A Cisco PIX 501 and a Dream...

Hello People,

I have a Cisco PIX 501 and a dream...

I am not so concerned with malicious INBOUND traffic. My concern is with the risks from trojans and keyloggers etc - traffic EXITING my PC. I'm thinking that if I deny ALL outbound traffic then allow on a connection(port) by connection basis that I can see both what is trying to exit and then better understand and control it.

I would like to know how I can FIRST deny ALL outbound traffic from exiting my PC.

QUESTION: What is the syntax to stop ALL outbound traffic? Is it: "access-list deny_outbound deny tcp any any eq"? Then: "write mem" or "write memory" to set the changes?

Once all outbound traffic is denied I would like to allow traffic to exit on a port by port basis.

Right off I know that I want to allow outbound traffic to exit from port 80, 21, etc. What is the syntax for this? (I understand that a trojan or keylogger can be configured to use HTTP port 80, or other "trusted" ports, but that is for another post in another newsgroup.)

QUESTION: Please, what is the syntax for opening port 80 after it being closed by the "deny" command? And how do I seal the deal after entering that command - write mem?

From the command prompt:
  1. enable
  2. config t
  3. ....
  4. .....
  5. "write memory"


Does anyone have the foggiest clue what I'm asking and how I might better do what I'm trying to do?

Please help me realize my dream. And thank you so much to the people that have helped me get this far, I seriously appreciate it. This stuff is pretty tricky and most of my friends are criminal types that are either in jail or don't have Cisco PIX's.


PS: To those that think that because they know more about something than someone else that they have the right to be smart asses.. You don't. Saying things like "just don't install keyloggers" is pretty stupid but let me point out the obvious. People don't install keyloggers on their own machines then ask how to protect against them. Well, maybe people by where you live but not where I'm from.

PPS: To those that can't tell that I'm kinda joking around and kinda serious and kinda frustrated etc... Don't worry about it, it's just a Usenet post, nothing to get excited about and guess what? You don't have to reply if you don't want to!!!!!! Seriously, you can just click on the next post and I swear you'll be ok!

PPPS: In case it's not obvious some fools give me shi* for my lack of firewall knowledge to the point of emailing me, suggesting that I give up computing etc.. It's kinda funny but a little scary at the same time...

Reply to
Networking Student

You can't stop them externally. You can't stop them on the host. The only solution is to not install that malware. The hardware to enforce this policy is called 'Brain 1.0' and can't be ordered separately.

That's always a good idea. But this does not stop malware from harming your system.

deny ip any any

access-list deny_outbound line 1 perm tcp any host proxy eq 3128

So your spyware is allowed to transfer data to outside and your malware can update themselves. Furthermore your worms can infect other systems out there.

The "line x" option does help.


Clean your system and do not click on every icon which does not disappear instantaneously from the desktop.

No, it's the only solution.

Which universe do you come from? Is there a way to get in?

It would be enough to read the documentation. But maybe you can't reach

formatting link
not from your universe. What a pity.

Reply to
Lutz Donnerhacke

Short answer is you can't stop it with a PIX. Even if you were to block everything except for a few ports such as DNS, POP, WWW, daily used stuff etc., the viruses/keyloggers would simply use those ports you have open. While a lot of viruses these days have a "signature", they use random ports and will scan until they find something open. To stop them you would need some type of inline anti-virus/malware scanner, Symantec etc.

Reply to
Brian V

Hiya Lutz!

What a fine example of your kind you are. The kind who supposedly know more about something than someone and enjoy trying to bust balls! What kind of name is "Lutz" anyway, lol. "Lutz" - LOL, it sounds like slang for an ass affliction. Oh, and thanks for the cisco.com tip, I wouldn't have thought of that. What a great resource for a newbie like myself with nothing but time on my hands! I'll just drop everything and immerse myself so I can be an expert overnight! Wait, it's more complicated than I thought, maybe I'll try posting some questions to a newsgroup? Wait, "Lutz" is there and he's an asshole. You are the type that believes it's an instructor's right to try and humiliate the student as he instructs. Much can be gleaned from your stupid reply - about you, where you are from, your social status, your love life, lol. Oh well, I guess I'll just weed out the dime a dozen internet "Lutz's" and learn from the rest, lol.

Reply to
Networking Student

Well I'm at a loss then.. I bought the Cisco to improve my security, I see that it is highly configurable yet I can not seem to figure out a SINGLE thing I can do beyond the default configuration to improve my security. I do have Ad-Aware, Ad-Watch, Spy Sweeper and ZoneAlarm. And avast! antivirus. There does not seem to be a simplistic "how to" around for absolute Cisco beginners like myself. The idiot above, Lutz, suggests cisco.com as if I have not been there 50 times or done 50 "Cisco PIX 501 beginner etc" searches. Well thanks for your answer Brian V, I won't spend any more time on that concept, lol. Thanks again.


Reply to
Networking Student

Thank you. Besides the fact that you deleted all the useful tips, here is a FAQ on this subject. It even mentions "Zone Alarm".

formatting link

Reply to
Lutz Donnerhacke

Configure your PIX to block all outgoing traffic except that going to sites and ports that you are willing to trust. It is a trade-off between convenience and security: every time you decide you want to see a new site, you would have to add it to the permitted list.

Consider that by the time that a packet makes it on to the network, there is no way for an outside device to know whether the packet was originated by a "good" program or a "bad" program: the best the outside device can do is to check to see whether you've decided to trust the destination (even if only by default, if you haven't blocked it.)

Unfortunately, although software that runs right on your machine might have a chance of determining whether the source was a "good" program or a "bad" program, that software is subject to being subverted by the "bad" programs, whether that's by the "bad" program altering the data files for the checking program, or by the "bad" program altering the checking program itself, or by the "bad" program altering the operating system (or by more subtle means like the program altering the alternate data stream for a file.) In particular, "Windows Firewall" is not to be trusted by itself: there are too many programs around that know how to tell Windows Firewall that they are trusted programs... or to just bypass the entire firewall layer.

You mentioned a PIX 501, which implies PIX 6.x operating system. The PIX 515, 515E, 525, and 535, and the Cisco ASA 55x0 series, can run 7.x software, which is able to monitor data flows to see whether the kind of data being sent through matches the kind of data to be expected for that port. This would catch programs that used port 80 (because it is often open) but did not talk http over the port. Unfortunately, there are lots of ways to embed pretty much any information transfer you want into http and the inspection agents would not be able to tell whether it is "good" data or "bad" data.

Computing theory tells us that there is no *reliable* way to be able to exchange general purpose information such that the exchange cannot be used to covertly communicate unwanted data (e.g., your passwords).

Even humans have trouble determining whether any given program is a "good" program or a "bad" program -- and the same data, transferred to the same place, might be used for beneficial or harmful purposes. Furthermore, what one person sincerely considers beneficial can be what a different person sincerely considers harmful.

Reply to
Walter Roberson
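As an added illustration of the approach Walter describes (block all outbound, then permit only the ports and destinations you decide to trust) and of the deny-all plus per-line permits Lutz sketched, here is a PIX 6.3-style configuration; it is an example written for this thread, not code from either poster or from Cisco's documentation. The list name, the 192.168.1.0/24 inside network and the server addresses are constructed placeholders, and the "!" lines are explanatory comments.

```cisco
! Added example: deny-all outbound on a PIX 501 (assumes PIX 6.3 syntax).
enable
configure terminal
! Give the servers readable names (placeholder addresses, replace with your own).
names
name 192.168.1.10 dns-server
name 192.168.1.5 syslog-host
! Outbound list: only what the LAN is explicitly allowed to reach.
access-list outbound_in permit udp 192.168.1.0 255.255.255.0 host dns-server eq domain
access-list outbound_in permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound_in permit tcp 192.168.1.0 255.255.255.0 any eq 443
! FTP control channel; the data channel is handled by "fixup protocol ftp 21", on by default.
access-list outbound_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp
! Explicit final deny with "log": every blocked attempt shows up in syslog,
! which is what lets you see what is trying to leave and decide case by case.
access-list outbound_in deny ip any any log
! Bind the list to traffic entering the inside interface (i.e. leaving the LAN).
access-group outbound_in in interface inside
! Ship the log messages to a host where you can read them.
logging on
logging trap informational
logging host inside syslog-host
! Later, to open one more port, insert the permit above the deny using the
! "line" keyword (the deny is currently line 5 and is pushed down to line 6).
access-list outbound_in line 5 permit tcp 192.168.1.0 255.255.255.0 any eq 993
! Persist the running configuration.
write memory
```

As Walter notes, this only enforces which destinations and ports you trust; a program that talks on port 80 still passes, so the deny log is a visibility tool, not proof that the host is clean.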

Thanks Walter, I have learned more from you than anyone by far and I truly appreciate your answers.

Reply to
Networking Student
