05-27-2004 05:02 AM - edited 02-20-2020 11:25 PM
On most competitors' devices, you can express an ACL entry as a URL in addition to expressing it as an IP address, and have the URL entry resolved via DNS (on the firewall).
For example, if I want to permit access to FTP.NAI.COM, which has 4 possible destination servers, I don't need to determine all the possible destination IP addresses of the hosts - I just put the resolvable URL name in the ACL.
Can the PIX do this, or is it limited to IP addresses in ACLs?
Thanks,
Scott
05-27-2004 05:04 AM
It is limited to IP addresses
05-27-2004 05:19 AM
So, do you know if they have any plans to enhance the ACL feature to include URLs?
Scott
05-27-2004 06:53 AM
Scott,
I heard rumours that PIX IOS v7.0 might have some sort of URL filtering capabilities BUT not 100% on that. I suppose if any of the Cisco guys are reading this they could shed some light on this rumour!!
Jay
05-27-2004 09:27 AM
PIX 7.0 will not have any new functionality with respect to the scenario above. We are adding DNS resolution to PIX 7.0 but you will still not be able to use this with ACLs. The main reason for this is that DNS resolution is one of the more easy things to spoof to circumvent security. Let's say I add an ACL to only allow packets into my network sourced from mail.cisco.com. I happen to know that you have your firewall set to resolve mail.cisco.com via a known DNS server. So, as soon as I send my first packet to your internal host, I send another packet that looks like a DNS response from your DNS server that resolves mail.cisco.com to my hacker IP address. Bang, I am in...and it was pretty easy to do.
Hope this helps explain the stance on this a little. No plans to add the functionality as described above anytime soon.
Scott
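The practical consequence of the answer above is that name-to-address resolution has to happen off the firewall, on an administrator's host that trusts its resolver, and the resulting addresses are then pushed into the PIX as plain IP entries. The script below is an added illustration of that workflow and is not Cisco code or anything from the thread: it resolves a hostname to all of its IPv4 addresses (here from a constructed offline answer table; the `ftp.nai.com` addresses are invented documentation-range values, not real ones), drops answers that could never be a legitimate internet host (RFC 1918, loopback, link-local, multicast), de-duplicates and sorts them, emits PIX-style `access-list` lines, and reports which addresses changed since the last snapshot so a surprising DNS answer gets a human review instead of silently becoming a permit rule. The ACL name `outside_in` and the `eq ftp` port keyword are assumptions for the example.

```python
"""Snapshot a hostname's IPv4 addresses and emit equivalent PIX ACL entries.

Added example for this thread, not Cisco code. The PIX only accepts IP
addresses in ACLs, so resolution is done here on a trusted admin host and
the result is reviewed before it is applied to the firewall.
"""
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

# Constructed offline answer table standing in for live DNS. The addresses
# are documentation-range values (RFC 5737) chosen for the example; the
# duplicate and the RFC 1918 address are included to show the filtering.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "ftp.nai.com": [
        "203.0.113.12", "203.0.113.10", "203.0.113.11",
        "203.0.113.13", "203.0.113.10", "10.1.2.3",
    ],
}

# Address ranges that can never be a legitimate internet-facing peer.
_RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _is_plausible_public(ip: ipaddress.IPv4Address) -> bool:
    """Reject answers that a correct resolver would not return for a public host."""
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in _RFC1918)


def resolve_ipv4(hostname: str,
                 answers: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return sorted, de-duplicated, sanity-checked IPv4 addresses for hostname.

    When `answers` is given it is used as an offline answer table; otherwise
    the system resolver is queried with getaddrinfo (A records only).
    """
    if answers is not None:
        raw = answers.get(hostname.lower(), [])
    else:
        raw = [info[4][0]
               for info in socket.getaddrinfo(hostname, None, socket.AF_INET)]
    keep = set()
    for text in raw:
        ip = ipaddress.ip_address(text)
        if ip.version == 4 and _is_plausible_public(ip):
            keep.add(ip)
    return [str(ip) for ip in sorted(keep)]


def acl_entries(acl_name: str, addrs: List[str],
                proto: str = "tcp", port: str = "ftp") -> List[str]:
    """Render one PIX-style permit line per destination address."""
    return [f"access-list {acl_name} permit {proto} any host {a} eq {port}"
            for a in addrs]


def snapshot_diff(previous: List[str],
                  current: List[str]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) addresses between two resolution snapshots.

    Any non-empty result should be reviewed before the ACL is updated: a
    changed answer may be a legitimate server move or a poisoned response.
    """
    old, new = set(previous), set(current)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    current = resolve_ipv4("ftp.nai.com", SAMPLE_ANSWERS)
    for line in acl_entries("outside_in", current):
        print(line)
    added, removed = snapshot_diff(["203.0.113.10", "203.0.113.99"], current)
    print("review: added", added, "removed", removed)
```

Run as-is it uses the constructed table; passing `answers=None` to `resolve_ipv4` queries the host's real resolver instead, and the diff against the previous snapshot is what you would gate a config push on.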
05-27-2004 05:18 AM
Scott,
Only IP addresses, NO URL!!!
Jay