet port. Can you post your config? I am running version 7.2(2). Thanks.

David

Re: blocking AOL instant messenger with Cisco Pix 7.x

mhellman — Wed, 07 Feb 2007 15:12:37 GMT

I tested that specific regex using a browser, not the actual AOL IM client, and it worked. The "_default_aim-messenger" regex does a case insensitive search for "http.proxy.icq.com". Do you know if that is correct? I would recommend getting a trace of the client and looking for that specific string in the URL.

I fired up an apache server on tcp port 23. When I connected with just http://www.server.com:23, the default page came up. When I connected with

http://www.server.com:23/http.proxy.icq.com I got a "page cannot be displayed" error. The request timed out and wasn't reset. It would be better if the Pix sent a reset, which is an option when configuring the inspection. I know it worked though because here is the log entry:

5 Feb 07 2007 09:05:49 415006 HTTP - matched request uri regex _default_aim-messenger in policy-map aim-messenger, URI matched - Dropping connection from inside:/15058 to outside:/23

I would guess that the default regex is not correct, or at least not when used as a URL filter(i.e. regex matches somewhere else in HTTP request). Get that trace and find out if/where http.proxy.icq.com shows up.

Re: blocking AOL instant messenger with Cisco Pix 7.x

mhellman — Wed, 07 Feb 2007 16:31:23 GMT

FWIW, I just fired up AOL 6.0 --you owe me big for installing this crap;-)

Nowhere during the login process did I see "http.proxy.icq.com". I suspect that regex is no longer correct. Is this person using an external http proxy running on port 23 or what?

In any event, AIM V6 appears to use HTTPS for authentication. You probably will have to use an ACL or proxy-based URL filtering to block that. Another alternative is to block the DNS lookups that occur. This probably won't work if the user is using an http proxy and not doing direct DNS lookups (get a trace!). I created a custom DNS inspection map that blocks the domain name kdc.uas.aol.com. The standard AIM V6 client no longer works.

4 Feb 07 2007 10:28:34 410003 DNS Classification: Dropped DNS request (id 36921) from inside:/1045 to outside:/53; matched Class 22: match domain-name regex aim_v6

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Wed, 07 Feb 2007 17:35:36 GMT

1) i am using AOL IM version 6.0.

I am NOT using any external http proxy, just

straight forward port 23.

Are you sure about it uses https for authentication because when I run tcpdump on

my checkpoint firewall, I did NOT see any https,

I only see port 23 and DNS udp port 53.

What you suggested will work but I do not want

to do that. It seems to me that Pix firewall

does not do "deep inspection" the way

checkpoint firewall does. As I've stated

earlier, I can do this with Checkpoint in 10

seconds. I don't want to deal with blocking

DNS because "smart" users know how to bypass

this security and hard-code the IP address

into AOL client (a few registries changes

is all it takes).

Thanks again for taking the time to go through

this exercise with me.

David

CCIE Security

Re: blocking AOL instant messenger with Cisco Pix 7.x

mhellman — Wed, 07 Feb 2007 18:53:17 GMT

I'm confused I guess, but then I'm not an AIM user. AIM is not peer to peer is it? The client actually connects to something on port 23...what is it connecting to? Surely the AOL servers don't support connections on every port? If it's not the AOL server, then doesn't it have to be either a proxy or a device the forwards connections to the AOL servers on the supported ports? I suppose I'm just naive with it comes to this client.

In any event, it does not matter. The pix DOES definitely support deep packet inspection for specific protocols, including HTTP. If you know the regex you want to block, then create it and the commands I suggested earlier will work. You just can't use the default regex supplied by Cisco.

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Wed, 07 Feb 2007 20:39:42 GMT

You're wrong. I can get the AOL client to

connect on port 23, 80, 443, 25, etc... therefore, the AOL servers can accept just about

every ports. BTW, the client is actually

connecting on port 23

Pix may do deep packet inspection for http but

not for every other protocols as evidence in

my test with port 23.

Do you know the regex for telnet port 23 to

block AOL IM?

David

Re: blocking AOL instant messenger with Cisco Pix 7.x

mhellman — Wed, 07 Feb 2007 21:49:13 GMT

Are you using the pro client perhaps? I tried it and indeed it allows changing the port and configuring a proxy. I got a trace and this does not look like HTTP though. I think we're finally on the same page....you're SOL. Does it look like HTTP in your trace? I don't think the Pix can generically inspect tcp sessions using regex matching.

Re: blocking AOL instant messenger with Cisco Pix 7.x

daviddtran — Wed, 07 Feb 2007 22:13:10 GMT

here is the tcpdump on the External interface

of the Checkpoint firewall. As you can see,

it connects via port 23 and dns udp port 53

for resolution. Yes, there are some port 80

but it is because when you connect with AOL,

it opens the browser and send advertisement

over port 80 but the actual communication is

going through port 23.

No I am not using AOL pro client, just

standard free version of AOL. Nothing special. Look at the tcpdump below on the

checkpoint:

dca2-Nokia-1-P[admin]# tcpdump -i eth3 -n not host 224.0.0.18 and host 217.200.1.125

tcpdump: listening on eth3

22:06:34.314049 O 217.200.1.125.10261 > 129.174.1.8.53: 10953+ (37)

22:06:34.319854 I 129.174.1.8.53 > 217.200.1.125.10261: 10953 2/3/3 (219) (DF)

22:06:34.343954 O 217.200.1.125.10557 > 64.12.161.153.23: S 3777049618:3777049618(0) win 65535 (DF)

22:06:34.350832 I 64.12.161.153.23 > 217.200.1.125.10557: S 857085545:857085545(0) ack 3777049619 win 16384 (DF)

22:06:34.351625 O 217.200.1.125.10557 > 64.12.161.153.23: . ack 1 win 65535 (DF)

22:06:34.357983 I 64.12.161.153.23 > 217.200.1.125.10557: P 1:11(10) ack 1 win 16384 (DF)

22:06:34.358671 O 217.200.1.125.10557 > 64.12.161.153.23: P 1:11(10) ack 11 win 65525 (DF)