Is it possible to apply a security policy based on domain names as opposed to IP addresses/ranges on an ASA5505/ASA5510? I have been told this is impossible, but just in case anyone has found anything new?

Answered Question
Jul 21st, 2011

We have a requirement for a WSUS server to receive updates which sits behind an ASA5505 and in some cases an ASA5510. I understand that to enable this the WSUS server needs to communicate with many DNS names, and therefore there are many potential IP addresses/ranges that the ASA needs to apply the appropriate security policy to. An example of just a few of the DNS names we need to apply a security policy to are http://windowsupdate.microsoft.com, http://*.windowsupdate.microsoft.com, https://*.windowsupdate.microsoft.com etc.
Is it possible to apply a security policy based on domain names as opposed to IP addresses/ranges on an ASA5505/ASA5510? I have been told this is impossible, but just in case anyone has found anything new.

The reason why I don't just "exclude the WSUS server from the policy" is because the question is not just about WSUS. The reason I ask whether it is possible to apply a security policy based on domain names as opposed to IP addresses/ranges on an ASA5505/ASA5510 is so that I can close everything off on my network and still have access to WSUS, NIST Time Service, Google Earth, Symantec Live Update and a few other sites and services, without opening up my network and machines to everyone and everything. I would like to shut down all internet access, in and out, except to these services, sites, etc., while at the same time keeping up all of my site-to-site IPsec VPN tunnels I have to my remote offices.
Thanks Jason

BTW: Anyone interested in Starting up / Co Founding a Los Banos, CA Cisco FAN Club?

Thanks

Jason Browne

Correct Answer by Jay Johnston about 2 years 8 months ago

Jason,

This is possible but with some caveats. Check a doc on this here:

https://supportforums.cisco.com/docs/DOC-17014

- Jay

jasonadambrowne Thu, 08/04/2011 - 09:57

Thanks Jay. Is your solution preferable to the following method provided by Chris C?

Please see the link below. It describes how to filter out certain websites, but if you use No Match when creating the HTTP Class Maps you get the opposite effect: all websites are filtered except the ones you list. You should be able to look at your production ASA if you need to see how it's set up.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

To undo filtering and set everything open temporarily, just go to Configuration -> Firewall -> Service Policy Rules and uncheck the Enabled boxes for the httptraffic rule. That will open it wide again.

Also, this is just filtering ports 80 and 8080, so any other ports are still open.

Your method and this one are the only two I have been able to get. I need to start implementing a solution soon. I am hoping to block out all traffic but that allowed through. This second solution only filters ports 80 and 8080; it does not look at other ports.

thanks

Jason

Message was edited by: jason browne

Jay Johnston Thu, 08/04/2011 - 10:06

Jason,

The two approaches really do different things. If your goal is to control what URLs and servers certain users can access, then a more robust solution using an external URL server might be a better solution:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_filter.html#wp1045692

That being said, if you're only looking to control access for a specific host, then configuring HTTP application inspection on the ASA and applying it just to traffic sourced from that server should work ok. You can limit the specific URLs that the client can send traffic to.

More examples can be found here:

https://supportforums.cisco.com/docs/DOC-1268
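
As an added example (not configuration from this thread, from Cisco's linked documents, or from the poster's ASA): the "No Match" HTTP class-map approach Chris C describes, applied, as Jay suggests, only to traffic sourced from the WSUS server, written out as an ASA configuration. The WSUS address 10.0.0.5, the interface name inside, all object and class names, and the placeholder allowed-site.example are assumptions; the Microsoft update domain is the one from the question.

```cisco
! Added example, not from the thread. Assumptions: WSUS server 10.0.0.5 on
! interface "inside"; all names below are made up for this example.
!
! 1. Domain patterns. These are matched against the HTTP Host header, so anchor
!    them: an unanchored "windowsupdate\.microsoft\.com" would also match a host
!    such as windowsupdate.microsoft.com.attacker.example.
regex ALLOW_WINDOWSUPDATE "^([a-z0-9-]+\.)*windowsupdate\.microsoft\.com(:[0-9]+)?$"
! Placeholder: add one regex per permitted site (NIST, Symantec, Google, ...).
regex ALLOW_SITE_2 "^allowed-site\.example$"

class-map type regex match-any ALLOWED_HOSTS
 match regex ALLOW_WINDOWSUPDATE
 match regex ALLOW_SITE_2

! 2. Layer-7 class. "match not" inverts the list: this class matches every
!    request whose Host header is NOT on the allow list.
class-map type inspect http match-all HTTP_NOT_ALLOWED
 match not request header host regex class ALLOWED_HOSTS

! 3. HTTP inspection policy: drop and log anything the class catches.
policy-map type inspect http HTTP_ALLOWLIST
 parameters
 class HTTP_NOT_ALLOWED
  drop-connection log

! 4. Layer-3/4 class: only traffic sourced from the WSUS host on the web ports.
!    This is the caveat from the thread: inspection covers 80 and 8080 only;
!    443 is encrypted, so the Host header cannot be matched there.
access-list WSUS_HTTP extended permit tcp host 10.0.0.5 any eq www
access-list WSUS_HTTP extended permit tcp host 10.0.0.5 any eq 8080
class-map WSUS_HTTP_CLASS
 match access-list WSUS_HTTP

! 5. Attach the inspection to the inside interface's service policy.
policy-map INSIDE_POLICY
 class WSUS_HTTP_CLASS
  inspect http HTTP_ALLOWLIST
service-policy INSIDE_POLICY interface inside

! 6. The interface ACL closes everything else (the "shut down all internet
!    access" half). Site-to-site IPsec traffic keeps flowing because it bypasses
!    interface ACLs while "sysopt connection permit-vpn" (the default) is set.
!    The DNS line assumes the WSUS host resolves names through an outside server.
access-list INSIDE_IN extended permit tcp host 10.0.0.5 any eq www
access-list INSIDE_IN extended permit tcp host 10.0.0.5 any eq 8080
access-list INSIDE_IN extended permit udp host 10.0.0.5 any eq domain
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! Verification: check a pattern against a sample Host value, then watch the
! inspection counters and the drop logs while the WSUS server synchronises.
!   test regex windowsupdate.microsoft.com "^([a-z0-9-]+\.)*windowsupdate\.microsoft\.com(:[0-9]+)?$"
!   show service-policy inspect http
```

Because the regex class is evaluated against the Host header only, a client that reaches an allowed site over port 80 and is redirected to HTTPS passes out of this policy's reach; that is why the thread treats the HTTP inspection route as a single-host control rather than a replacement for a domain-based ACL, and why the interface ACL in step 6 still has to be explicit about what the host may reach on other ports.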

jasonadambrowne Thu, 08/11/2011 - 13:01

I was just checking to see if you had any more suggestions, after examining the other suggestions that people have given me and that I have posted.

jasonadambrowne Mon, 08/15/2011 - 11:54

Jay Johnston

I have included the answers and communication I have received from LinkedIn. Do you have any further suggestions or answers on how I can secure my network, allowing only my workstations and servers access to outside resources such as NIST etc., based on domain names as opposed to IP addresses/ranges?

thanks

Jason

jasonadambrowne Mon, 08/08/2011 - 09:49

Many people keep asking me "Why don't you just exclude the WSUS server from the policy?". The question is not just about WSUS. The reason I ask whether it is possible to apply a security policy based on domain names as opposed to IP addresses/ranges on an ASA5505/ASA5510 is so that I can close everything off on my network and still have access to WSUS, NIST Time Service, Google Docs, Google Earth and Symantec Live Update, without opening my machines up to everyone and everything. I would like to shut down all internet access except to these services, sites, etc.

thanks

Jason

jasonadambrowne Mon, 08/08/2011 - 13:41

I'm not a Cisco ASA expert but.. I'm thinking you could either
a) allow all outbound traffic over a certain port (443) so that such communication can be started (the WSUS should be starting the SSL channel outbound anyway with Windows Update) OR
b) allow all traffic on port 443 to the WSUS Server IP?

This just might be simpler.

Another way as Randy suggested is to move the WSUS out of policy or into a DMZ, allowing it to communicate more freely while maintaining protection within your network.

If you need more help, let me know.

Messages from Chirag Desai (1):


jasonadambrowne Tue, 08/09/2011 - 10:31

Hi Jason,

I don't think you understand how NAT and TCP/UDP/ICMP work. Nothing (NOTHING!) can open an inbound connection to a server without an active NAT policy, regardless of whether or not a security policy exists.

I've been configuring routers and firewalls for 25 years, CISSP certified, and other stuff I won't bore you with. Users shouldn't be on your servers, so it doesn't matter what policies apply to them.

Perhaps I don't understand your environment, but if all the other security is right, you are spending energy on nothing.

Randy
