I'm glad the checkpoint can do this in 10 seconds. I can do it on the PIX/ASA in 9 :-) Can you please let me know what version of sw your PIX is running? The solution depends on the version.

Bryan

hi,

I am running version 7.2(2).

Ok, here we go. This is going to be done using ASDM.

Step 1: Launch ASDM

Step 2: Click on the Configuration button at the top of the page

Step 3: Click on the Security Policy button on the left.

Step 4: Click on the Service Policy Rules Tab

Step 5: If you don't have a Service Policy already, create one by clicking on the green plus sign next to the word Add. If you do already have a Service Policy, select the class (it should now be highlighted in blue), then click the green plus sign next to the work Add.

Step 6: Choose the Second Radio button - Global - applies to all interfaces, then click next

Step 7: Leave Create a new traffic class selected and put a check mark next to Default Inspection Traffic under Traffic match criteria and click next

Step 8: Select http and click next

Step 9: Select HTTP and click the configure button directly to the right of HTTP

Step 10: Select the 'Select a HTTP inspect map for fine control over inspection' radio button, then click on the Add button that is now activated

Step 11: On this screen, Give this new class a name. Then click the URI Filtering... button on the bottom right of the page

Step 12: click on Add

Step 13: In the drop down menu for regular Expression, select _default_aim-messenger

Step 14: Click ok

Step 15: Click ok

Step 16: Click ok

Step 17: Click ok

Step 18: Click finish

Step 19: Click Apply

This will set up your ASA to look for and block AIM. I know this might seem like a lot of steps, but like every GUI, once you get used to it, it really takes no time at all.

Bryan

Bryan,

1) does it apply to both Pix and ASA or only ASA?

2) did you test it and you are able to block

AOL Instant Messenging from traversing port

23?

It seems to me that your instructions have to

do with blocking AOL IM via http port and not port 23.

Regards,

David

Bryan,

I tried what you suggested and I still can use

AOL IM over port 23. The solution you provided

is for using AOL IM over http (aka port 80).

I am trying to block it over port 23.

anymore ideas?

1) This works on any platform running 7.2(2)

2) Have not tested with AIM on port 23 (forgot you mentioned that). To make sure that this catches AIM on all ports, please check match any instead of match default inspection traffic in step 7 of my instructions.

This should scan all prots for AIM.

Bryan

Bryan,

The problem with this configuration is that

not only it drops my AOL IM over port 23 but it

also drops legitimate telnet application over

port 23. Worse, it also drops my ssh as well.

Any more ideas?

David

Wow, that was unexpected. Obviously, thats not how this regex is supposed to work. I find it strange that it would drop ssh. SSH is encrypted, so you can't read anything to block it anyways. Thats why attacks using ssh are almost impossible to stop. Does your config look like this:

class-map global-class

match any

!

!

policy-map type inspect http AIM

parameters

protocol-violation action drop-connection

match request uri regex _default_aim-messenger

drop-connection log

policy-map global-policy

class global-class

inspect http AIM

!

service-policy global-policy global

If you have a similair set-up and are still unable to block AIM, then I'm out of ideas. I really don't understand how telnet and ssh would be clocked by the ASA because of this regex, though. Do the blocks show up in your log as being blocked by your service-policy?

Bryan

I just started playing around with these settings myself and I must say, pretty impressive. They are a little less intuitive than they could be.

try the following..it worked for me:

1) Create a new HTTP inspect map.

click on 'inspect maps' then 'http'. Enter a name and description. click 'customize' and uncheck 'check for protocol violations'. click 'ok'. click 'URL filtering' then 'add' and select the provided _default_aim-messenger regex and click 'ok'. click 'ok' again. click 'add'. click 'apply'.

2) enable the new HTTP inspection on tcp port 23.

click on 'security policy'->'add'. click 'Next'. check 'tcp or udp destination port' and click next. select 'telnet' as the service and click next. check 'http' and click 'configure'. select the HTTP inspect map you just created from the list and click 'ok'. click 'finish'.

class-map global-class

match port tcp eq telnet

!

!

policy-map type inspect http test

parameters

match request uri regex _default_aim-messenger

drop-connection log

policy-map global-policy

class global-class

inspect http test

!

service-policy global-policy global

It didn't work for me. I can still use AOL IM on telnet port. Can you post your config? I am running version 7.2(2). Thanks.

David

I tested that specific regex using a browser, not the actual AOL IM client, and it worked. The "_default_aim-messenger" regex does a case insensitive search for "http.proxy.icq.com". Do you know if that is correct? I would recommend getting a trace of the client and looking for that specific string in the URL.

I fired up an apache server on tcp port 23. When I connected with just http://www.server.com:23, the default page came up. When I connected with

http://www.server.com:23/http.proxy.icq.com I got a "page cannot be displayed" error. The request timed out and wasn't reset. It would be better if the Pix sent a reset, which is an option when configuring the inspection. I know it worked though because here is the log entry:

5 Feb 07 2007 09:05:49 415006 HTTP - matched request uri regex _default_aim-messenger in policy-map aim-messenger, URI matched - Dropping connection from inside:/15058 to outside:/23

I would guess that the default regex is not correct, or at least not when used as a URL filter(i.e. regex matches somewhere else in HTTP request). Get that trace and find out if/where http.proxy.icq.com shows up.

FWIW, I just fired up AOL 6.0 --you owe me big for installing this crap;-)

Nowhere during the login process did I see "http.proxy.icq.com". I suspect that regex is no longer correct. Is this person using an external http proxy running on port 23 or what?

In any event, AIM V6 appears to use HTTPS for authentication. You probably will have to use an ACL or proxy-based URL filtering to block that. Another alternative is to block the DNS lookups that occur. This probably won't work if the user is using an http proxy and not doing direct DNS lookups (get a trace!). I created a custom DNS inspection map that blocks the domain name kdc.uas.aol.com. The standard AIM V6 client no longer works.

4 Feb 07 2007 10:28:34 410003 DNS Classification: Dropped DNS request (id 36921) from inside:/1045 to outside:/53; matched Class 22: match domain-name regex aim_v6

1) i am using AOL IM version 6.0.

I am NOT using any external http proxy, just

straight forward port 23.

Are you sure about it uses https for authentication because when I run tcpdump on

my checkpoint firewall, I did NOT see any https,

I only see port 23 and DNS udp port 53.

What you suggested will work but I do not want

to do that. It seems to me that Pix firewall

does not do "deep inspection" the way

checkpoint firewall does. As I've stated

earlier, I can do this with Checkpoint in 10

seconds. I don't want to deal with blocking

DNS because "smart" users know how to bypass

this security and hard-code the IP address

into AOL client (a few registries changes

is all it takes).

Thanks again for taking the time to go through

this exercise with me.

David

CCIE Security