Block Yahoo and MSN File Transfers

EPHRAIM MANI
Level 3

Dear All,

Just help me to block the yahoo and MSN file transfer, through my cisco Router or PIX.

EM

6 Replies

bobd
Level 1

IM applications today use a wide range of ports and adapt themselves to use port 80 or other normally open ports to ensure connectivity. In addition to this flexibility, the ports used will vary depending on the IM application version. One more thing to consider: if you block the use of IM applications but still leave port 80 open for web access, your users will most likely make use of web-based versions of the messenger, which run like any other web page.

That said - Your PIX firewall can block IM file attachments over most popular IM applications when used in conjunction with Websense and the IM Attachment Manager. This solution would also provide web content filtering and reporting for your network.

Bob

flopez
Level 1

You can try using the URL-Filter command on the PIX, but it will only work with a server like Websense or N2H2. This is the only way that you can block these websites using the URL-Filter command.

And true, there are so many ports used by IM applications.

fzamora
Cisco Employee

What code are you running on the PIX?

For example, with the new PIX code (7.0) you can successfully use the Advanced HTTP inspection engine to block a variety of ports; below is an example:

Create a class-map for http inspection:

pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
pix(config-cmap)# exit

Create an http-map to specify parameters for inspect http:

pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse im action drop
pix(config-http-map)# port-misuse default action allow
pix(config-http-map)# exit

Create a policy-map for http inspection:

* pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit

If necessary create a service-policy or use the default-inspection policy:

pix(config)# service-policy inbound_policy interface outside

* Attach the policy-map for http inspection to an interface (an existing policy map could also be used).

This ends up in the config as:

--------------------------------------------------------------------------
class-map http-port
 match port tcp eq 80
class-map http-port8080
 match port tcp eq 8080
http-map inbound_http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 100 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
policy-map inbound_policy
 class http-port
  inspect http inbound_http
 class http-port8080
  inspect http inbound_http
service-policy inbound_policy interface outside
--------------------------------------------------------------------------

If you notice, you can add more ports via class-maps which tie to the inbound_policy I created to tie to the interface. You can set the port-misuse default action to allow, which we did above, so you should be able to inspect other ports that are being used without blocking anything that you're currently doing, as long as the P2P/IM headers aren't found in the packets.

Essentially this will cause the pix to block the IM/P2P applications while still allowing normal traffic over port 80/8080.

Regards,

Franco Zamora
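The chain Franco describes (service-policy to policy-map, policy-map to class-map, class to http-map) is easy to get wrong when more class-maps are added later, because a port is only inspected if every link in that chain is present. The following Python script is an added example, not part of this thread or of any Cisco tooling; it embeds the rendered configuration above as constructed sample input, parses it by keyword (so it does not rely on PIX indentation), and reports which TCP ports on a given interface actually receive the port-misuse im drop action. The function names parse_config, inspected_ports and im_gaps are my own.

```python
"""Audit a PIX 7.0 MPF configuration: which ports get IM/P2P port-misuse inspection?"""
import re
from collections import defaultdict

# Constructed sample input: the configuration as rendered in the thread.
SAMPLE_CONFIG = """\
class-map http-port
 match port tcp eq 80
class-map http-port8080
 match port tcp eq 8080
http-map inbound_http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 100 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
policy-map inbound_policy
 class http-port
  inspect http inbound_http
 class http-port8080
  inspect http inbound_http
service-policy inbound_policy interface outside
"""

# Top-level section openers; "class-map" must not be confused with "class" inside a policy-map.
TOP = {
    "class-map": re.compile(r"^class-map (\S+)$"),
    "http-map": re.compile(r"^http-map (\S+)$"),
    "policy-map": re.compile(r"^policy-map (\S+)$"),
}
SERVICE_RE = re.compile(r"^service-policy (\S+) (?:interface (\S+)|global)$")
MATCH_PORT_RE = re.compile(r"^match port tcp eq (\d+)$")
MISUSE_RE = re.compile(r"^port-misuse (\S+) action (\S+)")
CLASS_RE = re.compile(r"^class (\S+)$")
INSPECT_RE = re.compile(r"^inspect http (\S+)$")


def parse_config(text):
    """Build the four tables that make up the inspection chain."""
    cfg = {
        "class_ports": defaultdict(set),   # class-map name -> {tcp ports}
        "http_maps": defaultdict(dict),    # http-map name -> {misuse category: action}
        "policy": defaultdict(dict),       # policy-map name -> {class name: http-map or None}
        "service": {},                     # interface (or "global") -> policy-map name
    }
    kind = section = current_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = SERVICE_RE.match(line)
        if m:
            cfg["service"][m.group(2) or "global"] = m.group(1)
            kind = section = None
            continue
        for k, rx in TOP.items():
            m = rx.match(line)
            if m:
                kind, section, current_class = k, m.group(1), None
                break
        else:  # not a section opener: attribute the line to the open section
            if kind == "class-map" and (m := MATCH_PORT_RE.match(line)):
                cfg["class_ports"][section].add(int(m.group(1)))
            elif kind == "http-map" and (m := MISUSE_RE.match(line)):
                cfg["http_maps"][section][m.group(1)] = m.group(2)
            elif kind == "policy-map" and (m := CLASS_RE.match(line)):
                current_class = m.group(1)
                cfg["policy"][section].setdefault(current_class, None)
            elif kind == "policy-map" and current_class and (m := INSPECT_RE.match(line)):
                cfg["policy"][section][current_class] = m.group(1)
    return cfg


def inspected_ports(cfg, interface):
    """Return {port: {category: action}} for traffic entering the given interface.

    A port appears only if a class-map matching it is bound to the policy-map
    applied to that interface (or globally); an empty dict means the class has
    no 'inspect http' line, i.e. no port-misuse checks at all.
    """
    policy = cfg["service"].get(interface) or cfg["service"].get("global")
    if policy is None:
        return {}
    ports = {}
    for cls, hmap in cfg["policy"].get(policy, {}).items():
        for port in cfg["class_ports"].get(cls, set()):
            ports[port] = dict(cfg["http_maps"].get(hmap, {})) if hmap else {}
    return ports


def im_gaps(cfg, interface, expected_ports):
    """Ports from expected_ports that do NOT get 'port-misuse im action drop'."""
    got = inspected_ports(cfg, interface)
    return sorted(p for p in expected_ports if got.get(p, {}).get("im") != "drop")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for port, actions in sorted(inspected_ports(cfg, "outside").items()):
        print(f"tcp/{port}: im={actions.get('im', 'not inspected')}")
    print("ports without IM drop:", im_gaps(cfg, "outside", {80, 8080, 443}))
```

Run it against the constructed config and ports 80 and 8080 are reported with im=drop, while 443 shows up as a gap: the script only knows about ports that a class-map bound to the interface's policy-map actually matches, which is exactly the point of the thread's note that additional ports need their own class-map.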

Great info Franco. Is there a way to implement this to drop just IM attachments without blocking all IM services?

Bob

fzamora
Cisco Employee

I will need to check it out; I'll let you know.

Franco

It would be nice if it worked but it never has - see bug CSCsb41742