Block MYSpace with Cisco 851?


  • Block MYSpace with Cisco 851?

    Hello,

    I am looking to block Myspace from a section of our corporate network. We have multiple Cisco routers; I want to start with the 851, since it handles the section I am working with.

    After reading this posting about the blocking of myspace it appears to be a bigger pain than I thought.

    http://www.softwaretipsandtricks.com...space-com.html

    It says to add a list of IPs to the outbound packet filter settings. The trouble with that is there are so many IPs and proxies all over the net that it is impossible to find and block them all.

    Can I set the firewall to block some crazy wildcards like *.*myspace*.com, *.*myspace*.net?

    This is a really annoying problem that I want to deal with once and be done with it.

    We also have a Pix 506e, ASA5510, and 2800 series.

    Thanks in advance

    Ben Parker

  • #2
    Re: Block MYSpace with Cisco 851?

    You could either purchase a web filtering product such as Websense (best of breed IMO) or you could simply add an entry in your workstation HOSTS files pointing www.myspace.com at a local web server hosting a block-page...


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    • #3
      Re: Block MYSpace with Cisco 851?

      I looked at the host file situation: if I add 127.0.0.1 www.myspace.com this still allows the user to go to myspace.com, pics.myspace.com, videos.myspace.com etc.

      I looked for all subdomains of myspace.com and got a list of 30-40 or so and blocked all of those; a quick Google search and a few clicks later I was at Myspace.com surfing content again.

      The host file approach requires too much administration for my situation; the segment I am working on is only 10-15 PCs, but my whole network is over 120 PCs, and then there are laptops, BlackBerrys etc.

      We already run Spector360 on the largest segment of our network which does block most of myspace although somebody could proxy around that pretty easily. Again this solution is high overhead and administration. Also we do not want to expand the coverage of the spector software to the additional segments of our network.

      • #4
        Re: Block MYSpace with Cisco 851?

        Hmmm, it isn't that easy to block. If you know the IP addresses used, you can create an ACL with a deny for those IP addresses.

        Websense is in my opinion the way to go.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        • #5
          Re: Block MYSpace with Cisco 851?

          I went to DNSStuff.com and did some research; it appears that MySpace owns the IP range 216.178.32.0 - 216.178.47.255, and I have seen them using a whole bunch of these IPs.


          WHOIS - 216.178.38.130
          Generated by www.DNSstuff.com


          Location: United States [City: Olympia, Washington]


          OrgName: Myspace.com
          OrgID: MYSPA
          Address: 1333 2nd Dt Suite 100
          City: Santa Monica
          StateProv: CA
          PostalCode: 90401
          Country: US

          NetRange: 216.178.32.0 - 216.178.47.255
          CIDR: 216.178.32.0/20
          NetName: MYSPA-2
          NetHandle: NET-216-178-32-0-1
          Parent: NET-216-0-0-0-0
          NetType: Direct Assignment
          NameServer: NS1.MYSPACE.COM
          NameServer: NS2.MYSPACE.COM
          Comment:
          RegDate: 2006-05-22
          Updated: 2006-05-22

          OrgTechHandle: MYSPA-ARIN
          OrgTechName: MySpace NOC
          OrgTechPhone: +1-310-215-1001
          OrgTechEmail: ***@myspace.com

          # ARIN WHOIS database, last updated 2008-01-14 19:07
          # Enter ? for additional hints on searching ARIN's WHOIS database.

          What would the ACL entry look like if I want to try this?

          Thanks

          • #6
            Re: Block MYSpace with Cisco 851?

            It would look something like this:

            access-list 101 deny ip any 216.178.0.0 0.0.255.255

            • #7
              Re: Block MYSpace with Cisco 851?

              Do I put the denies first or last, or doesn't it matter?

              Here is a snippet of my config.

              ip access-list extended Internet-inbound-ACL
              deny ip any 216.178.0.0 0.0.255.255
              permit icmp any any echo
              permit icmp any any echo-reply
              permit icmp any any traceroute
              permit gre any any
              permit esp any any

              • #8
                Re: Block MYSpace with Cisco 851?

                It looks fine to me the way it is. Make sure you have a copy of the original config that you can put back quickly in case you have problems.

                I think you will need a "permit ip any any" on the last line as without it the router will use a default "deny ip any any".

                • #9
                  Re: Block MYSpace with Cisco 851?

                  It kinda works... from the Cisco CLI I cannot ping www.myspace.com, although I can ping www.google.com, so I think that the traffic is getting denied.

                  From a DOS prompt I can ping www.myspace.com.

                  Using my laptop www.myspace.com comes right up, using netstat I can see that some of my connections include the 216.178.0.0 network.

                  I did a show running-config to double check that the deny statements were included and they are.

                  Here is my config minus the passwords...

                  Code:
                  service password-encryption
                  hostname MSM
                  enable secret ********
                  enable password ********
                  aaa new-model
                  aaa authentication login default local
                  aaa authorization exec default local
                  aaa session-id common
                  ip http server
                  ip http secure-server
                  line con 0
                   password ********
                  line vty 0 4
                   password ********
                  ip domain name MSM
                  ip domain lookup
                  username administrator privilege 15 password ********
                  banner login ^Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^
                  ip dhcp excluded-address 192.168.1.1 192.168.1.50
                  service dhcp
                  ip dhcp pool Internal-net
                     network 192.168.1.0 255.255.255.0
                     default-router 192.168.1.1
                     import all
                     dns-server 216.220.230.24 216.220.230.25
                     domain-name MSM
                     lease 4
                  access-list 1 permit 192.168.1.0 0.0.0.255
                  ip nat inside source list 1 interface FastEthernet4 overload
                  interface FastEthernet4
                   ip address 216.220.228.125 255.255.255.224
                   ip tcp adjust-mss 1460
                   ip nat outside
                   no cdp enable
                  ip cef
                  ip inspect name MYFW tcp
                  ip inspect name MYFW udp
                  ip domain name MSM
                  ip name-server 216.220.230.24
                  ip name-server 216.220.230.25
                  ip route 0.0.0.0 0.0.0.0 216.220.228.97
                  interface FastEthernet0
                   spanning-tree portfast
                  interface FastEthernet1
                   spanning-tree portfast
                  interface FastEthernet2
                   spanning-tree portfast
                  interface FastEthernet3
                   spanning-tree portfast
                  bridge irb
                  interface Vlan1
                   description Internal Network
                   ip nat inside
                   ip virtual-reassembly
                   bridge-group 1
                   bridge-group 1 spanning-disabled
                  interface BVI1
                   description Bridge to Internal Network
                   ip address 192.168.1.1 255.255.255.0
                   ip nat inside
                   ip virtual-reassembly
                  bridge 1 route ip
                  int f0
                   no shut
                  int f1
                   no shut
                  int f2
                   no shut
                  int f3
                   no shut
                  int f4
                   no shut
                  ip inspect name MYFW tcp
                  ip inspect name MYFW udp
                  ip access-list extended Internet-inbound-ACL
                   deny ip 216.178.0.0 0.0.255.255 any
                   deny ip any 216.178.0.0 0.0.255.255
                   permit udp host 216.220.230.25 eq domain any
                   permit udp host 216.220.230.24 eq domain any
                   permit icmp any any echo
                   permit icmp any any echo-reply
                   permit icmp any any traceroute
                   permit gre any any
                   permit esp any any
                  interface FastEthernet4
                   ip inspect MYFW out
                   ip access-group Internet-inbound-ACL in
                  END

                  • #10
                    Re: Block MYSpace with Cisco 851?

                    Well, I'm not a Cisco expert but here goes:

                    Your pings work because you are allowing icmp echo and icmp echo requests (which are not processed by your myspace rule because it is an ip rule).

                    Try putting the access-list on the WAN interface outbound.

                    • #11
                      Re: Block MYSpace with Cisco 851?

                      First of all, IP is not ICMP.
                      If you want to deny ICMP to the range you need to create an explicit deny with ICMP as protocol.
                      Also you give a deny to 216.178.0.0 /16. Isn't that a bit much?
                      216.178.32.0 - 216.178.47.255 is a /20, so: 216.178.32.0 0.0.15.255

                      Next you need to add deny rules above allow rules. Rules are processed from top to bottom.

                      So my deny rules would look like:

                      deny ip any 216.178.32.0 0.0.15.255
                      deny icmp any 216.178.32.0 0.0.15.255
                      Last edited by Dumber; 16th January 2008, 16:51. Reason: typo
                      Marcel
                      Technical Consultant
                      Netherlands
                      http://www.phetios.com
                      http://blog.nessus.nl

                      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                      "No matter how secure, there is always the human factor."

                      "Enjoy life today, tomorrow may never come."
                      "If you're going through hell, keep going. ~Winston Churchill"

                      • #12
                        Re: Block MYSpace with Cisco 851?

                        If someone's using a proxy @ work, they should be busted for it IMHO. Can't see any normal employee using one. Systems should be locked down more, or common proxies blocked.

                        As for myspace, we just pushed out a host file to all the PCs, problem solved. No real upkeep to speak of.

                        And for one particularly naughty user, we used to redirect them via the host file to the old bonsai kitten website (read more about this hoax here). While they never complained to IT, they did call up the host and ask why they kept getting redirected to that site... couldn't stop laughing for hours. The same person said their manager said they could surf any website they wanted (IT sets policies, lady, not your manager). Their reason for wanting to surf the net? "I have no work to do for 6 hours (out of each day)." Needless to say, they didn't work there much longer...
                        ** Remember to give credit where credit is due and leave reputation points where appropriate **

                        • #13
                          Re: Block MYSpace with Cisco 851?

                          With all due respect, I don't believe that it should be the position of IT to set policy. The business should be setting the policy and IT should be providing guidance in that endeavor and enforcing policy. As an IT professional, I don't want to be the arbiter of what is and what isn't acceptable use of the computing systems at work. I want to provide guidance in regards to security, reliability, stability, performance, etc. as it applies to the AUP, but I don't want to determine for the rest of the business what is or is not ethical, moral, etc. A manager should set policy regarding what is and is not acceptable computing behavior for his or her employees, not me.

                          • #14
                            Re: Block MYSpace with Cisco 851?

                            stylus277:

                            From the info you provided, they own only a partial range of what you're blocking. There may be other sites and/or services within that range that you may want to access in the future. Change the mask to 0.0.15.255 on whatever types of traffic you choose to block on that IP range. (Wildcard Mask Calculator rocks.) Props to Dumber for being the first to mention the subnet's range.

                            It's been EONS since I looked at a cisco interface, but I THINK you need to make that change to the ACL, and it may be beneficial to block www / port 80 on that vlan or port or whatever. I'm not gonna pull out equipment at 1:30 AM to refresh my memory

                            As for blocking the ping, I think he's more interested in blocking end users from visiting the website and less interested if they attempt to ping it


                            Originally posted by joeqwerty:
                            I want to provide guidance in regards to security, reliability, stability, performance, etc.
                            Depends on circumstances. While yes, upper management and IT should set policies, what if they want to do something innocuous that will hurt the company? Example: streaming music from myspace. This is using up company bandwidth and can cause issues on the network.

                            We recently set up a new network for part of our company that split off, and they wanted full internet access (this is coming from the top execs). Our top IT guy said No, we're keeping the network secure by blocking certain sites. We reminded them why we lock the network down.

                            Yes, top brass should already have an acceptable computer use policy in place, but these policies are never specific to certain sites, just the types of sites and/or maybe mentioning that acceptable sites need to be work related. At a certain level top brass has to depend on the experience of IT about what to block and what not to block. There's always ways around policies though. Example: We have a St. Bernard web filtering tool. If a user wants to get access to a blocked site, they simply fill out the form that's in place of said blocked site. It basically asks who are you and why do you want access to the site. It then goes through an approval process.
                            ** Remember to give credit where credit is due and leave reputation points where appropriate **

                            • #15
                              Re: Block MYSpace with Cisco 851?

                              Wow, a lot of interesting stuff here when I got in this morning.

                              Thanks Dumber for the info on the subnet mask

                              I am still getting Myspace loud and clear, I have tried a couple different deny statements but it doesn't seem to work. My most recent attempt is "deny tcp 216.178.32.0 0.0.15.255 any eq 80" but no luck.

                              joeqwerty:
                              Try putting the access-list on the WAN interface outbound.

                              Looking at my config I posted earlier, how would I add an ACL to my WAN interface, which is FastEthernet 4?


                              As far as our company computer usage policy and who has control: our upper management and HR management have written computer usage policies that cover internet use, personal use, and unauthorized software. As the IT peon I am happy to have this policy in black and white, so that if I am enforcing something a user doesn't like I can pass the buck and say "discuss it with your manager". The statements in our policy are generic as well, not calling out specific web sites or software.

                              One instance that comes to mind: a manager requested that I really lock down a user's workstation. After I got called by the user to update Adobe, re-install WinZip, and install Windows updates, he questioned whether there was some reason he could no longer do these types of tasks. I had to come clean and tell him that his profile was locked down, and he got all fired up. I was able to calmly state that this decision came from way above me and that he should speak to his manager; it was end of story and there was no bad blood between us, because he realizes that I am just doing my job as instructed by my management.

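The wildcard-mask point raised in #11 and #14 (a /16 deny over-blocks addresses MySpace does not own; the WHOIS NetRange collapses to 216.178.32.0 with wildcard 0.0.15.255) and the `deny tcp 216.178.32.0 0.0.15.255 any eq 80` entry tried in #15 can both be checked offline. The Python below is an added example, not code from the thread or from any poster: it converts an address range into an IOS network/wildcard pair and walks a list of extended ACL entries top-down with the implicit deny at the end, the way IOS evaluates them. The ACL lists, the LAN client 192.168.1.10, the in-/16-but-outside-/20 address 216.178.200.1 and the non-MySpace destination 192.0.2.1 are constructed for the demo; 216.178.38.130 is the address from the WHOIS lookup in #5. The parser handles only `any`, `host` and contiguous wildcard masks, with `eq <port>` on the destination, and ignores ICMP type keywords; it does not model interface direction, NAT or the stateful `ip inspect` rules in the posted config, which permit return traffic regardless of the ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the thread): a small model of IOS extended-ACL
# matching, used to sanity-check wildcard masks and entry order offline.

PORT_NAMES = {"www": 80, "domain": 53}  # the named ports that appear in the thread


def wildcard_mask(prefix_len: int) -> str:
    """Cisco wildcard mask for a prefix length, i.e. the inverted subnet mask."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").hostmask)


def range_to_wildcard(first: str, last: str) -> Tuple[str, str]:
    """Collapse an address range (e.g. a WHOIS NetRange) into network + wildcard.

    Raises if the range is not a single aligned CIDR block, because then one
    ACL entry cannot express it exactly.
    """
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not a single CIDR block: {nets}")
    return str(nets[0].network_address), str(nets[0].hostmask)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]      # only "eq <port>" after the destination is modelled


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (contiguous wildcard only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)   # wildcard -> subnet mask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one extended ACL entry; ICMP type keywords (echo, ...) are ignored."""
    tokens = line.split()
    action, protocol = tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
    return Ace(action, protocol, src, dst, port)


def evaluate(acl: List[str], protocol: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        ace = parse_ace(line)
        if ace.protocol != "ip" and ace.protocol != protocol:   # "ip" covers every IP protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, line
    return "deny", "implicit deny ip any any"


# Constructed ACLs mirroring the thread's variants: the /16 from #7, the /20 from #11,
# the port-80 entry from #15, each followed by the trailing permit #8 recommends.
ACL_SLASH16 = ["deny ip any 216.178.0.0 0.0.255.255", "permit ip any any"]
ACL_SLASH20 = ["deny ip any 216.178.32.0 0.0.15.255",
               "deny icmp any 216.178.32.0 0.0.15.255",
               "permit ip any any"]
ACL_EQ80 = ["deny tcp 216.178.32.0 0.0.15.255 any eq 80", "permit ip any any"]

CLIENT = "192.168.1.10"        # constructed LAN host in the 851's DHCP pool
MYSPACE = "216.178.38.130"     # address from the WHOIS lookup in #5
OTHER_IN_16 = "216.178.200.1"  # constructed: inside the /16 but outside the /20
ELSEWHERE = "192.0.2.1"        # constructed non-MySpace destination (TEST-NET-1)

if __name__ == "__main__":
    print(range_to_wildcard("216.178.32.0", "216.178.47.255"))  # ('216.178.32.0', '0.0.15.255')
    for name, acl in (("/16", ACL_SLASH16), ("/20", ACL_SLASH20), ("eq 80", ACL_EQ80)):
        print(name, "web ->", MYSPACE, evaluate(acl, "tcp", CLIENT, MYSPACE, 80))
        print(name, "web ->", OTHER_IN_16, evaluate(acl, "tcp", CLIENT, OTHER_IN_16, 80))
    print("/20 ping ->", MYSPACE, evaluate(ACL_SLASH20, "icmp", CLIENT, MYSPACE))
    print("/20 without trailing permit:", evaluate(ACL_SLASH20[:2], "tcp", CLIENT, ELSEWHERE, 443))
```

Run as a script it prints each verdict together with the entry that produced it. Three things fall out: the /16 list denies 216.178.200.1, which the /20 list lets through, so the tighter mask avoids blocking addresses outside the WHOIS range; because the `ip` keyword matches every IP protocol, an ICMP packet to the range is stopped by the first `deny ip` line and the separate `deny icmp` entry is never reached; and the `deny tcp 216.178.32.0 0.0.15.255 any eq 80` entry from #15 matches only packets whose source is in the MySpace range and whose destination port is 80, which is not what a browser's outbound request looks like (source is the client, destination port is 80), so that request falls through to the permit. Dropping the trailing `permit ip any any` sends unrelated traffic to the implicit deny, as #8 warned.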