Thread: Cisco PIX 515, help

#1 Member (Join Date: Jan 2002; Posts: 61)

    Cisco PIX 515, help

    Hey guys

    I need some help configuring our FW. We have about 1500 nodes behind a Cisco 515r FW. Recently we have seen an increase of network traffic due to P2P progs and also IM (instant messaging) progs. I have tried to block specific traffic from these progs but they are constantly changing their IPs and port numbers. What I would like to do is to block all unused ports. From the research that I have done, it looks like if I block everything > 1024, I should not interfere with any "normal" network operations (DNS, telnet, SNMP, SMTP, ftp, etc.). What do you guys think? Also, does anyone know the syntax to do such a thing?

#2 Senior Member (Join Date: Oct 2002; Posts: 314)

    As long as you are not running any apps on higher ports you should be fine.

    Although some P2P apps and IM progs can have a port specified, so they could get around this using lower-numbered ports. Couldn't you just use a deny-everything rule after all your other rules? I'm not sure, I can't remember the PIX syntax...
    Quis custodiet ipsos custodes

#3 Senior Member (Join Date: Jan 2002; Posts: 458)

    The syntax is:

    access-list <acl_name> deny tcp any any gt 1024

    Be very careful though. Many applications will legitimately use ports higher than 1024. My advice would be to monitor traffic through the PIX before deciding to use a rule like this. The best solution would be to look at some type of content filtering solution like Websense. Many of these will allow you to block IM traffic based on the database that is updated from the vendor. It is much easier than trying to do it manually. Also, a proxy server for outbound web traffic would allow you to have much greater control over traffic leaving your network because you could restrict all ports on your PIX except the web traffic coming directly from your proxy. Beware though, many IM programs now use an HTTP transport which can use a proxy. But that is why I recommend using content filtering.
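    To act on the "monitor before you deploy" advice above, here is an added example (not code from this thread or from Cisco) that dry-runs a PIX-style access list, in the first-match order post #3's syntax implies, against a handful of constructed flows. The policy, hosts and ports are all made up for illustration; it assumes only the `any` and `host A.B.C.D` address forms and the eq/gt/lt/range port operators, and that unmatched traffic hits the PIX implicit deny.

```python
from collections import namedtuple

# Added example, not code from the thread: first-match dry run of a PIX-style
# access list (post #3 syntax, 'any'/'host' addresses only) against constructed flows.
Rule = namedtuple("Rule", "action proto src dst op ports")

def parse_rule(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [OP PORT [PORT]]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    i, addrs = 4, []
    for _ in range(2):                        # source, then destination
        if tok[i] not in ("any", "host"):
            raise ValueError(f"unsupported address form: {tok[i]}")
        addrs.append("any" if tok[i] == "any" else tok[i + 1])
        i += 1 if tok[i] == "any" else 2
    op = tok[i] if i < len(tok) else None     # eq / gt / lt / range, or none
    return Rule(tok[2], tok[3], *addrs, op, tuple(map(int, tok[i + 1:])))

def port_matches(rule, dport):
    p = rule.ports                            # p[-1] keeps single-port ops safe
    return rule.op is None or {"eq": dport == p[0], "gt": dport > p[0],
                               "lt": dport < p[0], "range": p[0] <= dport <= p[-1]}[rule.op]

def evaluate(rules, flow):
    """Return (entry index, action) of the first match; no match is the implicit deny."""
    proto, src, dst, dport = flow
    for i, r in enumerate(rules):
        if (r.proto in ("ip", proto) and r.src in ("any", src) and r.dst in ("any", dst)
                and (r.proto == "ip" or port_matches(r, dport))):
            return i, r.action
    return None, "deny"

# Constructed outbound policy: explicit permits, then the high-port denies, then the rest.
ACL = """
access-list outbound permit tcp any any eq 80
access-list outbound permit tcp any host 10.0.0.5 eq 8080
access-list outbound deny tcp any any gt 1024
access-list outbound deny udp any any gt 1024
access-list outbound permit ip any any
"""
RULES = [parse_rule(l) for l in ACL.splitlines() if l.strip()]
# Constructed flows (proto, src, dst, dst_port) using documentation address ranges.
FLOWS = [("tcp", "192.168.1.10", "203.0.113.7", 80),      # web: entry 0 permits
         ("tcp", "192.168.1.10", "10.0.0.5", 8080),       # listed app server: entry 1 permits
         ("tcp", "192.168.1.11", "10.0.0.6", 8080),       # unlisted server, same app: entry 2 denies
         ("tcp", "192.168.1.12", "198.51.100.9", 5000),   # high-port peer: entry 2 denies
         ("udp", "192.168.1.13", "203.0.113.2", 53)]      # DNS: entry 4 permits
REPORT = {flow: evaluate(RULES, flow) for flow in FLOWS}  # what would hit what
```

    Feeding real connection records (exported from the PIX or a span port) into FLOWS instead of the constructed ones shows exactly which legitimate high-port applications the deny would catch before the rule goes live.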
