Here at work we have problems with what I'll call non-productive distractions. Usually this means someone has been surfing Facebook or MySpace all day when they should actually be doing something productive, such as work. I searched all over Google and rounded up some quick and easy answers for you. Here are the commands you need to block Facebook and MySpace on your Cisco PIX device with an access-list.
We'll name this access-list "block":
#Myspace
access-list block deny tcp any 216.178.32.0 255.255.240.0
#Facebook
access-list block deny tcp any 69.63.176.0 255.255.240.0
access-list block deny tcp any 66.220.144.0 255.255.240.0
access-list block deny tcp any 69.171.224.0 255.255.224.0
access-list block deny tcp any 204.15.20.0 255.255.252.0
#essential
access-list block permit udp any any
access-list block permit tcp any any
access-list block permit icmp any any
#When you're ready to apply the access-list
access-group block in interface inside
Enter all of the lines that aren't commented out (#) and it should stop most normal computer users. They will be able to get around this with proxies, but if you want to completely cut off Facebook access for people who are really good at finding proxies, you'll have to purchase better content-filtering software.
You will have to modify this to your needs. Some people want to restrict pinging, in which case you'd remove the permit icmp any any line. The three permits are crucial: the PIX ends every access-list with an implicit deny, so without them you will end up blocking everyone on the inside from reaching anything on the outside. What we've done is deny just a few destinations and then permit everything else. The access-list is evaluated top down and the first matching line wins, so if you add more deny lines, make sure they come before the permits or they will never take effect.
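As an added example (not part of the original post), here is a small Python model of how the PIX walks this access-list: first matching line wins, with an implicit deny at the end. The parser, evaluate and shadowed_denies functions are my own assumptions about a minimal evaluator; the ACL text is the one from the post, and it lets you check that a new deny line is not sitting below a permit that already covers it.

```python
import ipaddress

ACL_FROM_POST = """\
access-list block deny tcp any 216.178.32.0 255.255.240.0
access-list block deny tcp any 69.63.176.0 255.255.240.0
access-list block deny tcp any 66.220.144.0 255.255.240.0
access-list block deny tcp any 69.171.224.0 255.255.224.0
access-list block deny tcp any 204.15.20.0 255.255.252.0
access-list block permit udp any any
access-list block permit tcp any any
access-list block permit icmp any any
"""

def _take_addr(tok):
    """Consume 'any' or 'ADDR NETMASK' (PIX syntax uses a real netmask, not a wildcard)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text):
    """Turn 'access-list NAME action proto SRC DST' lines into (action, proto, src, dst)."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # skip blank lines and '#' comments
        action, proto = tok[2], tok[3]
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        aces.append((action, proto, src, dst))
    return aces

def evaluate(aces, proto, src_ip, dst_ip):
    """First matching line wins; the PIX ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for lineno, (action, p, s, d) in enumerate(aces, 1):
        if p in (proto, "ip") and src in s and dst in d:
            return action, lineno
    return "deny", None  # implicit deny: no line matched

def shadowed_denies(aces):
    """Line numbers of deny entries that sit below a permit covering the same traffic."""
    shadowed = []
    for i, (action, p, s, d) in enumerate(aces):
        if action != "deny":
            continue
        for action2, p2, s2, d2 in aces[:i]:
            if action2 == "permit" and p2 in (p, "ip") and s.subnet_of(s2) and d.subnet_of(d2):
                shadowed.append(i + 1)
                break
    return shadowed
```

Note that the post's deny lines match TCP only, so the model (like the PIX) still permits UDP to those ranges via the permit udp any any line.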
If you're like me and want to take things a step further to see what your users have been up to, you can do a number of things with free open source software. Here is the suite that I use at my workplace.
Gentoo Linux Software
Snort - Intrusion Detection System
BASE - Web interface for snort
Cacti - Collects various SNMP counters from hosts and plots them on graphs
Ntop - Very easy to install, and shows you almost everything you want to know about your network, including which websites each specific inside host is connected to.
I also have the Cisco PIX 501 that I'm using send its log data to my Linux box using syslog-ng. I e-mail the logs from the Cisco box (ranging from access-list denials to critical malfunctions) to my Linux box. This lets me keep on top of what's going on with our central router.
I run all of this on an old P4 Dell box with 2 GB of memory. I run an Ethernet cable to a managed switch that can mirror all traffic to the port the Linux box is connected to. This means I mirror the port that's hooked up to my router, which gives me access to all of the data before it goes to the outside world.
If you have any questions feel free to comment or send me an e-mail at JamesArhy@gmail.com
Friday, January 16, 2009
Over 100 unique views and no comments, come on guys!
IT DOES NOT BLOCK FACEBOOK!
Make sure you remember to apply it IN the inside interface. You want to block it as the request is going out. Also make sure that your permit code isn't above the deny on the ACL. This block is tested to work at my location; that is Facebook's network block.
Thank you for the comment! I hope that you end up getting it to work :)
I just tested it again today, the access list that I have listed here successfully blocks myspace and facebook as of today's date. I'm not sure what trompeo's deal is since he didn't elaborate, but it's working at my business.
69.36.176.0 should be 69.63.176.0, no?
The Facebook net is 69.63.176.0/21
You are correct, thank you for the correction
I tried this but it does not seem to work.
This is how it looked:
access-list block; 5 elements
access-list block line 1 deny tcp any 216.178.32.0 255.255.240.0 (hitcnt=0)
access-list block line 2 deny tcp any 69.63.176.0 255.255.240.0 (hitcnt=0)
access-list block line 3 permit udp any any (hitcnt=5)
access-list block line 4 permit tcp any any (hitcnt=40)
access-list block line 5 permit icmp any any (hitcnt=0)
Sorry - here it appears they may have added new ip addresses since this article was posted :)
66.220.144.0 - 66.220.159.255
69.63.176.0 - 69.63.191.255
69.171.224.0 - 69.171.255.255
204.15.20.0 - 204.15.23.255
Updated the article to include all of facebook's ip ranges.