11-08-2004 06:17 AM - edited 02-20-2020 11:44 PM
Can the PIX only filter by IP address without the help of a 3rd party product?
For example, if I want to put a filter/access-list rule in place to prevent access to www.pornsite.com, but allow access to www.business_content.com, this does not seem possible in the PIX - while this feature is in all of the competitors' products - the firewall does a DNS lookup and permits or denies access to the URL based on the URL name in the ACL.
Filtering strictly by destination IP address is not viable - and not always workable if the destination is a "virtual server", or has hundreds of resolvable addresses (take Yahoo for example).
Are there any open-source alternatives to N2H2 or Websense?
I'm interested in creating a small outbound "white list" of limited sites that our remote offices are authorized to access, not managing the entire Internet!
I suppose I could prevent access to DNS servers and create a "HOSTS" file that only contained authorized sites, but that's really only security through obscurity, and not a real solution!
Any suggestions appreciated, without the need to put in more hardware and run a Squid proxy to do the job the PIX should be able to do on its own!
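The white-list idea above can still be expressed on a PIX, but only as per-address permit entries that have to be regenerated whenever the names resolve differently. The following is an added example, not code from this thread or from Cisco: it expands a name-based white list into PIX 6.x `access-list` lines from a resolver snapshot, only allows DNS to one trusted internal resolver, and reports drift between two snapshots so the operator knows when the ACL on the box has gone stale. The host names, resolver address and DNS snapshots are constructed (RFC 5737 documentation addresses); in practice the snapshots would be taken from the resolver the remote offices are actually forced to use.

```python
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[str]]

# Constructed resolver snapshots for two days (hypothetical names, documentation IPs).
SNAPSHOT_DAY1: Snapshot = {
    "www.business_content.example": {"192.0.2.10"},
    "portal.partner.example": {"198.51.100.5", "198.51.100.6"},
}
SNAPSHOT_DAY2: Snapshot = {
    "www.business_content.example": {"192.0.2.10", "192.0.2.11"},  # a node was added
    "portal.partner.example": {"198.51.100.6"},                    # .5 was retired
}

# Constructed address of the internal resolver the offices are allowed to query.
TRUSTED_RESOLVER = "192.0.2.53"


def build_acl(snapshot: Snapshot, resolver: str,
              acl_name: str = "outbound", ports: Tuple[int, ...] = (80, 443)) -> List[str]:
    """Turn a name -> address-set snapshot into a PIX 6.x outbound white list.

    Clients may only talk DNS to the trusted resolver (so the answers the ACL
    was built from are the same ones the clients see), then only HTTP/HTTPS
    to the addresses the white-listed names resolved to; everything else is denied.
    """
    lines = [f"access-list {acl_name} permit udp any host {resolver} eq 53"]
    for name in sorted(snapshot):
        for ip in sorted(snapshot[name], key=ip_address):
            ip_address(ip)  # raises ValueError on a malformed address rather than emitting a bad rule
            for port in ports:
                lines.append(f"access-list {acl_name} permit tcp any host {ip} eq {port}  ! {name}")
    lines.append(f"access-list {acl_name} deny ip any any")
    lines.append(f"access-group {acl_name} in interface inside")
    return lines


def drift(old: Snapshot, new: Snapshot) -> Tuple[Snapshot, Snapshot]:
    """Return (added, removed) addresses per name between two snapshots.

    A non-empty result means the ACL generated from `old` is stale: addresses in
    `added` are now blocked although the name is white-listed, and addresses in
    `removed` are still permitted although the name no longer points at them.
    """
    added: Snapshot = {}
    removed: Snapshot = {}
    for name in set(old) | set(new):
        gained = new.get(name, set()) - old.get(name, set())
        lost = old.get(name, set()) - new.get(name, set())
        if gained:
            added[name] = gained
        if lost:
            removed[name] = lost
    return added, removed


if __name__ == "__main__":
    for line in build_acl(SNAPSHOT_DAY1, TRUSTED_RESOLVER):
        print(line)
    print()
    print("drift since day 1:", drift(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
```

The `! name` trailer on each permit line is only a comment for the reader of the generated text; strip it before pasting into a PIX configuration. The drift check is the part that matters operationally: a white list built this way is only as current as its last snapshot, and a name with many short-lived addresses will show drift on almost every run, which is exactly the situation the post describes as unworkable.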
11-08-2004 08:06 PM
Q. Can the PIX only filter by IP address without the help of a 3rd party product?
A. That is correct. As you know, there is no support in the PIX to allow you to add DNS names to an access-list. We are adding DNS support to the PIX 7.0 but at this time (as far as I know), the DNS name resolution will not be available for access-list use. It will be available to applications within the PIX such as TFTP, etc...
If this is a feature you would like to see in the PIX, I would suggest you talk to your local Cisco account team and ask them to raise an enhancement request on your behalf.
Sorry for the news.
Scott
11-08-2004 08:10 PM
**I hit Post too soon**
One more thought is that DNS manipulation is a rather trivial task. I am not sure how comfortable I would be in basing my rules on DNS names that someone could rather easily spoof and traverse the rules I put in place.
Scott