blocking nachi worm with cisco Pix 7.x

Feb 4th, 2007

Hi All,

I would like to block the Nachi worm on a Cisco PIX firewall running version 7.2(2) code.

On Cisco IOS, I do this:

access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachi-worm permit 10
match ip address 199
match length 92 92
set interface Null0
interface f0/0
no ip unreachables
ip route-cache policy
ip policy route-map nachi-worm

This can be done very easily with Checkpoint firewalls 'cause I've done it many times. I would like to accomplish this with Cisco PIX 7.x code. Is it possible? Thanks.

David
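As an added illustration (not part of the original thread or any Cisco code), the check below applies the same test the IOS route-map above encodes: ICMP echo or echo-reply (access-list 199) whose IP total length is exactly 92 bytes (match length 92 92, read here as the IPv4 total-length field). The packets it inspects are constructed samples, and the helper names are this example's own.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
NACHI_IP_LENGTH = 92  # the route-map's "match length 92 92"


def matches_nachi_probe(packet: bytes) -> bool:
    """Return True if a raw IPv4 packet satisfies the route-map's test:
    ICMP echo or echo-reply (access-list 199) with an IP total length of
    exactly 92 bytes (match length 92 92). Anything else returns False."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # not IPv4 (or truncated)
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    (total_length,) = struct.unpack_from("!H", packet, 2)
    protocol = packet[9]
    if protocol != 1 or total_length != NACHI_IP_LENGTH:
        return False                      # not ICMP, or wrong length
    if len(packet) < ihl + 1:
        return False                      # no ICMP header to inspect
    icmp_type = packet[ihl]
    return icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)


def build_icmp_echo(payload_len: int, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Construct a sample IPv4/ICMP packet (constructed test data, not a capture).
    Checksums are left as zero; the length/type test does not depend on them.
    Addresses are from the 192.0.2.0/24 documentation range."""
    total_length = 20 + 8 + payload_len
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_length, 0, 0, 64, 1, 0,
                            bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    icmp_header = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip_header + icmp_header + bytes(payload_len)


def count_matches(packets) -> int:
    """How many packets in the list would the route-map send to Null0."""
    return sum(1 for p in packets if matches_nachi_probe(p))


if __name__ == "__main__":
    samples = [build_icmp_echo(64),                   # 92-byte echo: matches
               build_icmp_echo(56),                   # 84-byte ping: passes
               build_icmp_echo(64, ICMP_ECHO_REPLY)]  # 92-byte reply: matches
    print("matched", count_matches(samples), "of", len(samples))
```

A standard 56-byte-payload ping (84-byte IP packet) does not match, which is why the exact length test lets ordinary echo traffic through while the 92-byte probes are dropped.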

sachinraja Sun, 02/04/2007 - 16:34

Hello David,

PIX will not do source based routing. Anyway, the way PIX works is different from a router! On a PIX, all packets are blocked by default from outside to inside, which is not a feature on routers. You can put the following access-list on the PIX to block Nachi-based traffic going from inside to outside:

access-list acl_inside deny icmp any any echo
access-list acl_inside deny icmp any any echo-reply
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny udp any any eq 69
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq 137
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq 138
access-list acl_inside deny tcp any any eq 139
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside permit ip any any
access-group acl_inside in interface inside

This is the best thing you can do with a firewall. If you want more protection, I think you have to have an IPS in place. Please refer to this security notice:

http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html

Hope this helps. All the best. Rate replies if found useful.

Raj

daviddtran Sun, 02/04/2007 - 18:03

Hi Raj,

Point very well taken. However, I think you may want to rephrase this:

"This is the best thing you can do with a firewall".

I think what you meant to say is "Cisco PIX/ASA firewall" because I can accomplish this quite easily with both Checkpoint and Juniper firewalls.

Thanks.

David

sachinraja Sun, 02/04/2007 - 19:37

Hello David,

What I meant was, firewalls give only 70% security to the network. If there are some ports opened on the firewall, it generally passes the traffic on those ports without doing application inspection, the level at which a normal IPS does. With the modern ASA firewalls, you can have IPS modules built into the firewall (with the SSM), which can give you much better protection! Probably the firewalls you had had the built-in IPS functionality! Anyway, with Cisco, you can do everything that is possible with other firewalls; I don't think there can be anything missed out. The biggest positive of Cisco, any day, is the support and documentation, which is not even 50% of what other vendors provide.

Hope this helps. All the best. Rate replies if found useful.

Raj

sachinraja Tue, 02/06/2007 - 15:42

Hello David,

Do you need any other assistance with respect to this case?

Raj

daviddtran Wed, 02/07/2007 - 05:29

Hi Raj,

Basically no. I just got confirmation from Cisco TAC that what I am trying to do is not possible with Cisco PIX. I don't understand why Cisco doesn't design firewalls like other vendors such as Juniper or Checkpoint. Checkpoint has had this capability since version 4.1, like six years ago.

David

sachinraja Wed, 02/07/2007 - 23:57

Hello David

I think each vendor has its own architecture. With PIX, there are features which aren't available as on routers, since they are functionally two different products (like source routing, route maps, etc.). With the 7.x version of PIX, you do have QoS, with class-maps, policy-maps, etc. You can make sure you don't allow junk traffic like Nachi across your PIX by configuring QoS and shaping. I'm really not sure if this will solve your issue. Anyway, as I had given above, the following URL will give you basic protection against Nachi:

http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html

And of course, all firewalls aren't the same :) There can be pros and cons for any manufacturer! Anyway, Cisco works a lot to put in more features as time goes on! Probably they will incorporate the features you need in future releases.

Hope this helps. All the best. Rate replies if found useful.

Raj
