Inspecting HTTP traffic to block MSN Messenger

Unanswered Question
Aug 8th, 2008

Hello Guys,

I'm trying to block IM (MSN) traffic on a Cisco ASA5520 with Software Version 7.2(4)

The configuration which is provided in the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

It's perfect for blocking IM traffic; the issue is that I could see that MSN, after being blocked, encapsulates itself in HTTP traffic using port 80 and is therefore able to establish the connection.

I guess I have to inspect HTTP traffic for something and discard that "something". I would like a little help on how to accomplish this, and do you think that making a rule to open every HTTP packet to see whether there is a connection attempt to MSN isn't going to overload the ASA hardware?

Thanks for everything

Nuno

Farrukh Haroon Fri, 08/08/2008 - 06:03

One option would be to block non-RFC-compliant traffic using the protocol-violation command, but this could block a lot of legitimate websites using non-standard code.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1867542

You could also use an IPS. You could also DNS black hole the MSN chat addresses and restrict users' access to the local hosts file (very important if you use this technique).

However, they could still use e-buddy :). So an IPS/filtering web proxy is always better.

Regards

Farrukh

nuno-pinto Fri, 08/08/2008 - 06:26

Hello,

Yes, using an IPS/filtering solution would be ideal, except for the money :=)

So I need to cook with the ingredients that I have :-(

Attached, I'm sending a simple capture of one packet only, where you can see the MSN encapsulation.

I was thinking about making a policy to inspect HTTP and then applying a rule where, using a regex matching MSN, the connections are dropped.

Do you guys think this is possible to be accomplished?

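An added example of the regex-based HTTP inspection proposed above, written in ASA 7.2 Modular Policy Framework syntax. It is not from the original thread or from the linked Cisco document. The hostname in the regex is an assumption based on the usual MSN-over-HTTP gateway and must be replaced with whatever Host header the captured packet actually shows.

```text
! Added example (not from the thread): drop HTTP connections whose Host
! header matches the MSN HTTP gateway. The hostname is an assumption;
! replace it with the Host value seen in the capture.
regex msn-http-gateway "gateway\.messenger\.hotmail\.com"
!
! Group one or more hostnames into a regex class
class-map type regex match-any msn-hosts
 match regex msn-http-gateway
!
! Match HTTP requests whose Host header hits the regex class
class-map type inspect http match-all msn-over-http
 match request header host regex class msn-hosts
!
! Reset and log the connection when the class matches
policy-map type inspect http http-block-msn
 parameters
 class msn-over-http
  drop-connection log
!
! Attach the HTTP inspection map to the default port 80 traffic class
! in the global policy (these class-map/policy-map names exist by default)
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http http-block-msn
service-policy global_policy global
```

Check that the class is actually matching with `show service-policy inspect http`, and watch `show cpu usage` after enabling it, since every port 80 connection now passes through the HTTP inspection engine. This only sees cleartext HTTP; a client that tunnels over port 443 is not covered by this policy.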
nuno-pinto Fri, 08/08/2008 - 06:56

Do you think that this will have a huge impact on the machine's processing?

Farrukh Haroon Fri, 08/08/2008 - 07:08

This would depend on which model you have and the amount of such traffic. If this becomes too much of a performance issue, just use 'DNS' to block MSN (as mentioned in my previous posts).

Regards

Farrukh
