
dmam123 |
attempting to block IM by URL will not be successful for newer IM products, as they have survivable routing features built in. True, they first hit specific ports, but failing to connect through those, they then route out through other means, including port 80, which you really do not want to block.
Since you are using GP already, why not create a GP to restrict the installation in the first place? If you do not wish to do that, then a gateway such as IM Logic is your best choice.

Obsidian |
Not sure about IWSS - but we have our pix doing url filtering for all traffic (can be done via secure computing, websense, and a few others).
url-server (dmz) vendor abc host a.b.c.d port 4005 timeout 10 protocol TCP
You can also force all non-domain users to auto-configure the proxy config in their browsers by virtue of wpad:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/automaticdiscovery.mspx - basically you create a wpad entry in your DNS space, and host the wpad config file on a www server.
Lastly, we redirect all port 80 traffic on our cisco routers and redirect it via wccp. If IWSS supports WCCP then you have it made for http (NOT https) traffic:
ip wccp web-cache redirect-list acl# - where the router can wccp redirect all port 80 traffic for review/filtering.
As far as blocking IM - we do a bunch of things. One - block the known outbound ports (which you’ve already done). Two - block the *entire* range of IP numbers for those IM servers. Three - DNS hijack (place fake domains in your local DNS server for msn.com, yahoo.com and others, taking care to provide an alternative DNS for your mail server).
enjoy!
-april
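The WPAD mechanism april points to does not depend on ISA: the browser looks up a host called wpad in its DNS suffix, fetches /wpad.dat from it, and that file is an ordinary JavaScript proxy auto-config (PAC) script whose FindProxyForURL function is called for every request. Below is an added example of such a file, not posted by anyone in this thread; the proxy name and port, the internal DNS suffix and the internal address range are assumed placeholders.

```javascript
// Added example (not from the thread): a WPAD proxy auto-config (PAC) script.
// Serve it as http://wpad.<your-domain>/wpad.dat with the Content-Type
// application/x-ns-proxy-autoconfig; no ISA server is involved. The browser
// discovers it through a "wpad" DNS record (or DHCP option 252) and calls
// FindProxyForURL(url, host) for each request.
//
// Every name and address below is an assumed placeholder.
var PROXY      = "PROXY iwss-proxy.corp.example:8080"; // assumed IWSS listener
var DIRECT     = "DIRECT";
var INT_SUFFIX = ".corp.example";                      // assumed internal DNS suffix
var INT_NET    = "10.0.0.0";                           // assumed internal range
var INT_MASK   = "255.0.0.0";

// The browser's PAC engine supplies isPlainHostName, dnsDomainIs and isInNet.
// The fallbacks below only exist so the file can be exercised outside a
// browser (for example under node); in a browser the built-ins are used.
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName
  : function (host) { return host.indexOf(".") === -1; };
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs
  : function (host, domain) {
      return host.length >= domain.length &&
             host.substr(host.length - domain.length) === domain;
    };
var isInNet = (typeof isInNet === "function") ? isInNet
  : function (ip, net, mask) {
      // The shim handles dotted-quad strings only; the real helper resolves
      // host names to addresses first.
      if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) { return false; }
      var toInt = function (s) {
        var p = s.split(".");
        return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
      };
      return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
    };

function FindProxyForURL(url, host) {
  // Names without a dot, or under the internal suffix, are intranet hosts.
  if (isPlainHostName(host) || dnsDomainIs(host, INT_SUFFIX)) { return DIRECT; }
  // Literal addresses inside the internal range also stay direct.
  if (isInNet(host, INT_NET, INT_MASK)) { return DIRECT; }
  // Everything else goes through the filtering proxy. The usual
  // "PROXY ...; DIRECT" fallback is deliberately left out: with it, a proxy
  // outage would let browsers bypass the filter without anyone noticing.
  return PROXY;
}
```

The file is only a hint to the browser, so it belongs together with a firewall rule that permits outbound HTTP from the proxy alone; a user who switches auto-detection off then simply gets no web access rather than unfiltered access.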

EngineerIT |
Hi again,
GP works for those users who are logging on to the domain. There are some users that are in the workgroup and they do not get Group Policies; hence it is not possible to set their proxy server address.
can you tell me more about IM Logic gateway???
Yeah I know that websense works nice with PIX, but at the moment company is not going to purchase licenses for websense.
wpad requires ISA which I do not have.
Is it possible to use wpad without ISA? if yes HOW?
What are the IP number range for IM servers?
how to configure fake domains in local DNS server for msn.com or yahoo.com (how to make DNS hijacking work)
How it is possible to allow the www (port 80) traffic just from IWSS proxy server? By doing so no other http traffic will be allowed to go out of gateway and all the users will be forced (non GP) to use IWSS proxy. when they will be using IWSS proxy, we can apply all the restrictions?
What do you think about this idea?
I feel this problem needs try and error to be solved.

sonyfreek |
The answer is easier than you think. Set up the pix to block everything going out except if it comes from the proxy server or any server you need to talk directly. Then, they have no choice but to use your proxy server, and hence, get to your allowed URLs. Go ahead and block DNS, Web, HTTPS, those troublesome IMs, etc. to your heart’s content. No one on the inside needs to talk directly outside with the proxy server. Allow only the DNS server(s) to talk to the specific caching DNS server of your ISP, or whomever you use as a forwarder. Allow the proxy to be the only host capable of talking HTTP/HTTPS to the outside. Depending on your needs, make the users go through the proxy for FTP requests or newsgroups, etc.
Hope this helps and opens some eyes. Remember, let the proxy and the servers do their work. There’s no reason for anyone to talk directly to the Internet unless you specifically allow vendors to use your network for presentations. And, if you let them use it, put them on the outside of your firewall or trusted network. Otherwise, you’ll have no control of who’s hacking you from the conference room…
SF
