I am wondering what are the best methods to stop Kazaa and other P2P traffic, with an ASA or PIX v7
probably some access lists to block some known ports, but many applications use dynamic ports or even port 80
should I be able to use the application inspection features to stop that ?
can you give some examples of configurations you are using for this ?
I would go with a PIX but it depends on your needs.
Compare both Datasheets for performance and features.
Take a look at this Post:
PIX OS 7.0 is now able to determine if the http traffic on port 80 is really http and not any other hidden application.
I would go with the PIX Firewall, you can use the Application-Aware Inspection Services with the new code
check the configuration example below:
Create a class-map for http inspection
pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
Create an http-map to specify parameters for inspect http
pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse im action drop
pix(config-http-map)# port-misuse default action allow
Create a policy-map for http inspection
pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
If necessary create a service-policy or use the default-inspection policy
pix(config)# service-policy inbound_policy interface outside
This ends up in the config as:
match port tcp eq 80
match port tcp eq 8080
content-length min 100 max 2000 action reset log
content-type-verification match-req-rsp action reset log
max-header-length request 100 action reset log
max-uri-length 100 action reset log
port-misuse p2p action drop
port-misuse im action drop
port-misuse default action allow
inspect http inbound_http
inspect http inbound_http
service-policy inbound_policy interface outside
If you notice, you can add more ports via class-maps which tie to the inbound_policy we
created to tie to the interface. I haven't tested this yet but you can set the
port-misuse default action to allow which we did above so you should be able to inspect
other ports that are being used without blocking anything that you're currently doing as
long as the P2P/IM headers aren't found in the packets.
Essentially this will cause the PIX to block the IM/P2P applications while still allowing
normal traffic over port 80/8080.
Also here is the link to PIX 7.0 and ASA CLI architecture. This should be a comprehensive
reference in configuring your 7.0 PIX at the CLI level.
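Added example, not from the thread and not PIX/ASA code: a small offline Python model of the http-map settings in the post above, run over constructed requests to show which ones would hit "action reset" or "action drop". The thresholds are copied from the http-map; the P2P header names, the header-length metric and the order of the checks are assumptions for illustration.

```python
# Added example, not PIX/ASA code: an offline model of the http-map in the post above, run over
# constructed requests to show which ones hit "action reset" or "action drop".
# Thresholds are copied from the http-map; the P2P header names and the check order are assumptions.
CONTENT_LENGTH = (100, 2000)   # content-length min 100 max 2000 action reset log
MAX_HEADER_LEN = 100           # max-header-length request 100 action reset log
MAX_URI_LEN = 100              # max-uri-length 100 action reset log
P2P_HEADERS = {"x-kazaa-username", "x-kazaa-network"}  # assumed markers of a P2P client on port 80


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into URI, header dict, header byte count and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    # header byte count: everything between the request line and the blank line (assumed metric)
    return {"uri": uri.decode(), "headers": headers,
            "header_len": len(head) - len(request_line), "body": body}


def evaluate(raw: bytes) -> str:
    """Return the action the modelled http-map takes on one request: allow, reset or drop."""
    req = parse_request(raw)
    if P2P_HEADERS.intersection(req["headers"]):
        return "drop"                 # port-misuse p2p action drop
    if len(req["uri"]) > MAX_URI_LEN:
        return "reset"                # max-uri-length 100 action reset
    if req["header_len"] > MAX_HEADER_LEN:
        return "reset"                # max-header-length request 100 action reset
    if "content-length" in req["headers"]:
        length = int(req["headers"]["content-length"])
        if not CONTENT_LENGTH[0] <= length <= CONTENT_LENGTH[1]:
            return "reset"            # content-length min 100 max 2000 action reset
    return "allow"                    # port-misuse default action allow


SAMPLES = {  # constructed requests, not captured traffic
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "kazaa": b"GET /.hash=abc HTTP/1.1\r\nHost: 192.0.2.10:1214\r\nX-Kazaa-Username: alice\r\n\r\n",
    "long_uri": b"GET /" + b"a" * 120 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "big_post": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5000\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {evaluate(raw)}")
```

Only the length limits and the port-misuse p2p/default actions are modelled; content-type-verification is left out.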
You can also use NBAR and access-lists at the router level. This is fairly easy. There is a document on Cisco's website about blocking those things.
As far as ASA vs PIX, the ASA runs 7.0 code, so I am not sure why a PIX would be preferred to the ASA. I may be stirring up a hornet's nest, but I get the impression that Cisco will be phasing out the PIX in favor of the ASA over time. I really don't see the reason to continue doing both since they would just be taking market share from each other.
No. This was one of the much trumpeted advances in v7.0 - so you really have to wonder why after all this time (9 months) it STILL doesn't work.
I probably sound a bit tetchy about this but if you sell an expensive product to a customer based on Cisco's spec and then it doesn't work it's not a happy experience to have (not to mention the time wasted trying to get it to work).
You are exactly right. Cisco has become the 800-pound gorilla in the Networking World. Cisco's latest business model reminds me of a company based in Redmond, Washington. It seems the Cisco Systems mantra is, "Release this product now so we can make Quarter whatever profit, we can always release a patch later". A good example of that was CiscoWorks LMS 2.5. Unfortunately for people relying on the integrity of Cisco's product and hardware/software specifications... we get shafted. Cisco used to be a reputable company to work with and for, I feel sorry now for any 'tech' who works for Cisco now.