06-07-2002 06:34 AM - edited 07-04-2021 11:13 PM
Hello Cisco people
We are using Websense to block most of the sites that we feel necessary but have had problems with programs like AOL, MSN, ICQ chat programs. So I am going to stop this at the PIX and was wondering who out there had blocked chat programs in the enterprise, and methods used.
I fully understand the steps needed to block what is needed on the PIX but was wanting to hear horror stories or problems you might have encountered. I would also like to know what sites (address\protocols) you had to block to stop these programs because some are HTTP-based (AIM, MSN, etc.).
For those of you who have applied rules to the inside interface of the PIX, did you notice any performance issues or any other problem related to having all outbound traffic filtered?
Thank you
Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com
06-14-2002 06:07 AM
You will have some definite hurdles to surmount with HTTP-based programs, as there are few if any known solutions out there for this. Blocking known ports for software such as ICQ poses no larger problem than shutting down telnet or something similar.
08-05-2002 02:04 PM
Try Packetshaper or NetEnforcer. They are bandwidth managing tools that identify various applications and then you may apply a variety of policies. For instance, you may limit the bandwidth per session, per application or block the application altogether. It is neat and fairly inexpensive. Not that difficult to use and great customer support.
12-17-2007 07:48 PM
You can use IPS to filter those HTTP-based chat programs. Too bad that you are still using a PIX firewall.
If you are using an ASA, you can buy the AIP-SSM module, which has IPS/IDS functions.
HTH.
Regards
Joe