PIX - URL and SITE FILTERING ALTERNATIVES

scotthale
Level 1

Can the PIX only filter by IP address without the help of a 3rd party product ?

For example, if I want to put a filter/access-list rule in place to prevent access to www.pornsite.com, but allow access to www.business_content.com, this does not seem possible in the PIX - while this feature is in all of the competitors' products - the firewall does a DNS lookup and permits or denies access to a URL based on the URL name in the ACL.

Filtering strictly by destination IP address is not viable - and not always workable if the destination is a "virtual server", or has hundreds of resolvable addresses (take Yahoo for example).

Are there any open-source alternatives to N2H2 or Websense?

I'm interested in creating a small outbound "white list" of limited sites that our remote offices are authorized to access, not managing the entire Internet!

I suppose I could prevent access to DNS servers, and create a "HOSTS" file that only contained authorized sites, but that's really only security through obscurity, and not a real solution!

Any suggestions appreciated, without the need to put in more hardware and run a Squid proxy to do the job the PIX should be able to do on its own!

2 Replies

scoclayton
Level 7

Q. Can the PIX only filter by IP address without the help of a 3rd party product ?

A. That is correct. As you know, there is no support in the PIX to allow you to add DNS names to an access-list. We are adding DNS support to the PIX 7.0 but at this time (as far as I know), the DNS name resolution will not be available for access-list use. It will be available to applications within the PIX such as TFTP, etc...

If this is a feature you would like to see in the PIX, I would suggest you talk to your local Cisco account team and ask them to raise an enhancement request on your behalf.

Sorry for the news.

Scott

scoclayton
Level 7

**I hit Post too soon**

One more thought is that DNS manipulation is a rather trivial task. I am not sure how comfortable I would be in basing my rules on DNS names that someone could rather easily spoof and traverse the rules I put in place.

Scott
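The two sides of this thread (the original poster's point that a site with hundreds of resolvable addresses cannot be pinned down by destination IP, and Scott's caution about rules keyed on DNS names) are easier to see with a small script. The following is an added example, not code from the thread or from Cisco: it builds an IP-only allowlist from a hostname list the way an administrator would when the firewall cannot take names, then re-resolves and reports which addresses drifted. The DNS answers are constructed, and the rendered `access-list ... permit tcp any host <ip> eq www` lines only imitate the PIX form (an assumption about the syntax, not taken from the page).

```python
"""Added example: why an IP-only allowlist derived from hostnames goes stale.

The DNS snapshots below are constructed; nothing here queries a real resolver.
The ACL text imitates PIX named-ACL syntax (assumption, not from the page).
"""
from typing import Dict, List, Set, Tuple

DnsSnapshot = Dict[str, Set[str]]

# Constructed resolver answers at two points in time. The large site rotates
# through many A records; the small business site keeps one address.
SNAPSHOT_T0: DnsSnapshot = {
    "www.business_content.com": {"192.0.2.10"},
    "www.yahoo.com": {"198.51.100.1", "198.51.100.2", "198.51.100.3"},
}
SNAPSHOT_T1: DnsSnapshot = {
    "www.business_content.com": {"192.0.2.10"},
    "www.yahoo.com": {"198.51.100.2", "198.51.100.4", "198.51.100.5"},
}


def build_ip_allowlist(snapshot: DnsSnapshot) -> Set[str]:
    """Flatten every address the allowed hostnames resolved to in this snapshot."""
    allowed: Set[str] = set()
    for addrs in snapshot.values():
        allowed |= addrs
    return allowed


def is_permitted(allowlist: Set[str], dst_ip: str) -> bool:
    """Emulate an IP-only ACL: the destination is permitted only if listed."""
    return dst_ip in allowlist


def churn_report(old: DnsSnapshot, new: DnsSnapshot) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per hostname, the addresses that appeared and disappeared between two
    resolutions. Any entry at all means a static IP ACL built from the old
    snapshot now blocks legitimate traffic or permits addresses no longer used."""
    report: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for host in set(old) | set(new):
        before = old.get(host, set())
        after = new.get(host, set())
        added, removed = after - before, before - after
        if added or removed:
            report[host] = (added, removed)
    return report


def render_pix_acl(name: str, allowlist: Set[str]) -> List[str]:
    """Render the allowlist as PIX-style ACL lines (syntax is an assumption),
    closing with an explicit deny so everything not resolved is dropped."""
    def ip_key(ip: str) -> Tuple[int, ...]:
        return tuple(int(octet) for octet in ip.split("."))

    lines = [f"access-list {name} permit tcp any host {ip} eq www"
             for ip in sorted(allowlist, key=ip_key)]
    lines.append(f"access-list {name} deny ip any any")
    return lines


if __name__ == "__main__":
    acl_t0 = build_ip_allowlist(SNAPSHOT_T0)
    print("\n".join(render_pix_acl("outbound_allow", acl_t0)))
    # A client that resolves www.yahoo.com after the rotation may get
    # 198.51.100.4, which the ACL generated at T0 silently blocks.
    print("198.51.100.4 permitted by T0 ACL:", is_permitted(acl_t0, "198.51.100.4"))
    for host, (added, removed) in churn_report(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{host}: +{sorted(added)} -{sorted(removed)}")
```

Run on a schedule against a real resolver, the churn report is the signal that the IP allowlist needs regenerating; the other lesson is that whoever controls the answers the generator sees controls which addresses get permitted, which is exactly Scott's concern about trusting DNS for policy.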
