Inspecting HTTP traffic to block MSN Messenger

Hello Guys,

I'm trying to block IM (MSN) traffic on a Cisco ASA5520 with Software Version 7.2(4).

The configuration which is provided in the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

It's perfect for blocking IM traffic; the issue is that I could see that MSN, after being blocked, encapsulates itself in HTTP traffic using port 80 and is therefore able to establish the connection.

I guess I have to inspect HTTP traffic for something and discard that "something". I would like a little help on how to accomplish this, and do you guys think that making rules to open every HTTP packet to see if there's a connection attempt to MSN isn't going to overload the ASA hardware?

Thanks for everything

Nuno

7 REPLIES

Re: Inspecting HTTP traffic to block MSN Messenger

One option would be to block NON-RFC traffic using the protocol-violation command, but this could block a lot of legitimate websites using non-standard code.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1867542

You could also use an IPS. You could also DNS black hole the MSN chat addresses and restrict users' access to the local hosts file (very important if you use this technique).

However they could still use e-buddy :). So an IPS/Filtering web-proxy is always better.

Regards

Farrukh

Re: Inspecting HTTP traffic to block MSN Messenger

Hello,

Yes, using an IPS/Filtering solution would be ideal, except for the money :=)

So I need to cook with the ingredients that I have :-(

Attached I'm sending a simple capture of one packet only, where you can see the MSN encapsulation.

I was thinking about making a policy to inspect HTTP and then apply a rule where, using a REGEX matching MSN -> connections drop.

Do you guys think this can be accomplished?

Re: Inspecting HTTP traffic to block MSN Messenger

I would rather block using the 'host' portion of the packet, have a look at this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Something along the lines of:

match request header host regex ...

Regards

Farrukh

Re: Inspecting HTTP traffic to block MSN Messenger

Do you think that this will have a huge impact on the machine's processing?

Re: Inspecting HTTP traffic to block MSN Messenger

This would depend on which model you have and the amount of such traffic. If this becomes too much of a performance issue, just use 'DNS' to block MSN (as mentioned in my previous posts).

Regards

Farrukh

Re: Inspecting HTTP traffic to block MSN Messenger

I tested this blocking MSN, and saw the encapsulation in HTTP, then it was working again. So I also configured a URL domain list block on the specific URL domains that MSN uses...

hotmail.com

live.com

mail.com

live.mail.com

Works a treat

HTH
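Farrukh's "match request header host regex" approach and the domain list in the last reply, put together as one complete ASA 7.2 MPF configuration. This is an added example, not configuration from the thread or from Cisco's linked documents; the regex patterns and the class-map and policy-map names are assumptions, while the hostnames come from the list above.

```cisco
! Added example (not from the thread or Cisco's linked documents): ASA 7.2 MPF
! policy that drops HTTP connections whose Host header points at the MSN
! domains listed in the last reply. Regex and class/policy names are assumed.
!
! 1. Patterns for the Host header value. "\." escapes the dot so it matches
!    literally. "mail.com" from the list above is left out on purpose: a plain
!    substring match on it would also catch gmail.com and similar hosts.
regex MSN-HOST-1 "hotmail\.com"
regex MSN-HOST-2 "live\.com"
!
! 2. Group the patterns so that any one of them counts as a match.
class-map type regex match-any MSN-HOSTS
 match regex MSN-HOST-1
 match regex MSN-HOST-2
!
! 3. HTTP inspection class: match only on the Host request header, not the
!    whole payload, which keeps the regex work per request small.
class-map type inspect http match-all MSN-HTTP
 match request header host regex class MSN-HOSTS
!
! 4. HTTP inspection policy: drop the connection and log a syslog message,
!    so blocked attempts (and any false positives) are visible.
policy-map type inspect http BLOCK-MSN-HTTP
 parameters
 class MSN-HTTP
  drop-connection log
!
! 5. Attach it to the default global policy. inspection_default already
!    classifies TCP/80 as HTTP, so only port-80 traffic is inspected.
policy-map global_policy
 class inspection_default
  inspect http BLOCK-MSN-HTTP
!
service-policy global_policy global
```

Check hit counters with "show service-policy inspect http" and watch syslog for the drop messages; if the counters show false positives on legitimate sites, tighten the regex rather than widening it.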
