10-27-2005 04:04 AM - edited 03-09-2019 12:51 PM
Hi
I am wondering what the best methods are to stop Kazaa and other P2P traffic with an ASA or PIX v7.
Probably some access lists to block some known ports, but many applications use dynamic ports or even port 80.
Should I be able to use the application inspection features to stop that?
Can you give some examples of configurations you are using for this?
Thanks
10-27-2005 04:16 AM
I would go with a PIX but it depends on your needs.
Compare both Datasheets for performance and features.
Take a look at this Post:
PIX OS 7.0 is now able to determine if the http traffic on port 80 is really http and not any other hidden application.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/70cmdref/index.htm
Sincerely
Patrick
10-27-2005 02:48 PM
I would go with the PIX Firewall; you can use the Application-Aware Inspection Services with the new code.
Check the configuration example below:
Create a class-map for http inspection
pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
pix(config-cmap)# exit
Create an http-map to specify parameters for inspect http
pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse im action drop
pix(config-http-map)# port-misuse default action allow
pix(config-http-map)# exit
Create a policy-map for http inspection
pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit
If necessary create a service-policy or use the default-inspection policy
pix(config)# service-policy inbound_policy interface outside
This ends up in the config as:
--------------------------------------------------------------------------
class-map http-port
 match port tcp eq 80
class-map http-port8080
 match port tcp eq 8080
http-map inbound_http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 100 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
policy-map inbound_policy
 class http-port
  inspect http inbound_http
 class http-port8080
  inspect http inbound_http
service-policy inbound_policy interface outside
If you notice, you can add more ports via class-maps, which tie to the inbound_policy we created to tie to the interface. I haven't tested this yet, but you can set the port-misuse default action to allow, which we did above, so you should be able to inspect other ports that are being used without blocking anything that you're currently doing, as long as the P2P/IM headers aren't found in the packets.
Essentially this will cause the PIX to block the IM/P2P applications while still allowing normal traffic over port 80/8080.
Also, here is the link to the PIX 7.0 and ASA CLI architecture. This should be a comprehensive reference for configuring your 7.0 PIX at the CLI level.
Franco Zamora
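The posted config only blocks P2P on the ports that a class-map actually sends through an http-map with `port-misuse p2p action drop`, and only on interfaces where the policy-map is applied with `service-policy`. The script below is an added example (not Cisco tooling and not part of the thread) that audits a saved running-config for exactly that: it reads class-map ports, http-map port-misuse actions, the class-to-inspect mapping in each policy-map, and the service-policy lines, then reports per interface which HTTP ports drop P2P, which are inspected without a P2P drop, and which expected web ports are not classified at all. It recognises only the command forms seen in the config above; the two sample configs are constructed, and the assumption that `port-misuse default` governs categories without an explicit line is marked in a comment.

```python
"""Audit a PIX/ASA 7.0-style running-config for HTTP inspection that drops P2P.

Added example, not Cisco tooling.  Recognised grammar is limited to the forms
in the posted config: 'class-map N' / 'match port tcp eq P', 'http-map N' /
'port-misuse KIND action ACT [log]', 'policy-map N' / 'class C' /
'inspect http [MAP]', and 'service-policy PMAP interface IF'.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, same shape as the config posted in the thread.
GOOD_CONFIG = """\
class-map http-port
 match port tcp eq 80
class-map http-port8080
 match port tcp eq 8080
http-map inbound_http
 content-length min 100 max 2000 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
policy-map inbound_policy
 class http-port
  inspect http inbound_http
 class http-port8080
  inspect http inbound_http
service-policy inbound_policy interface outside
"""

# Constructed weak variant: only port 80 is classified and 'inspect http' is
# applied without an http-map, so no port-misuse decision is ever made.
WEAK_CONFIG = """\
class-map http-port
 match port tcp eq 80
policy-map inbound_policy
 class http-port
  inspect http
service-policy inbound_policy interface outside
"""


def parse_config(text: str) -> Tuple[Dict[str, Set[int]], Dict[str, Dict[str, str]],
                                     Dict[str, Dict[str, str]], Dict[str, str]]:
    class_ports: Dict[str, Set[int]] = {}        # class-map name -> TCP ports
    http_misuse: Dict[str, Dict[str, str]] = {}  # http-map name -> {kind: action}
    policy_inspect: Dict[str, Dict[str, str]] = {}  # pmap -> class -> http-map ("" = bare inspect)
    applied: Dict[str, str] = {}                 # interface -> policy-map
    stores = {"class-map": class_ports, "http-map": http_misuse, "policy-map": policy_inspect}
    section: Optional[Tuple[str, str]] = None
    cur_class: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] in stores and len(w) > 1:        # start of a named section
            section, cur_class = (w[0], w[1]), None
            stores[w[0]].setdefault(w[1], set() if w[0] == "class-map" else {})
            continue
        if w[0] == "service-policy":
            m = re.fullmatch(r"service-policy (\S+) interface (\S+)", line)
            if m:
                applied[m.group(2)] = m.group(1)
            section = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class-map":
            m = re.fullmatch(r"match port tcp eq (\d+)", line)
            if m:
                class_ports[name].add(int(m.group(1)))
        elif kind == "http-map":
            m = re.fullmatch(r"port-misuse (\S+) action (allow|drop|reset)(?: log)?", line)
            if m:
                http_misuse[name][m.group(1)] = m.group(2)
        elif kind == "policy-map":
            if w[0] == "class" and len(w) > 1:
                cur_class = w[1]
            elif w[:2] == ["inspect", "http"] and cur_class:
                policy_inspect[name][cur_class] = w[2] if len(w) > 2 else ""
    return class_ports, http_misuse, policy_inspect, applied


def audit_p2p_inspection(text: str, http_ports=(80, 8080)) -> Dict[str, Dict[str, List[int]]]:
    """Per interface carrying a service-policy: ports whose HTTP inspection drops
    or resets P2P, ports inspected without such an action, and expected web
    ports that no class-map in the applied policy covers at all."""
    class_ports, http_misuse, policy_inspect, applied = parse_config(text)
    report: Dict[str, Dict[str, List[int]]] = {}
    for iface, pmap in applied.items():
        dropped: Set[int] = set()
        weak: Set[int] = set()
        for cls, hmap in policy_inspect.get(pmap, {}).items():
            misuse = http_misuse.get(hmap, {}) if hmap else {}
            # Assumption: 'port-misuse default' applies to kinds without an
            # explicit line; a bare 'inspect http' has no port-misuse at all.
            action = misuse.get("p2p", misuse.get("default", "allow"))
            (dropped if action in ("drop", "reset") else weak).update(class_ports.get(cls, set()))
        report[iface] = {
            "p2p_dropped": sorted(dropped),
            "inspected_no_p2p_drop": sorted(weak - dropped),
            "uncovered": sorted(p for p in http_ports if p not in dropped | weak),
        }
    return report


def unapplied_policy_maps(text: str) -> List[str]:
    """Policy-maps defined but never bound to an interface (inspection inert)."""
    _, _, policy_inspect, applied = parse_config(text)
    return sorted(set(policy_inspect) - set(applied.values()))


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_p2p_inspection(cfg), "unapplied:", unapplied_policy_maps(cfg))
```

Run it against `show running-config` output saved to a file; an interface listed with a non-empty `uncovered` or `inspected_no_p2p_drop` entry is one where port 80/8080 traffic passes without the P2P check the thread relies on, regardless of what the http-map itself says.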
11-04-2005 02:47 AM
How about applications that tunnel through HTTPS,
like many of these are doing now? Is there any way of stopping that?
11-04-2005 07:04 AM
You can also use NBAR and access-lists at the router level. This is fairly easy. There is a document on Cisco's website about blocking those things.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml
As far as ASA vs PIX, the ASA runs 7.0 code, so I am not sure why a PIX would be preferred to the ASA. I may be stirring up a hornet's nest, but I get the impression that Cisco will be phasing out the PIX in favor of the ASA over time. I really don't see the reason to continue doing both since they would just be taking market share from each other.
12-13-2005 04:09 PM
It would be nice if it worked but it never has - see bug CSCsb41742
12-13-2005 10:21 PM
Hi, can this be done on ver 6.3.4?
Thanks
Iso
12-14-2005 12:03 AM
No. This was one of the much trumpeted advances in v7.0 - so you really have to wonder why after all this time (9 months) it STILL doesn't work.
I probably sound a bit tetchy about this but if you sell an expensive product to a customer based on Cisco's spec and then it doesn't work it's not a happy experience to have (not to mention the time wasted trying to get it to work).
12-14-2005 07:47 AM
Jason,
You are exactly right. Cisco has become the 800-pound gorilla in the Networking World. Cisco's latest business model reminds me of a company based in Redmond, Washington. It seems the Cisco Systems mantra is, "Release this product now so we can make Quarter whatever profit, we can always release a patch later". A good example of that was CiscoWorks LMS 2.5. Unfortunately for people relying on the integrity of Cisco's product and hardware/software specifications... we get shafted. Cisco used to be a reputable company to work with and for; I feel sorry now for any 'tech' who works for Cisco.