08-08-2008 05:13 AM - edited 03-11-2019 06:28 AM
Hello Guys,
I'm trying to block IM (MSN) traffic on a Cisco ASA5520 with Software Version 7.2(4).
The configuration provided in the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml
It's perfect for blocking IM traffic; the issue is that I could see that MSN, after being blocked, encapsulates itself in HTTP traffic using port 80 and is therefore able to establish the connection.
I guess I have to inspect HTTP traffic for something and discard that "something". I would like a little help on how to accomplish this, and do you guys think that making rules to open every HTTP packet to see if there's a connection attempt to MSN isn't going to overload the ASA hardware?
Thanks for everything
Nuno
08-08-2008 06:03 AM
One option would be to block NON-RFC traffic using the protocol-violation command, but this could block a lot of legitimate websites using non-standard code.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1867542
You could also use an IPS. You could also DNS black hole the MSN chat addresses and restrict users' access to the local hosts file (very important if you use this technique).
However they could still use e-buddy :). So an IPS/Filtering web-proxy is always better.
Regards
Farrukh
08-08-2008 06:26 AM
Hello,
Yes, using an IPS/filtering solution would be ideal, except for the money :=)
So I need to cook with the ingredients that I have :-(
Attached, I'm sending a simple capture of only one packet where you can see the MSN encapsulation.
I was thinking about making a policy to inspect HTTP and then apply a rule where, using a REGEX matching MSN, connections are dropped.
Do you guys think this is possible to be accomplished?
08-08-2008 06:52 AM
I would rather block using the 'host' portion of the packet, have a look at this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Something along the lines of:
match request header host regex ...
Regards
Farrukh
08-08-2008 06:56 AM
Do you think that this will have a huge impact on the machine processing?
08-08-2008 07:08 AM
This would depend on which model you have and the amount of such traffic. If this becomes too much of a performance issue, just use 'DNS' to block MSN (as mentioned in my previous posts).
Regards
Farrukh
08-08-2008 07:16 AM
I tested this blocking MSN, and saw the HTTP encapsulation; then it was working again. So I also configured a URL domain list to block the specific URL domains that MSN uses...
hotmail.com
live.com
mail.com
live.mail.com
Works a treat
HTH
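The following is an added example of how the Host-header match Farrukh suggested and the domain list from the post above fit together in ASA Modular Policy Framework syntax. It is not configuration from the thread or from Cisco's linked document; the object names (MSN_HOTMAIL, MSN_HOSTS_RX, MSN_HTTP_POLICY and so on) are assumptions, and the two domains are taken from the list in the post above.

```cisco
! Added example (not from the thread or Cisco's linked doc). Names such as
! MSN_HOSTS_RX and MSN_HTTP_POLICY are assumptions; domains are from the thread.
regex MSN_HOTMAIL "hotmail\.com"
regex MSN_LIVE "live\.com"
!
! Group the host patterns; match-any means either domain triggers the class
class-map type regex match-any MSN_HOSTS_RX
 match regex MSN_HOTMAIL
 match regex MSN_LIVE
!
! Select HTTP requests whose Host header contains one of the patterns
class-map type inspect http match-all MSN_HTTP_CLASS
 match request header host regex class MSN_HOSTS_RX
!
! HTTP inspection policy: drop and log connections that hit the class
policy-map type inspect http MSN_HTTP_POLICY
 parameters
  ! Stricter option from Farrukh's first reply; it can also break
  ! legitimate sites that send non-RFC HTTP, so it is left commented out
  ! protocol-violation action drop-connection log
 class MSN_HTTP_CLASS
  drop-connection log
!
! Hook the policy into the default global policy for port 80 traffic
policy-map global_policy
 class inspection_default
  inspect http MSN_HTTP_POLICY
!
service-policy global_policy global
```

Two caveats when adapting this. The regexes are unanchored substring matches, so `live\.com` also matches any host name that merely contains that string; a pattern as short as `mail\.com`, as in the list above, would sweep in unrelated mail providers, so test each pattern against the hosts you actually want blocked. And the inspection engine only parses the request headers of clear-text HTTP on the ports the `inspection_default` class covers, which is what keeps the CPU cost bounded compared with opening every packet; traffic that leaves on other ports or inside TLS is not seen by this policy, which is why the DNS or proxy approaches mentioned earlier remain the fallback.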
08-08-2008 07:18 AM