Security Forums

Active Directory and firewall

mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0
Posted: Wed Aug 18, 2010 1:07 pm    Post subject: Active Directory and firewall

Hello all,

I have been asked to block all internal users from accessing the internet if they are not authenticated by Active Directory. Could you please assist me with doing that ASAP? We have Active Directory and a Cisco ASA firewall.

Your assistance will be appreciated.

Thanks
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Wed Aug 18, 2010 2:10 pm

mamo,

It's been a while since I touched anything Cisco, but I can't remember that functionality ever being in the PIX. What you should look at is implementing a web proxy using something like ISA Server. This will allow you to specify who can access the web and what restrictions you place on them, e.g. authentication status, time of day, etc.

Fire Ant
mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0

Posted: Thu Aug 19, 2010 1:10 pm

Thanks, Fire Ant, for your input. I don't know if the company is willing to add ISA, but I was thinking we could use something like TACACS/RADIUS.
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Thu Aug 19, 2010 1:38 pm

mamo,

The TACACS and RADIUS support on the PIX is for authenticating management sessions only and not for authenticating users' TCP/UDP connections.

Fire Ant
mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0

Posted: Thu Aug 19, 2010 3:51 pm

Hello Fire Ant,

Another thing: is it possible to block streaming and chat using the Cisco ASA?

Thanks a lot
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Thu Aug 19, 2010 3:59 pm

Mamo,

It depends on which port they are using. I recall that products like MSN Messenger use HTTP to transmit and receive chat data, making it hard to block because you don't want to block port 80 and stop normal web browsing.

I suggest using a most-restrictive firewall policy. The last ACL should be an explicit deny all, and the preceding ACLs should be something like:

Allow 443 from internal-pcs to external
Allow 80 from internal-pcs to external
Deny all from any to any

Fire Ant
mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0

Posted: Thu Aug 19, 2010 4:36 pm

Thanks Fire Ant,

I just found these online:

AOL Instant Messenger uses TCP 5190
ICQ (old client) uses UDP 4000
ICQ uses TCP 5190
IRC uses TCP 6667
MSN uses TCP 1863
Net2Phone uses UDP 6801

I am going to try to block them by ACL to see if they work. I would also like to know if there is a way to block streaming.

Your assistance is greatly appreciated.
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Thu Aug 19, 2010 4:51 pm

Mamo,

You can specifically deny these ports if you wish; however, it is more effective to use the explicit deny. If you are just getting to grips with ACLs then it's worth implementing them and testing them yourself, for example blocking the ports to all computers except your own. Remember that ACLs are read in order, so:

1 - Deny ALL to external on TCP 5190
2 - Allow my-pc to external on TCP 5190

The 1st takes precedence.

Streaming can be blocked; again, using the explicit deny and explicitly allowing only the ports that you need will do. If you want to get into specifically blocking the streaming then you will need to block certain UDP ports.

The reason I recommend only allowing what you need and blocking everything else with one big DENY statement at the end is that it is very easy to understand. Also, it means that if anyone starts using a new product which uses a different port then you don't have to change your firewall rules in the future, because you block it already.

Good luck and have fun.

Fire Ant
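An added example, not taken from any post in this thread, of what Fire Ant's two points look like as an ASA configuration: the ordering pitfall (ACL entries are matched top-down and the first match wins, so an exemption for your own PC has to sit above the broad deny) and a permit-only-what-you-need access list that ends in an explicit, logged deny. The interface name inside, the 172.16.0.0/16 range, the host 172.16.32.36 standing in for "my-pc", the object-group name Web and the pre-8.3 service-object syntax are assumptions.

```conf
! Added example (not from the thread). Assumed: ASA 8.0-8.2 syntax, inside
! network 172.16.0.0/16, my-pc = 172.16.32.36, inside interface named "inside".
object-group service Web
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq domain
!
! ACL entries are evaluated top-down; the first match wins and evaluation stops.
! To exempt my-pc from the TCP 5190 (AIM/ICQ) block, its permit must come first.
! Swapping these two lines blocks my-pc as well, which is the ordering point.
access-list inside_access_in extended permit tcp host 172.16.32.36 any eq 5190
access-list inside_access_in extended deny tcp 172.16.0.0 255.255.0.0 any eq 5190 log
!
! Permit only the services users actually need. The service object-group
! carries protocol and destination port, so it is written before source/destination.
access-list inside_access_in extended permit object-group Web 172.16.0.0 255.255.0.0 any
!
! Explicit deny-all with logging. The implicit deny would drop the same
! traffic, but this line emits %ASA-4-106023 messages, so anything unexpected
! (for example a client trying TCP 1863) shows up in the log instead of vanishing.
access-list inside_access_in extended deny ip any any log
!
access-group inside_access_in in interface inside
```

The logged deny at the end is what makes the policy testable: after applying it, anything a user still manages to reach must be going through one of the permit lines above, which narrows the search to the permitted ports (typically 80/443) rather than the whole port range.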
mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0

Posted: Thu Aug 19, 2010 5:13 pm

Fire Ant,

All the access lists that we have from inside to outside are very specific, and we also have this ACL:

access-list inside_access_in extended permit object-group Web 172.16.0.0 255.255.0.0 any

and object-group Web has (http, https, dns). Is that what allows inside to connect to the internet? Because I think the services to connect to should be at the end of the ACL, am I right? I mean it should be like this:

access-list inside_access_in extended permit 172.16.0.0 255.255.0.0 any eq object-group Web

And from what you said in your reply, we have an implicit deny that would block anything not allowed, but I am still able to use MSN.


thanks a lot
PhiBer
SF Mod
Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Thu Aug 19, 2010 6:34 pm

You can also invest into a firewall device such as a Sonicwall TZ 210 which has the LDAP functionality you are looking for.
ryansutton
Trusted SF Member
Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Fri Aug 20, 2010 4:55 pm

ISA/Squid and almost any web proxy software that can be configured for LDAP access can be configured to deny access to unauthenticated users. A web proxy would also allow you to block those sites that offer IM over the web, such as meebo.
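A worked example, added here and not part of any post in the thread, of the Squid approach ryansutton describes: a squid.conf fragment that challenges every client for credentials, verifies them against Active Directory over LDAP, and denies web access to anyone who is not authenticated. The helper path (Squid 3.2+ naming; older releases ship it as squid_ldap_auth), the domain example.com, the domain controller dc1.example.com, the read-only bind account svc-squid and the 172.16.0.0/16 client network are assumptions.

```conf
# Added example (not from the thread). Assumed: Squid 3.2+, AD domain
# example.com, DC dc1.example.com, bind account svc-squid, clients in 172.16.0.0/16.

# Basic-auth helper that binds to AD and checks the user's password.
# %s is replaced with the username the browser supplied; the filter restricts
# lookups to user objects matched on sAMAccountName. -v 3 forces LDAPv3, which AD requires.
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "dc=example,dc=com" -f "(&(objectClass=user)(sAMAccountName=%s))" -D "cn=svc-squid,cn=Users,dc=example,dc=com" -w "change-me" -h dc1.example.com
auth_param basic children 10
auth_param basic realm Corporate web proxy (Active Directory account required)
auth_param basic credentialsttl 2 hours

# Who may use the proxy at all, and the requirement that they be authenticated.
acl localnet src 172.16.0.0/16
acl ad_users proxy_auth REQUIRED

# http_access rules are first-match, like firewall ACLs.
# 1. Unauthenticated clients get a 407 challenge; failed or absent logins are denied.
http_access deny !ad_users
# 2. Authenticated internal clients are allowed.
http_access allow localnet ad_users
# 3. Explicit catch-all deny.
http_access deny all
```

Two practical notes on this design: Basic authentication sends the AD password to the proxy in the clear on every request, so the proxy belongs on the trusted internal segment and the bind account should be read-only; for domain-joined Windows clients Squid's NTLM or Negotiate helpers give transparent single sign-on instead of a browser prompt. Separately, the proxy only enforces anything if the firewall permits outbound 80/443 from the proxy's address alone and not from the client subnet, otherwise users simply bypass it.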
mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0

Posted: Fri Aug 20, 2010 10:57 pm

Thank you guys for your suggestions. If I opt for ISA (never worked with it though), what would be its placement? Is it behind the firewall?

thanks
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Fri Aug 20, 2010 11:57 pm

Mamo,

The traffic flow would be something like this:

Code:
Internet<->Firewall<->Web Proxy<->Internal PCs


If you choose not to use ISA there are plenty of other web proxy solutions which will do the job, like Squid. As PhiBer also mentioned, there is the SonicWall firewall, which has LDAP integration.

Good luck,

Fire Ant
mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0

Posted: Sun Aug 22, 2010 1:07 pm

Thanks much Fire Ant
mamo
Just Arrived
Joined: 18 Aug 2010
Posts: 0

Posted: Wed Aug 25, 2010 10:29 pm

Hello all,

I added the following configuration to the ASA to block messengers:
===========================
class-map imblock
 match any
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map im_policy
 class imblock
  inspect im impolicy
service-policy im_policy interface inside
============================

when i checked logs, i found the following:

Aug 23 2010 11:55:17: %ASA-4-106023: Deny tcp src inside:172.16.32.36/54007 dst outside:64.4.9.254/1863 by access-group "inside_acce

but i am still able to use msn im, is there something missing?

Thanks for your input
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Thu Aug 26, 2010 11:34 am

Mamo,

I suspect that MSN also uses port 80 to communicate. You can check this by installing something like Wireshark on your computer to capture the packets.

Fire Ant
All times are GMT + 2 Hours
Page 1 of 2