Active directory and firewall
Author: mamo    Posted: Wed Aug 18, 2010 1:07 pm    Post subject: Active directory and firewall
Hello all,

I have been asked to block all internal users from accessing the internet if they are not authenticated by Active Directory. Could you please assist me with doing that ASAP? We have Active Directory and a Cisco ASA firewall.

Your assistance will be appreciated.


Author: Fire Ant    Location: London    Posted: Wed Aug 18, 2010 2:10 pm    Post subject:

It's been a while since I touched anything Cisco, but I can't remember that functionality ever being in the PIX. What you should look at is implementing a web proxy using something like ISA Server. This will allow you to specify who can access the web and what restrictions you place on them, e.g. authentication status, time of day, etc.

Fire Ant

Author: mamo    Posted: Thu Aug 19, 2010 1:10 pm    Post subject:
Thanks Fire Ant for your input. I don't know if the company is willing to add ISA, but I was thinking we could use something like TACACS/RADIUS.

Author: Fire Ant    Location: London    Posted: Thu Aug 19, 2010 1:38 pm    Post subject:

The TACACS and RADIUS support on the PIX is for authenticating management sessions only and not for authenticating users' TCP/UDP connections.

Fire Ant

Author: mamo    Posted: Thu Aug 19, 2010 3:51 pm    Post subject:
Hello Fire Ant,

Another thing: is it possible to block streaming and chat using the Cisco ASA?

Thanks a lot

Author: Fire Ant    Location: London    Posted: Thu Aug 19, 2010 3:59 pm    Post subject:

It depends on which port they are using. I recall that products like MSN Messenger use HTTP to transmit and receive chat data, making it hard to block because you don't want to block port 80 and stop normal web browsing.

I suggest using the most restrictive firewall policy. The last ACL should be an explicit deny all, and the preceding ACLs should be something like:

Allow 443 from internal-pcs to external
Allow 80 from internal-pcs to external
Deny all from any to any

Fire Ant

Author: mamo    Posted: Thu Aug 19, 2010 4:36 pm    Post subject:
Thanks Fire Ant,

I just found these online:

AOL Instant Messenger uses TCP 5190
ICQ (old client) uses UDP 4000
ICQ uses TCP 5190
IRC uses TCP 6667
MSN uses TCP 1863
Net2Phone uses UDP 6801

I am going to try to block them by ACL to see if that works. I would also like to know if there is a way to block streaming.

Your assistance is greatly appreciated.

Author: Fire Ant    Location: London    Posted: Thu Aug 19, 2010 4:51 pm    Post subject:

You can specifically deny these ports if you wish; however, it is more effective to use the explicit deny. If you are just getting to grips with ACLs then it's worth implementing them and testing them yourself, for example blocking the ports to all computers except your own. Remember that ACLs are read in order, so:

1 - Deny ALL to external on TCP 5190
2 - Allow my-pc to external on TCP 5190

The 1st takes precedence.

Streaming can be blocked; again, using the explicit deny and explicitly allowing only the ports that you need will do. If you want to get into specifically blocking the streaming then you will need to block certain UDP ports.

The reason I recommend only allowing what you need and blocking everything else with one big DENY statement at the end is that it is very easy to understand. Also, it means that if anyone starts using a new product which uses a different port then you don't have to change your firewall rule in the future, because you are already blocking it.

Good luck and have fun.

Fire Ant
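The two points in the post above (ACLs are read in order, so an exception placed after a broader deny never fires, and a final explicit deny catches any new application port) can be checked offline with a small first-match simulator. This is an added example, not code from the thread or from any Cisco device; the networks, the host address and the rule sets in it are constructed for illustration. It also adds a simple shadow check that reports a rule an earlier rule makes unreachable, which is the mistake the post warns about.

```python
"""Ordered (first-match) ACL evaluation with a shadowed-rule check.

Added example for the forum thread: rules are read top to bottom, the first
match wins, and anything unmatched falls to the implicit deny. All networks,
hosts and rule sets here are constructed and are not from any real device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    dport: Optional[int]  # destination port, None = any port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        """True if this single rule covers the given flow."""
        if self.proto not in ("any", proto):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Walk the ACL in order; return (action, index of the matching rule).
    A flow no rule covers hits the implicit deny, reported with index None."""
    for index, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Report rules that can never match because one earlier rule already
    covers everything they would match: (shadowed index, shadowing index).
    Only single-rule shadowing is checked, not the union of several rules."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            src_covered = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            dst_covered = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            if (earlier.proto in ("any", later.proto) and src_covered and dst_covered
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append((j, i))
                break
    return found


# Constructed addressing: RFC 1918 inside, "any" for the outside world.
INTERNAL = "10.0.0.0/8"
MY_PC = "10.0.0.25/32"
ANY = "0.0.0.0/0"

# The two orderings from the post: deny-before-permit shadows the exception.
ORDER_DENY_FIRST = [
    Rule("deny", "tcp", INTERNAL, ANY, 5190),
    Rule("permit", "tcp", MY_PC, ANY, 5190),
]
ORDER_PERMIT_FIRST = [
    Rule("permit", "tcp", MY_PC, ANY, 5190),
    Rule("deny", "tcp", INTERNAL, ANY, 5190),
]

# Most-restrictive policy: allow only what is needed, then one explicit deny-all.
DEFAULT_DENY_POLICY = [
    Rule("permit", "tcp", INTERNAL, ANY, 443),
    Rule("permit", "tcp", INTERNAL, ANY, 80),
    Rule("deny", "any", ANY, ANY, None),
]

if __name__ == "__main__":
    ext = "203.0.113.9"  # constructed external host
    print(evaluate(ORDER_DENY_FIRST, "tcp", "10.0.0.25", ext, 5190))     # ('deny', 0)
    print(evaluate(ORDER_PERMIT_FIRST, "tcp", "10.0.0.25", ext, 5190))   # ('permit', 0)
    print(shadowed_rules(ORDER_DENY_FIRST))                              # [(1, 0)]
    # A new application on a port never listed is caught by the explicit deny.
    print(evaluate(DEFAULT_DENY_POLICY, "tcp", "10.0.0.77", ext, 1863))  # ('deny', 2)
```

The index returned by `evaluate` is what makes the difference visible: with the deny first, the exception for `MY_PC` is hit by rule 0 and never reaches rule 1, and `shadowed_rules` flags that; with the default-deny policy, TCP 1863 (the MSN port listed earlier in the thread) is stopped by the final deny without any rule naming it.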

Author: mamo    Posted: Thu Aug 19, 2010 5:13 pm    Post subject:
Fire Ant,

All access lists that we have from inside to outside are very specific, and we also have this ACL:

access-list inside_access_in extended permit object-group Web any

and object-group Web has (http, https, dns). Is that what allows inside to connect to the internet? Because I think the services to connect to should be at the end of the ACL, am I right? I mean it should be like this:

access-list inside_access_in extended permit any eq object-group Web

And from what you said in your reply, we have an implicit deny that would block anything not allowed, but I am still able to use MSN.

thanks a lot

Author: PhiBer    Location: Your MBR    Posted: Thu Aug 19, 2010 6:34 pm    Post subject:
You can also invest in a firewall device such as a SonicWall TZ 210, which has the LDAP functionality you are looking for.

Author: ryansutton    Location: San Francisco, California    Posted: Fri Aug 20, 2010 4:55 pm    Post subject:
ISA/Squid and almost any web proxy software that can be configured for LDAP access can be configured to deny access to unauthenticated users. A web proxy would also allow you to block those sites that offer IM over the web, such as meebo.

Author: mamo    Posted: Fri Aug 20, 2010 10:57 pm    Post subject:
Thank you guys for your suggestions. If I opt for ISA (I have never worked with it though), what would be its placement? Is it behind the firewall?


Author: Fire Ant    Location: London    Posted: Fri Aug 20, 2010 11:57 pm    Post subject:

The traffic flow would be something like this:

Internet<->Firewall<->Web Proxy<->Internal PCs

If you choose not to use ISA there are plenty of other web proxy solutions which will do the job, like Squid. As PhiBer also mentioned, the SonicWall firewall has LDAP integration.

Good luck,

Fire Ant

Author: mamo    Posted: Sun Aug 22, 2010 1:07 pm    Post subject:
Thanks much Fire Ant

Author: mamo    Posted: Wed Aug 25, 2010 10:29 pm    Post subject:
Hello all,

I added the following configuration to the ASA to block messengers:
class-map imblock
 match any
policy-map type inspect im impolicy
 match protocol msn-im yahoo-im
  drop-connection log
policy-map im_policy
 class imblock
  inspect im impolicy
service-policy im_policy interface inside

When I checked the logs, I found the following:

Aug 23 2010 11:55:17: %ASA-4-106023: Deny tcp src inside: dst outside: by access-group "inside_acce

But I am still able to use MSN IM. Is there something missing?

Thanks for your input
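The %ASA-4-106023 line quoted above is the ASA's "denied by access-group" message, and the quickest way to tell what an ACL is really dropping is to parse those messages and count them by destination port and by inside host. The parser below is an added example, not configuration or output from the thread; the log lines it runs on are constructed in the documented 106023 layout (syslog timestamp, protocol, interface:address/port pairs, optional ICMP type/code, and the access-group name) using documentation address ranges, and the ports chosen are the ones listed earlier in the thread (1863, 5190, UDP 4000).

```python
"""Parse Cisco ASA %ASA-4-106023 "Deny ... by access-group" syslog lines.

Added example for the forum thread, not the ASA's own code: it turns deny
messages into records so you can see which destination ports an ACL is actually
dropping and which inside hosts generate the hits. SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Field layout of a 106023 message; "(type N, code M)" appears for ICMP only.
ASA_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src '
    r'(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? dst '
    r'(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_106023(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a 106023 deny line, or None for any other line."""
    m = ASA_106023.search(line)  # search: the syslog timestamp precedes the message
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["proto"] = str(rec["proto"]).lower()
    return rec


def denies_by_dest_port(lines: List[str]) -> Counter:
    """Count denied flows per (protocol, destination port)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_106023(line)
        if rec:
            counts[(rec["proto"], rec["dst_port"])] += 1
    return counts


def hosts_denied_on(lines: List[str], proto: str, dst_port: int) -> List[str]:
    """Source hosts that were denied towards the given service, sorted by address."""
    hosts = set()
    for line in lines:
        rec = parse_106023(line)
        if rec and rec["proto"] == proto and rec["dst_port"] == dst_port:
            hosts.add(str(rec["src_ip"]))
    return sorted(hosts, key=ipaddress.ip_address)


# Constructed log lines in the 106023 layout (10.1.1.0/24 inside, documentation ranges outside).
SAMPLE_LOG = [
    'Aug 23 2010 11:55:17: %ASA-4-106023: Deny tcp src inside:10.1.1.5/49152 dst outside:198.51.100.20/1863 by access-group "inside_access_in" [0x0, 0x0]',
    'Aug 23 2010 11:55:19: %ASA-4-106023: Deny tcp src inside:10.1.1.8/49201 dst outside:198.51.100.20/1863 by access-group "inside_access_in" [0x0, 0x0]',
    'Aug 23 2010 11:55:21: %ASA-4-106023: Deny tcp src inside:10.1.1.5/49153 dst outside:203.0.113.7/5190 by access-group "inside_access_in" [0x0, 0x0]',
    'Aug 23 2010 11:55:30: %ASA-4-106023: Deny udp src inside:10.1.1.9/4000 dst outside:203.0.113.9/4000 by access-group "inside_access_in" [0x0, 0x0]',
    'Aug 23 2010 11:56:02: %ASA-4-106023: Deny icmp src outside:192.0.2.44 dst inside:10.1.1.5 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    'Aug 23 2010 11:56:10: %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.50/443 (198.51.100.50/443) to inside:10.1.1.5/49160 (10.1.1.5/49160)',
]

if __name__ == "__main__":
    for (proto, port), n in denies_by_dest_port(SAMPLE_LOG).most_common():
        print(f"{proto:5} dport={str(port):5} denied {n} time(s)")
    print("hosts denied on tcp/1863:", hosts_denied_on(SAMPLE_LOG, "tcp", 1863))
```

Run against a real export, the absence of any deny for a port a client is known to use, while the client still works, is the signal that its traffic is going out on a port the ACL permits (for example 80 or 443), which is exactly what a packet capture on the workstation would then confirm.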

Author: Fire Ant    Location: London    Posted: Thu Aug 26, 2010 11:34 am    Post subject:

I suspect that MSN also uses port 80 to communicate. You can check this by installing something like Wireshark on your computer to capture the packets.

Fire Ant


