
Inspecting HTTP traffic to block MSN Messenger

nuno-pinto
Level 1

Hello Guys,

I'm trying to block IM (MSN) traffic on a Cisco ASA5520 with Software Version 7.2(4).

The configuration which is provided in the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

It's perfect for blocking IM traffic. The issue is that I could see that MSN, after being blocked, encapsulates itself in HTTP traffic using port 80 and is therefore able to establish the connection.

I guess I have to inspect HTTP traffic for something and discard that "something". I would like to have a little help on how to accomplish this, and to know if you guys think that making a rule to open every HTTP packet, to see if there's a connection attempt to MSN, isn't going to overload the ASA hardware?

Thanks for everything

Nuno


Farrukh Haroon
VIP Alumni

One option would be to block NON-RFC traffic using the protocol-violation command, but this could block a lot of legitimate websites using non-standard code.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1867542

You could also use an IPS. You could also DNS black hole the MSN chat addresses and restrict users' access to the local hosts file (very important if you use this technique).

However they could still use e-buddy :). So an IPS/Filtering web-proxy is always better.

Regards

Farrukh

Hello,

Yes, using an IPS/Filtering solution would be ideal, with the exception of the money :=)

So I need to cook with the ingredients that I have :-(

Attached, I'm sending a simple capture of one packet only, where you can see the MSN encapsulation.

I was thinking about making a policy to inspect HTTP and then applying a rule using a REGEX matching MSN -> connections drop.

Do you guys think this is possible to be accomplished?

I would rather block using the 'host' portion of the packet, have a look at this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Something along the lines of:

match request header host regex ...

Regards

Farrukh
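
The Host-header match suggested above, written out as a full ASA 7.2+ Modular Policy Framework configuration. This is an added example, not part of the original posts or the linked Cisco document; every object name, the `inside` interface name and the host pattern are placeholders to replace with the Host value seen in your own capture.

```cisco
! Added example: object names and the host pattern are placeholders
! (assumptions), not values taken from the thread.
regex MSN_HTTP_HOST "messenger\.example\.com"
!
! Group patterns so further hosts can be added without touching the policy.
class-map type regex match-any MSN_HOST_LIST
 match regex MSN_HTTP_HOST
!
! Match HTTP requests whose Host header hits any pattern in the list.
class-map type inspect http match-all MSN_OVER_HTTP
 match request header host regex class MSN_HOST_LIST
!
! Drop and log only the matching connections; other HTTP passes.
policy-map type inspect http MSN_HTTP_POLICY
 class MSN_OVER_HTTP
  drop-connection log
!
! Restrict HTTP inspection to TCP port 80 flows.
class-map INSIDE_HTTP
 match port tcp eq 80
!
policy-map INSIDE_POLICY
 class INSIDE_HTTP
  inspect http MSN_HTTP_POLICY
!
! Only one service-policy can be bound to an interface; if one already
! exists on "inside", add the class to that policy-map instead.
service-policy INSIDE_POLICY interface inside
```

ASA regexes match anywhere in the header value, so keep patterns as specific as the capture allows to avoid dropping unrelated sites. `show service-policy inspect http` shows the per-class counters once traffic flows.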

Do you think that this will have a huge impact on the machine's processing?

This would depend on which model you have and the amount of such traffic. If this becomes too much of a performance issue, just use 'DNS' to block MSN (as mentioned in my previous posts).

Regards

Farrukh

I tested this blocking of MSN and saw the encapsulation in HTTP, then it was working again. So I also configured a URL domain list block on the specific URL domains that MSN uses...

hotmail.com

live.com

mail.com

live.mail.com

Works a treat

HTH
