01-17-2005 09:55 AM - edited 02-20-2020 11:52 PM
Are there any published Best Practices that address the following requirement? I would like to configure all routers in our network with a gateway of last resort that points to one routed network address, used only for receiving traffic destined for non-routed protocols. This interface would then direct the traffic to an interface on the PIX to log and deny it.
The reason is to log any rogue traffic (virus, spyware) on the PIX.
Thanks in advance.
01-19-2005 11:38 AM
I think you would be better using this approach:
1. On each router, create an inbound acl on the lan interface that denies traffic to networks that you do not want your users to reach, regardless of protocol. Place those entries first on the list.
2. In the inbound acl, add permit statements for the ports/protocols that you want your users to access. There is an implicit deny statement at the end of each acl, but you can add an explicit deny with the log option to view some traffic patterns. For example, you would allow access from subnet-a to subnet-b for dns/wins queries, but you do not want to allow your users to reach internet dns servers.
This will allow each edge router to do the acl checking to implement security policies, and that is a cisco best-practice for traffic control. This allows the traffic to be stopped at the edge rather than wasting backbone bandwidth. Cisco routers can log to syslog hosts just like a pix can.
It is important not to overlook a firewall implementation on the end-host as well, since most viruses make connections on ports 80 and 25. Port 25 is easy to block since you only want your mail gw to process smtp; blocking the pop and imap ports is another good idea. However, with web-based mail using port 80, you can see that trying to limit the damage done by viruses by using router/pix acl's can only take you so far.
Another idea is to restrict what the users can do on their workstations. For example, make %systemdrive%:%systemroot% read and execute only, except for admin groups. Place similar restrictions on the win registry, particularly the HKLM hive.
Let me know if this is of any help.
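The inbound LAN acl described in steps 1 and 2 above, written out as an IOS configuration. This is an added example, not configuration from the original poster or from Cisco; all addresses, ports and interface names are constructed (10.1.0.0/24 stands in for subnet-a, 10.2.0.10 for the internal dns/wins server on subnet-b, 10.2.0.25 for the mail gateway, 10.2.0.50 for the syslog host, and 10.99.0.0/16 for a network users must never reach).

```cisco
! Added example, not from the thread. Addresses and names are constructed.
ip access-list extended LAN-IN
 ! Step 1: deny first, regardless of protocol, for networks users must not reach
 deny   ip 10.1.0.0 0.0.0.255 10.99.0.0 0.0.255.255 log
 ! Step 2: permit only what users need. DNS and WINS to the internal server only.
 permit udp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 53
 permit tcp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 53
 permit udp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 137
 permit udp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 138
 permit tcp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 139
 ! DNS to anything else (internet dns servers) is dropped and logged
 deny   udp 10.1.0.0 0.0.0.255 any eq 53 log
 deny   tcp 10.1.0.0 0.0.0.255 any eq 53 log
 ! SMTP only to the mail gateway; other smtp/pop/imap attempts are dropped and logged
 permit tcp 10.1.0.0 0.0.0.255 host 10.2.0.25 eq 25
 deny   tcp 10.1.0.0 0.0.0.255 any eq 25 log
 deny   tcp 10.1.0.0 0.0.0.255 any eq 110 log
 deny   tcp 10.1.0.0 0.0.0.255 any eq 143 log
 ! Ordinary user traffic
 permit tcp 10.1.0.0 0.0.0.255 any eq 80
 permit tcp 10.1.0.0 0.0.0.255 any eq 443
 ! Explicit deny with log so the dropped "floating" traffic shows up in syslog
 deny   ip any any log
!
interface FastEthernet0/0
 description User LAN (subnet-a)
 ip access-group LAN-IN in
!
! Send the acl log messages to the same syslog host the pix uses
logging host 10.2.0.50
logging trap informational
```

Order matters: the entries are evaluated top to bottom and the first match wins, so the denies for networks that must never be reached sit above the permits, and the final `deny ip any any log` only sees what nothing else matched. The `log` keyword causes matching packets to be handled by the router CPU rather than in the fast path, so on a busy edge router with a high drop rate it is worth rate-limiting log generation (for example with `logging rate-limit`) rather than logging every packet.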
01-20-2005 05:37 AM
This seems like a lot of work since we are talking about 100's of routers and 1000's of clients. The intent is just to see what is "floating" around the network and being dropped. We already have a solid security framework in place. Thanks for your suggestions.