blocking AOL instant messenger with Cisco Pix 7.x

Unanswered Question
Feb 3rd, 2007

hi all,

I need to do the following:

nat (inside) 1 0 0
global (outside) 1 interface
access-list External permit icmp any any echo-reply
access-list External deny ip any any log
access-list Internal permit tcp any any eq 23
access-list Internal permit tcp any any eq 80
access-list Internal permit udp any any eq 53
access-group External in interface outside
access-group Internal in interface inside

Problem is that users on the inside use AOL instant messaging via port 23 and I would like to block them from using AOL IM on port 23 but I also would like to allow legitimate telnet to go through. I do NOT want to block the AOL IM destination server in the ACL. I want the Pix to be smart enough to accomplish this via application inspection.

I can do this rather easily with Checkpoint SmartDefense, which is built in with the Checkpoint firewall. I am migrating over to Cisco Pix and I would like to do the same thing.

Any ideas on how to do this? Thanks.

David

daviddtran Sat, 01/27/2007 - 23:56

I want EVERYONE from the Internal to be able to telnet out to anywhere on the Internet with the regular telnet application. I do NOT want them to masquerade port 23 with the AOL IM application.

With Checkpoint SmartDefense, I can accomplish this task in less than 10 seconds. I just don't know how to do this with Cisco.

David

bthibode Sun, 02/04/2007 - 08:11

I'm glad the checkpoint can do this in 10 seconds. I can do it on the PIX/ASA in 9 :-) Can you please let me know what version of sw your PIX is running? The solution depends on the version.

Bryan

bthibode Mon, 02/05/2007 - 07:51

Ok, here we go. This is going to be done using ASDM.

Step 1: Launch ASDM

Step 2: Click on the Configuration button at the top of the page

Step 3: Click on the Security Policy button on the left.

Step 4: Click on the Service Policy Rules Tab

Step 5: If you don't have a Service Policy already, create one by clicking on the green plus sign next to the word Add. If you do already have a Service Policy, select the class (it should now be highlighted in blue), then click the green plus sign next to the word Add.

Step 6: Choose the Second Radio button - Global - applies to all interfaces, then click next

Step 7: Leave Create a new traffic class selected and put a check mark next to Default Inspection Traffic under Traffic match criteria and click next

Step 8: Select http and click next

Step 9: Select HTTP and click the configure button directly to the right of HTTP

Step 10: Select the 'Select a HTTP inspect map for fine control over inspection' radio button, then click on the Add button that is now activated

Step 11: On this screen, Give this new class a name. Then click the URI Filtering... button on the bottom right of the page

Step 12: click on Add

Step 13: In the drop down menu for regular Expression, select _default_aim-messenger

Step 14: Click ok

Step 15: Click ok

Step 16: Click ok

Step 17: Click ok

Step 18: Click finish

Step 19: Click Apply

This will set up your ASA to look for and block AIM. I know this might seem like a lot of steps, but like every GUI, once you get used to it, it really takes no time at all.

Bryan

daviddtran Mon, 02/05/2007 - 08:36

Bryan,

1) does it apply to both Pix and ASA or only ASA?

2) did you test it and are you able to block AOL Instant Messaging from traversing port 23?

It seems to me that your instructions have to do with blocking AOL IM via the http port and not port 23.

Regards,

David

daviddtran Mon, 02/05/2007 - 09:11

Bryan,

I tried what you suggested and I still can use AOL IM over port 23. The solution you provided is for using AOL IM over http (aka port 80). I am trying to block it over port 23.

anymore ideas?

bthibode Mon, 02/05/2007 - 09:12

1) This works on any platform running 7.2(2)

2) Have not tested with AIM on port 23 (forgot you mentioned that). To make sure that this catches AIM on all ports, please check match any instead of match default inspection traffic in step 7 of my instructions.

This should scan all ports for AIM.

Bryan

daviddtran Mon, 02/05/2007 - 11:58

Bryan,

The problem with this configuration is that not only does it drop my AOL IM over port 23 but it also drops the legitimate telnet application over port 23. Worse, it also drops my ssh as well.

Any more ideas?

David

bthibode Mon, 02/05/2007 - 12:09

Wow, that was unexpected. Obviously, that's not how this regex is supposed to work. I find it strange that it would drop ssh. SSH is encrypted, so you can't read anything to block it anyway. That's why attacks using ssh are almost impossible to stop. Does your config look like this:

class-map global-class
 match any
!
!
policy-map type inspect http AIM
 parameters
  protocol-violation action drop-connection
 match request uri regex _default_aim-messenger
  drop-connection log
policy-map global-policy
 class global-class
  inspect http AIM
!
service-policy global-policy global

If you have a similar set-up and are still unable to block AIM, then I'm out of ideas. I really don't understand how telnet and ssh would be blocked by the ASA because of this regex, though. Do the blocks show up in your log as being blocked by your service-policy?

Bryan

mhellman Tue, 02/06/2007 - 11:51

I just started playing around with these settings myself and I must say, pretty impressive. They are a little less intuitive than they could be.

try the following..it worked for me:

1) Create a new HTTP inspect map.

click on 'inspect maps' then 'http'. Enter a name and description. click 'customize' and uncheck 'check for protocol violations'. click 'ok'. click 'URL filtering' then 'add' and select the provided _default_aim-messenger regex and click 'ok'. click 'ok' again. click 'add'. click 'apply'.

2) enable the new HTTP inspection on tcp port 23.

click on 'security policy'->'add'. click 'Next'. check 'tcp or udp destination port' and click next. select 'telnet' as the service and click next. check 'http' and click 'configure'. select the HTTP inspect map you just created from the list and click 'ok'. click 'finish'.

daviddtran Tue, 02/06/2007 - 18:33

class-map global-class
 match port tcp eq telnet
!
!
policy-map type inspect http test
 parameters
 match request uri regex _default_aim-messenger
  drop-connection log
policy-map global-policy
 class global-class
  inspect http test
!
service-policy global-policy global

It didn't work for me. I can still use AOL IM on telnet port. Can you post your config? I am running version 7.2(2). Thanks.

David

mhellman Wed, 02/07/2007 - 07:12

I tested that specific regex using a browser, not the actual AOL IM client, and it worked. The "_default_aim-messenger" regex does a case insensitive search for "http.proxy.icq.com". Do you know if that is correct? I would recommend getting a trace of the client and looking for that specific string in the URL.

I fired up an apache server on tcp port 23. When I connected with just http://www.server.com:23, the default page came up. When I connected with

http://www.server.com:23/http.proxy.icq.com I got a "page cannot be displayed" error. The request timed out and wasn't reset. It would be better if the Pix sent a reset, which is an option when configuring the inspection. I know it worked though because here is the log entry:

5 Feb 07 2007 09:05:49 415006 HTTP - matched request uri regex _default_aim-messenger in policy-map aim-messenger, URI matched - Dropping connection from inside:/15058 to outside:/23

I would guess that the default regex is not correct, or at least not when used as a URL filter(i.e. regex matches somewhere else in HTTP request). Get that trace and find out if/where http.proxy.icq.com shows up.

mhellman Wed, 02/07/2007 - 08:31

FWIW, I just fired up AOL 6.0 --you owe me big for installing this crap;-)

Nowhere during the login process did I see "http.proxy.icq.com". I suspect that regex is no longer correct. Is this person using an external http proxy running on port 23 or what?

In any event, AIM V6 appears to use HTTPS for authentication. You probably will have to use an ACL or proxy-based URL filtering to block that. Another alternative is to block the DNS lookups that occur. This probably won't work if the user is using an http proxy and not doing direct DNS lookups (get a trace!). I created a custom DNS inspection map that blocks the domain name kdc.uas.aol.com. The standard AIM V6 client no longer works.

4 Feb 07 2007 10:28:34 410003 DNS Classification: Dropped DNS request (id 36921) from inside:/1045 to outside:/53; matched Class 22: match domain-name regex aim_v6

daviddtran Wed, 02/07/2007 - 09:35

1) I am using AOL IM version 6.0. I am NOT using any external http proxy, just straightforward port 23.

Are you sure it uses https for authentication? Because when I run tcpdump on my checkpoint firewall, I did NOT see any https, I only see port 23 and DNS udp port 53.

What you suggested will work but I do not want to do that. It seems to me that the Pix firewall does not do "deep inspection" the way the checkpoint firewall does. As I've stated earlier, I can do this with Checkpoint in 10 seconds. I don't want to deal with blocking DNS because "smart" users know how to bypass this security and hard-code the IP address into the AOL client (a few registry changes are all it takes).

Thanks again for taking the time to go through this exercise with me.

David

CCIE Security

mhellman Wed, 02/07/2007 - 10:53

I'm confused I guess, but then I'm not an AIM user. AIM is not peer to peer, is it? The client actually connects to something on port 23...what is it connecting to? Surely the AOL servers don't support connections on every port? If it's not the AOL server, then doesn't it have to be either a proxy or a device that forwards connections to the AOL servers on the supported ports? I suppose I'm just naive when it comes to this client.

In any event, it does not matter. The pix DOES definitely support deep packet inspection for specific protocols, including HTTP. If you know the regex you want to block, then create it and the commands I suggested earlier will work. You just can't use the default regex supplied by Cisco.

daviddtran Wed, 02/07/2007 - 12:39

You're wrong. I can get the AOL client to connect on port 23, 80, 443, 25, etc... therefore, the AOL servers can accept just about every port. BTW, the client is actually connecting on port 23.

Pix may do deep packet inspection for http but not for every other protocol, as evidenced in my test with port 23.

Do you know the regex for telnet port 23 to block AOL IM?

David

mhellman Wed, 02/07/2007 - 13:49

Are you using the pro client perhaps? I tried it and indeed it allows changing the port and configuring a proxy. I got a trace and this does not look like HTTP though. I think we're finally on the same page....you're SOL. Does it look like HTTP in your trace? I don't think the Pix can generically inspect tcp sessions using regex matching.

daviddtran Wed, 02/07/2007 - 14:13

Here is the tcpdump on the External interface of the Checkpoint firewall. As you can see, it connects via port 23 and dns udp port 53 for resolution. Yes, there is some port 80 but it is because when you connect with AOL, it opens the browser and sends advertisements over port 80, but the actual communication is going through port 23.

No, I am not using the AOL pro client, just the standard free version of AOL. Nothing special. Look at the tcpdump below on the checkpoint:

dca2-Nokia-1-P[admin]# tcpdump -i eth3 -n not host 224.0.0.18 and host 217.200.1.125
tcpdump: listening on eth3
22:06:34.314049 O 217.200.1.125.10261 > 129.174.1.8.53: 10953+ (37)
22:06:34.319854 I 129.174.1.8.53 > 217.200.1.125.10261: 10953 2/3/3 (219) (DF)
22:06:34.343954 O 217.200.1.125.10557 > 64.12.161.153.23: S 3777049618:3777049618(0) win 65535 (DF)
22:06:34.350832 I 64.12.161.153.23 > 217.200.1.125.10557: S 857085545:857085545(0) ack 3777049619 win 16384 (DF)
22:06:34.351625 O 217.200.1.125.10557 > 64.12.161.153.23: . ack 1 win 65535 (DF)
22:06:34.357983 I 64.12.161.153.23 > 217.200.1.125.10557: P 1:11(10) ack 1 win 16384 (DF)
22:06:34.358671 O 217.200.1.125.10557 > 64.12.161.153.23: P 1:11(10) ack 11 win 65525 (DF)

mhellman Wed, 02/07/2007 - 14:26

It's the payload that matters. If it isn't normal HTTP running on port 23, then I don't think the PIX will be able to do "deep inspection". In the AIM pro client I'm using, when you configure a proxy it uses normal HTTP...when you don't it does not.

daviddtran Wed, 02/07/2007 - 14:42

When I or anyone use AOL, I do not use an http proxy because telnet (port 23) is allowed outbound. Because of that, users can configure the AOL IM client to use port 23, masquerading as the telnet port, to connect to AOL servers. AOL servers will accept just about any tcp port. BTW, I don't have a proxy in my lab environment. And why even bother when I can configure the aol im client to traverse via port 23.

I think this is where the difference between Checkpoint and Pix lies. Checkpoint Smartdefense can detect that the AOL IM client is using tcp port 23 or any other tcp port for connectivity while Cisco Pix cannot do that except when users traverse with the http port.

David

ccie security

mhellman Thu, 02/08/2007 - 06:20

On my network, nothing is allowed out from clients unless it's proxied. The point I was trying to make is that HTTP is only used if a proxy is selected. Otherwise, the client appears to use a proprietary protocol called OSCAR (http://en.wikipedia.org/wiki/OSCAR_protocol). Based on what I see in the AIM Pro client, this may be correct.

If AIM used normal HTTP and just a different port (say 23 or 25) then the Pix could do deep packet inspection and could be configured to block access based on things like URL, HTTP headers, POST arguments, etc. The port is irrelevant, what matters is the application protocol. If it does not use HTTP(or one of the other supported inspections in the Pix), I don't think the Pix can do anything other than block based on IP address. Perhaps Checkpoint has an inspection engine for the Oscar protocol?

I would recommend getting a full trace of the client and viewing in Wireshark. Try decoding as HTTP.
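As an added illustration (not code from this thread, from Cisco or from Checkpoint), a small Python model of the point made in the posts above: an HTTP inspect URI regex is only ever evaluated against a parsed HTTP request, so AIM's OSCAR traffic on port 23 never reaches the regex, while with `protocol-violation action drop-connection` every non-HTTP flow in the class (telnet, ssh) gets dropped. The payloads are constructed samples, and the FLAP hello layout is an assumption consistent with the 10-byte server hello in the trace.

```python
import re

# Constructed sample payloads: the first bytes sent after the TCP handshake,
# with no TCP/IP headers. The TCP port is deliberately not part of the input.
SAMPLES = {
    # mhellman's Apache-on-port-23 test: plain HTTP with the ICQ proxy string in the URI
    "http_on_23": b"GET /http.proxy.icq.com HTTP/1.1\r\nHost: www.server.com:23\r\n\r\n",
    # Legitimate telnet: IAC DO <option> negotiation bytes (0xff 0xfd ...)
    "telnet": b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27",
    # AIM without a proxy (OSCAR): FLAP marker 0x2a, channel 1, sequence 1,
    # 4-byte body, protocol version 1 (assumed layout, 10 bytes as in the trace)
    "oscar_on_23": b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01",
}

# What the thread says _default_aim-messenger does: case-insensitive search
# for "http.proxy.icq.com" in the request URI.
AIM_URI_REGEX = re.compile(rb"http\.proxy\.icq\.com", re.IGNORECASE)
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Identify the application protocol from the payload alone."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # FLAP frames start with 0x2a followed by a channel id of 1..5
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        return "oscar-flap"
    if payload[:1] == b"\xff" and payload[1:2] in (b"\xfb", b"\xfc", b"\xfd", b"\xfe"):
        return "telnet"
    return "unknown"


def inspect_http(payload: bytes, protocol_violation: str = "drop-connection") -> str:
    """Model 'inspect http' with a 'match request uri regex' filter.

    Non-HTTP payloads are protocol violations: with the default action from
    Bryan's config they are dropped (this is what hit telnet and ssh under
    'match any'); with 'log' they pass and the URI regex is never evaluated.
    """
    m = HTTP_REQUEST_LINE.match(payload)
    if not m:
        return "drop-connection" if protocol_violation == "drop-connection" else "pass"
    uri = m.group(2)
    return "drop-connection" if AIM_URI_REGEX.search(uri) else "pass"
```

Run `classify` and `inspect_http` over the three samples to see that only the HTTP request on port 23 is caught by the regex, and that the OSCAR flow is either dropped as a protocol violation or passed untouched, never matched.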

cisconoobie Fri, 02/23/2007 - 06:31

The steps Bryan showed are correct but there is a bug with version 7.2 and http inspections. You have to make sure "protocol violations" is set to log only and inspection set to drop connection. If you don't set it to "log only", it will drop things like activex and some other things passing through http.

daviddtran Fri, 02/23/2007 - 06:49

Sadly, it did not help me because, as I've said before, AOL can masquerade as telnet or smtp ports so http inspection is useless to me since the AOL App does not have to use the http port. Anyway, I decided to stick with the Checkpoint firewall.

Thanks everyone.

David

daviddtran Fri, 02/23/2007 - 07:12

Hi Bryan,

I do not have a TAC case # for this. I did ask this question to one of the Cisco Engineers when he came to our facility to train our Network Operations folks for FWSM and Pix 7.x. He told me that he was looking into it and would get back to me but I've not heard from him since.

Were you able to test this as well?

David

bthibode Fri, 02/23/2007 - 07:17

David,

The default AIM inspection, set up like I recommended, works for just about everyone. My colleagues here use my template with success. I've never paid attention to the version number before. It does sound like buggy behaviour now that I think about it. Cisconoobie posted that he opened a TAC case and the engineer told him that this was a bug in 7.2. I was asking if he could furnish me with that TAC case number or bug ID.

Bryan

cisconoobie Fri, 02/23/2007 - 10:49

SR 605442403

Please let me know.

My problem was that after applying this, I could not get to Windows Update, which opens an ActiveX control to scan your PC.

zulqurnain Sat, 02/03/2007 - 20:34

hello,

Like you said, you want to block AOL IM using port 23 and at the same time you want to allow legitimate telnet to go through. The idea is that if you know the legitimate IPs that alone should be allowed, then you can just edit your ACL,

e.g.

access-list internal permit tcp host <legitimate IP> any eq 23

This will only allow them to access telnet through port 23 and all other users will be denied access using port 23.

HTH

please rate if helped

regards
