
PIX 515 and Outbound Security


mofusjtf

IS-IT--Management
Apr 20, 2004
471
US
I have a PIX 515 in place and would like to know if it is advantageous to limit outbound access? By default all outbound traffic is allowed. Typically, I only secure traffic that attempts to come in. Is this secure enough?
 
A couple of thoughts...

1) Outbound ACLs are how my organization blocks certain websites & ports for IM services.

2) Outbound ACLs can be used as a second layer of security, blocking worms from leaving your enterprise after you are already infected, so that you do not continue to infect the rest of the world.

Computer/Network Technician
CCNA
 
Using these ACLs, is it possible to prevent spyware from communicating out if an internal system gets infected? Typically with a product like ISA I would only allow the necessary protocols out like HTTP(S), SMTP, POP, FTP etc. I assume that is the same as using ACLs to limit ports/protocols.
 
Same exact thing...

You write it the exact same way: source address first, destination address second, but apply it to the inside interface.

So the source would become the internal network or host, and the destination would be the internet IP.

Computer/Network Technician
CCNA
 
Outbound ACLs are as valuable as inbound ones. Some things to consider blocking:

Outbound traffic with source addresses not on your network (spoofing).
All Microsoft protocols (135,137,139,445..)
SMTP from a source other than your internal mail servers.
Source service ports not originating at the proper servers (80,21,25 etc).

The only difference between an inbound and an outbound ACL is where it's applied. If you know router ACLs you won't have any problem with the Pix. Just remember that the Pix only applies an ACL to an interface as inbound (there's no "access-group xxx out").
 
I won't set up a firewall without both inbound and outbound ACLs for all the good reasons already noted. The pain comes up when you have to "lock down" a non-restricted path. The only way I have found reasonable is to setup logging to a syslog server and collect data (at level 6 or 7) on what traffic is passed. Once you have some data to work with, sift through it (manually if you have to, or using some shell scripts to sort and pull out only unique data), and write rules to permit those items you want to let out. If you are sure you have everything, cool, otherwise iterate the process until you are confident that you can remove the "permit ip any any" rule. Using the suffix "log" on the "any any" rule will create a unique syslog ID 106100, allowing you to track traffic that passed that rule (cuts down on the analysis big-time).
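The syslog-driven lock-down described above, as an added example that is not code from the original thread: a small Python script that parses PIX 106100 messages, collects the unique permitted flows, and prints candidate permit lines for the inside ACL, setting aside the Microsoft ports mentioned earlier in the thread for review. The sample log lines are constructed, and the 106100 message layout is assumed from the PIX 6.x system log documentation.

```python
import re
from collections import Counter

# Regex for the PIX 6.x syslog 106100 message body (format assumed from the
# PIX system log message documentation; see the constructed samples below).
MSG_106100 = re.compile(
    r"%PIX-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample syslog lines, as a PIX would send them when the final
# "permit ip any any log" rule on the inside interface matches.
SAMPLE_LOG = """\
Apr 20 2004 10:01:02 pix %PIX-6-106100: access-list outbound permitted tcp inside/10.1.1.5(1034) -> outside/203.0.113.10(80) hit-cnt 1 (first hit)
Apr 20 2004 10:01:05 pix %PIX-6-106100: access-list outbound permitted tcp inside/10.1.1.7(1040) -> outside/203.0.113.10(80) hit-cnt 1 (first hit)
Apr 20 2004 10:01:09 pix %PIX-6-106100: access-list outbound permitted tcp inside/10.1.1.20(2500) -> outside/198.51.100.25(25) hit-cnt 3 (300-second interval)
Apr 20 2004 10:01:12 pix %PIX-6-106100: access-list outbound permitted udp inside/10.1.1.5(1035) -> outside/198.51.100.53(53) hit-cnt 1 (first hit)
Apr 20 2004 10:01:15 pix %PIX-6-106100: access-list outbound permitted tcp inside/10.1.1.9(1044) -> outside/192.0.2.15(445) hit-cnt 1 (first hit)
Apr 20 2004 10:01:20 pix %PIX-6-106100: access-list outbound denied tcp inside/10.1.1.9(1045) -> outside/192.0.2.15(135) hit-cnt 1 (first hit)
"""

def unique_flows(log_text):
    """Return a Counter of (proto, src, dst, dport) -> hit count for permitted flows."""
    flows = Counter()
    for line in log_text.splitlines():
        m = MSG_106100.search(line)
        if m and m.group("action") == "permitted":
            key = (m.group("proto"), m.group("src"), m.group("dst"), int(m.group("dport")))
            flows[key] += int(m.group("hits"))
    return flows

def suggest_rules(flows, acl="outbound", review_ports=(135, 137, 139, 445)):
    """Turn the unique flows into candidate permit lines for the inside ACL;
    flows to the Microsoft ports are set aside for review instead of permitted."""
    rules, review = [], []
    for proto, src, dst, dport in sorted(flows):
        line = f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}"
        (review if dport in review_ports else rules).append(line)
    return rules, review

if __name__ == "__main__":
    rules, review = suggest_rules(unique_flows(SAMPLE_LOG))
    print("\n".join(rules))
    print("! review before permitting:")
    print("\n".join(review))
```

Feed it the real syslog file instead of SAMPLE_LOG, then iterate as the post describes until the trailing "permit ip any any log" rule stops logging anything you want to keep.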
 
Hello,

Anyone have any idea how to configure the outgoing blocking with Cisco PDM......?

Just trying around without success....


Thanks
Dan
 
I never use PDM (use access-list statements, it's easier).
I have always implemented inbound and outbound access-lists and it makes the overall network security so much stronger. I block all outgoing except explicitly permitted: HTTP, HTTPS, POP3 and SMTP, plus AOL for my boss. Normally users should not need any more ports open than what I mentioned above.
 