Block instant messaging with Pix 7?

I upgraded my Cisco Pix 515 to OS version 7.04 a while ago because Cisco has all sorts of marketing up on their site claiming that it can block instant messaging.

Well, I've found a lot of marketing material on their site, but I haven't been able to find any actual documentation on how to do it. Does anyone have experience with this? It would be much appreciated.

Thanks, Marc

Marc Teale

I recently installed 7.04 and I noticed it has "inspection engines" that allow for layer 4-7 inspection. So it should come with some facility to detect and block popular instant messaging protocols via application layer 7 inspection. Check the PIX 7.04 ASDM docs, it should mention something.

You could always just block the ports some popular instant messaging services run on. Here is a list of a few:

AIM: 5190 - 5193

MSN Messenger (including voice): 6901, 6891-6900

Yahoo: 5050

You can find more on Google.

Nicholas DePetrillo

Pretty sure all those services will fall back to port 80 if you block those ports. One trick we used to do before we had firewalls that could identify that traffic regardless of port was to permit them but rate limit them to such a degree that they're useless for practical purposes. By permitting them you prevent the fallback to alternate ports, but at 1kbps, when multiple users hit the service it's almost completely useless.

-Russ.

Somebody.

That's a good point, they are sneaky.

I haven't checked my PIX ASDM yet but I am sure that the inspection engine/layer 4-7 inspection usage is in the documentation for the PIX. It should not be that hard to get going.

Nicholas DePetrillo

After much searching, I found the "port-misuse" command in the Cisco Security Appliance Command Reference 7.0.4.

When you're in http-map configuration mode, enter:

port-misuse im drop log

This will prevent Yahoo Messenger, AIM, and MSN from hiding their packets in HTTP traffic, but can really impair performance on the Pix.

Which is all great... but unless there's some other global way to check packets, I'll still need to block several ranges of ports, and not be certain that this will work.

Marc Teale


Correction - that command should be:

"port-misuse im action drop"

Marc Teale
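Putting the pieces of this thread together, here is an added example (not from any poster) of how the corrected port-misuse command fits into a PIX 7.0 configuration: an access list for the port ranges listed above, plus an HTTP map applied through the Modular Policy Framework so that IM clients falling back to port 80 (Russ's point) are still dropped. The names im_ports, im_http_map, http_traffic and im_policy and the interface name "inside" are assumptions for the example.

```text
! Step 1: deny the well-known IM ports from the inside network (assumed interface name).
access-list im_ports extended deny tcp any any range 5190 5193
access-list im_ports extended deny tcp any any eq 5050
access-list im_ports extended deny tcp any any range 6891 6901
access-list im_ports extended permit ip any any
access-group im_ports in interface inside
!
! Step 2: HTTP map with the corrected command from this thread; the log keyword
! is optional and produces a syslog message for each dropped connection.
http-map im_http_map
  port-misuse im action drop log
!
! Step 3: classify HTTP traffic and apply the map via the HTTP inspection engine.
class-map http_traffic
  match port tcp eq www
policy-map im_policy
  class http_traffic
    inspect http im_http_map
!
! Step 4: attach the policy to the inside interface (assumed name).
service-policy im_policy interface inside
```

As Marc notes, HTTP inspection adds load on the PIX, so watch CPU utilisation after enabling it.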
