blocking AOL instant messenger with Cisco Pix 7.x

daviddtran (Level 1)

hi all,

I need to do the following:

nat (inside) 1 0 0
global (outside) 1 interface
access-list External permit icmp any any echo-reply
access-list External deny ip any any log
access-list Internal permit tcp any any eq 23
access-list Internal permit tcp any any eq 80
access-list Internal permit udp any any eq 53
access-group External in interface outside
access-group Internal in interface inside

Problem is that users on the inside use AOL instant messaging via port 23, and I would like to block them from using AOL IM on port 23 but I also would like to allow legitimate telnet to go through.

I do NOT want to block the AOL IM destination server in the ACL. I want the Pix to be smart enough to accomplish this via application inspection.

I can do this rather easily with Checkpoint SmartDefense, which is built in with the Checkpoint firewall. I am migrating over to Cisco Pix and I would like to do the same thing.

Any ideas on how to do this? Thanks.

David

32 Replies

I'm confused I guess, but then I'm not an AIM user. AIM is not peer to peer, is it? The client actually connects to something on port 23... what is it connecting to? Surely the AOL servers don't support connections on every port? If it's not the AOL server, then doesn't it have to be either a proxy or a device that forwards connections to the AOL servers on the supported ports? I suppose I'm just naive when it comes to this client.

In any event, it does not matter. The pix DOES definitely support deep packet inspection for specific protocols, including HTTP. If you know the regex you want to block, then create it and the commands I suggested earlier will work. You just can't use the default regex supplied by Cisco.

You're wrong. I can get the AOL client to connect on port 23, 80, 443, 25, etc... therefore, the AOL servers can accept just about every port. BTW, the client is actually connecting on port 23.

Pix may do deep packet inspection for http but not for every other protocol, as evidenced in my test with port 23.

Do you know the regex for telnet port 23 to block AOL IM?

David

Are you using the pro client perhaps? I tried it and indeed it allows changing the port and configuring a proxy. I got a trace and this does not look like HTTP though. I think we're finally on the same page....you're SOL. Does it look like HTTP in your trace? I don't think the Pix can generically inspect tcp sessions using regex matching.

Here is the tcpdump on the External interface of the Checkpoint firewall. As you can see, it connects via port 23 and uses DNS (udp port 53) for resolution. Yes, there are some port 80 connections, but that is because when you connect with AOL, it opens the browser and sends advertisements over port 80, but the actual communication is going through port 23.

No, I am not using the AOL pro client, just the standard free version of AOL. Nothing special. Look at the tcpdump below on the Checkpoint:

dca2-Nokia-1-P[admin]# tcpdump -i eth3 -n not host 224.0.0.18 and host 217.200.1.125

tcpdump: listening on eth3

22:06:34.314049 O 217.200.1.125.10261 > 129.174.1.8.53: 10953+ (37)

22:06:34.319854 I 129.174.1.8.53 > 217.200.1.125.10261: 10953 2/3/3 (219) (DF)

22:06:34.343954 O 217.200.1.125.10557 > 64.12.161.153.23: S 3777049618:3777049618(0) win 65535 (DF)

22:06:34.350832 I 64.12.161.153.23 > 217.200.1.125.10557: S 857085545:857085545(0) ack 3777049619 win 16384 (DF)

22:06:34.351625 O 217.200.1.125.10557 > 64.12.161.153.23: . ack 1 win 65535 (DF)

22:06:34.357983 I 64.12.161.153.23 > 217.200.1.125.10557: P 1:11(10) ack 1 win 16384 (DF)

22:06:34.358671 O 217.200.1.125.10557 > 64.12.161.153.23: P 1:11(10) ack 11 win 65525 (DF)

checkout the tcpdump on the checkpoint firewall:

David

It's the payload that matters. If it isn't normal HTTP running on port 23, then I don't think the PIX will be able to do "deep inspection". In the AIM pro client I'm using, when you configure a proxy it uses normal HTTP...when you don't it does not.

When I or anyone else uses AOL, I do not use an http proxy because telnet (port 23) is allowed outbound. Because of that, users can configure the AOL IM client to use port 23, masquerading as the telnet port, to connect to AOL servers. AOL servers will accept just about any tcp port. BTW, I don't have a proxy in my lab environment. And why even bother when I can configure the AOL IM client to traverse via port 23.

I think this is where the difference between Checkpoint and Pix lies. Checkpoint SmartDefense can detect that the AOL IM client is using tcp port 23 or any other tcp port for connectivity, while Cisco Pix cannot do that except when users traverse with the http port.

David

ccie security

On my network, nothing is allowed out from clients unless it's proxied. The point I was trying to make is that HTTP is only used if a proxy is selected. Otherwise, the client appears to use a proprietary protocol called OSCAR (http://en.wikipedia.org/wiki/OSCAR_protocol). Based on what I see in the AIM Pro client, this may be correct.

If AIM used normal HTTP and just a different port (say 23 or 25) then the Pix could do deep packet inspection and could be configured to block access based on things like URL, HTTP headers, POST arguments, etc. The port is irrelevant, what matters is the application protocol. If it does not use HTTP(or one of the other supported inspections in the Pix), I don't think the Pix can do anything other than block based on IP address. Perhaps Checkpoint has an inspection engine for the Oscar protocol?

I would recommend getting a full trace of the client and viewing in Wireshark. Try decoding as HTTP.
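The point Bryan makes above, that the port is irrelevant and only the application protocol matters, can be shown with a small first-payload classifier. This is an added example, not code from the thread or from Cisco: it applies the thread's own port rule (tcp 23/80, udp 53) and then looks at the first bytes of the flow, telling telnet option negotiation (IAC, 0xFF) apart from an OSCAR FLAP frame (which begins with '*', 0x2A). The sample payloads are constructed; the OSCAR one is a 10-byte channel-1 signon frame, the same size as the first server segment in the trace posted earlier.

```python
"""Classify the first payload of a TCP flow allowed by a port-based rule.

Added example (not from the thread): shows why "permit tcp any any eq 23"
cannot distinguish AIM from telnet, and what an inspection engine checks.
"""
import struct

IAC = 0xFF                          # telnet "Interpret As Command" byte
TELNET_NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT
FLAP_START = 0x2A                   # every OSCAR FLAP frame starts with '*'
FLAP_CHANNELS = {1, 2, 3, 4, 5}     # signon, SNAC data, error, signoff, keepalive

# Constructed samples. Telnet: server sends DO TTYPE / DO NAWS negotiation.
TELNET_FIRST = bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x1F])
# OSCAR: channel 1, sequence 1, length 4, payload = FLAP version 0x00000001.
OSCAR_FIRST = bytes([FLAP_START, 0x01, 0x00, 0x01, 0x00, 0x04, 0, 0, 0, 1])
# Something else entirely on the same port.
HTTP_FIRST = b"GET / HTTP/1.1\r\n"

# Ports the thread's "access-list Internal" permits (tcp 23, tcp 80, udp 53).
PERMITTED_TCP_PORTS = {23, 80}


def classify_payload(data: bytes) -> str:
    """Return 'telnet', 'oscar' or 'unknown' for the first bytes of a flow."""
    if len(data) >= 3 and data[0] == IAC and data[1] in TELNET_NEGOTIATE:
        return "telnet"
    if len(data) >= 6 and data[0] == FLAP_START:
        # FLAP header: start(1) channel(1) sequence(2) length(2), big-endian
        channel, _seq, length = struct.unpack("!BHH", data[1:6])
        if channel in FLAP_CHANNELS and len(data) == 6 + length:
            return "oscar"
    return "unknown"


def policy_verdict(dst_port: int, first_payload: bytes) -> str:
    """Port filter first (what the ACL does), then the payload check."""
    if dst_port not in PERMITTED_TCP_PORTS:
        return "drop"                        # ACL deny, port never opened
    if classify_payload(first_payload) == "oscar":
        return "drop"                        # inspection: AIM masquerading
    return "permit"


if __name__ == "__main__":
    for name, payload in (("telnet", TELNET_FIRST), ("oscar", OSCAR_FIRST),
                          ("http", HTTP_FIRST)):
        print(name, "on port 23 ->", policy_verdict(23, payload))
```

Both flows pass the ACL identically; only the payload check separates them, which is what the thread concludes the Pix 7.x inspections cannot do for OSCAR.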

The steps Bryan showed are correct, but there is a bug with version 7.2 and http inspections. You have to make sure "protocol violations" is set to log only and inspection is set to drop connection. If you don't set it to "log only", it will drop things like ActiveX and some other things passing through http.

Sadly, it did not help me because, as I've said before, AOL can masquerade as the telnet or smtp ports, so http inspection is useless to me since the AOL app does not have to use the http port. Anyway, I decided to stick with the Checkpoint firewall.

Thanks everyone.

David

AIM != HTTP.

Do you have that bug ID or that case number?

Bryan


Hi Bryan,

I do not have a TAC case # for this. I did ask this question of one of the Cisco engineers when he came to our facility to train our Network Operations folks on FWSM and Pix 7.x. He told me that he was looking into it and would get back to me, but I've not heard from him since.

Were you able to test this as well?

David

David,

The default AIM inspection, set up like I recommended, works for just about everyone. My colleagues here use my template with success. I've never paid attention to the version number before. It does sound like buggy behaviour now that I think about it. Cisconoobie posted that he opened a TAC case and the engineer told him that this was a bug in 7.2. I was asking if he could furnish me with that TAC case number or bug ID.

Bryan
