03-16-2007 07:54 AM - edited 03-10-2019 03:31 AM
hi,
How do I access the ASA's embedded IPS GUI page? And how do I restrict access to the MSN peer-to-peer applications? Thanks...
03-19-2007 09:36 PM
03-19-2007 11:50 PM
If we don't have AIP, can't we do this?
03-20-2007 04:14 AM
I'm sorry I'm not sure if I understand your question correctly.
No, if you don't have an AIP module, then you can use neither ASDM's IPS link nor IDM.
Edward
03-20-2007 05:24 AM
OK, here is the question:
I have an ASA 5510 and it doesn't have an AIP module. I want to stop users from using chat (MSN etc.) and peer-to-peer file sharing (Kazaa etc.) programs. Can I do it without the AIP module?
03-21-2007 07:06 AM
You can, but you're not going to like the answer. Without the benefit of IDS signatures, which can recognize any chat/P2P that is NOT encrypted, you can really only choose to block the destination IPs for those clients.
I tried this years ago. I set up a PC and installed MSN, Yahoo, AOL, ICQ, and every other chat client, as well as Limewire, Gnutella, Morpheus... and so on with the P2P clients.
In the end I gave up because most of these clients don't use a static TCP port and some connect to dozens of IPs. I think I was up to 130+ IPs and some things were still getting through.
Signatures are the only way to go if you can't lock down the workstations and restrict those clients from running. We do that here because even with IDS some of those clients are moving to some form of SSL, which makes the IDS not as effective.
03-23-2007 08:55 AM
With ASA version 7.2 you can quite easily stop messaging in the default service policy; there is an IM tab in the protocol inspection and it will prevent MSN and Yahoo chat.
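The CLI equivalent of what that ASDM IM tab configures, as an added example that is not from any poster in this thread; it assumes ASA 7.2 modular policy framework syntax, and the class-map and policy-map names are made up here.

```cisco
! Added example (not from the thread). Names im_block_class and
! im_block_policy are chosen for illustration; ASA 7.2 MPF syntax assumed.
!
! Layer 7 class: match the two IM protocols the inspection engine parses
class-map type inspect im match-any im_block_class
 match protocol im-msn im-yahoo
!
! Layer 7 policy: drop matching sessions and log each drop so blocked
! attempts show up in syslog for verification
policy-map type inspect im im_block_policy
 class im_block_class
  drop-connection log
!
! Hook the IM policy into the default global policy (present on a stock
! 7.2 config) so it applies to traffic on every interface
policy-map global_policy
 class inspection_default
  inspect im im_block_policy
!
service-policy global_policy global
```

Keep the log keyword: it is the quickest way to confirm which sessions the inspection is actually matching, since SSL-wrapped chat is not parsed and will not appear.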
03-23-2007 01:02 PM
Has anyone tried this successfully?
I can see it working for a while, but if the IM services change their login server or URL information then you're going to be constantly rewriting the class maps.
I'm also certain it won't work for SSL-encrypted chat, as there's no way to inspect encrypted traffic.
I'd love for this to be as easy as clicking a button but past experience has been otherwise.
03-24-2007 04:45 AM
I had the same experience with the earlier version 7.0, where I had the same results: the first attempt blocked MSN, but the second worked as it shifted its port numbers. With v7.2, though, it works well, and I have it running on various customer sites.
I agree you might have a problem with encrypted traffic though.
03-27-2007 06:18 AM
Hmmm maybe we'll have to try this.
At least it can handle MSN & Yahoo IM. We'll have to take other measures for AOL, Meebo, etc. Some of those get squashed by our web filter.
Until we get an SSL proxy solution in, the SSL stuff like Google Chat is going to be a challenge.