On the edge PIX, I noticed a lot of traffic being generated on TCP ports 445 and 139. When I checked on the Internet I found that these ports are malicious and dangerous, but when I block them on the internal interface the browsing stops.
NetBIOS Session (TCP), Windows File and Printer Sharing
This is one of the most dangerous ports on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port.
Port 445 SMB
In Windows 2000, Microsoft has created a new transport for SMB over TCP and UDP on port 445. This replaces the older implementation that was over ports 137, 138, 139.
Your PIX should by default be blocking these inbound. If you block these outbound as well, you will lose browsing capabilities to networks past the internal network. I would say a security-conscious individual would block these outbound as well. It basically boils down to risk assessment. Do your users really need this functionality? What happens if there is an intrusion as a result? Etc.
What browsing are you doing outbound? If you are browsing computers outside, you need to be careful. You can put in an access list that permits it outbound only to specific hosts or networks. You need to set up a unified defense, and the IPS must work in concert with the PIX.
Blocking 445 at the firewall is relatively easy and solves many problems. The real issue is with 445 internally.
445 needs to be open in Windows environments and is a prime conduit for the spread of malware internally. Apart from this, I have listed a few more ways here which are also useful in preventing malware spread.
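Before deciding what to block, it helps to see which inside hosts are actually producing the 445/139 traffic the question mentions, and whether they talk to one or two file servers (normal) or fan out to many hosts (the internal malware spread described above). The script below is an added example, not from this thread: it parses PIX-style "Built outbound TCP connection" (302013) syslog lines, which assumes your PIX logs connection builds at level 6 and that the regex matches your firmware's message layout; the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Regex modeled on the PIX/ASA 302013 syslog message. For an outbound build the
# first interface:addr/port is the destination (outside), the second the source
# (inside); the parenthesised values are the NAT-mapped addresses, skipped here.
BUILT_RE = re.compile(
    r"Built outbound TCP connection \d+ for "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)"
)
SMB_PORTS = {139, 445}  # NetBIOS session and SMB-over-TCP


def smb_fanout(lines):
    """Map each inside source IP to the set of outside hosts it reached on 139/445."""
    fanout = defaultdict(set)
    for line in lines:
        m = BUILT_RE.search(line)
        if not m or int(m.group("dport")) not in SMB_PORTS:
            continue  # not a connection build, or not an SMB/NetBIOS port
        fanout[m.group("src")].add(m.group("dst"))
    return fanout


def flag_scanners(lines, max_distinct_dsts=5):
    """Return inside hosts that reached more than max_distinct_dsts SMB targets.
    A workstation using one or two file servers stays under the threshold;
    a host fanning out to many peers on 445/139 looks like a share scan or worm."""
    return sorted(src for src, dsts in smb_fanout(lines).items()
                  if len(dsts) > max_distinct_dsts)


# Constructed sample lines (not real firewall output): 192.168.1.20 fans out to
# eight hosts on 445; 192.168.1.30 uses one file server plus an HTTP connection.
SAMPLE = [
    f"%PIX-6-302013: Built outbound TCP connection {1000 + i} for "
    f"outside:10.0.0.{i}/445 (10.0.0.{i}/445) to inside:192.168.1.20/{40000 + i} "
    f"(203.0.113.1/{40000 + i})"
    for i in range(1, 9)
] + [
    "%PIX-6-302013: Built outbound TCP connection 2001 for outside:203.0.113.10/445 "
    "(203.0.113.10/445) to inside:192.168.1.30/50001 (203.0.113.1/50001)",
    "%PIX-6-302013: Built outbound TCP connection 2002 for outside:203.0.113.10/139 "
    "(203.0.113.10/139) to inside:192.168.1.30/50002 (203.0.113.1/50002)",
    "%PIX-6-302013: Built outbound TCP connection 2003 for outside:198.51.100.7/80 "
    "(198.51.100.7/80) to inside:192.168.1.30/50003 (203.0.113.1/50003)",
]

if __name__ == "__main__":
    for src, dsts in sorted(smb_fanout(SAMPLE).items()):
        print(f"{src}: {len(dsts)} distinct SMB/NetBIOS destinations")
    print("flagged:", flag_scanners(SAMPLE))
```

Feed it your syslog export instead of SAMPLE; hosts it flags are the ones to investigate before deciding which specific destinations an outbound access list should still permit.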