
Importing a HOSTS file as static routes


denathor (Aug 2, 2004)
Will this cause too much CPU utilization on my PIX 515e if I take my HOSTS file and just make 15000 static routes to nowhere?
I would much rather update one firewall than hundreds of PCs :)
i.e.
ip host badsite.com 127.0.0.1

Simple enough to make a script to read the domains from the hosts file and add the IOS command structure. Just worried I will bring the device to its knees.
 
What are you trying to accomplish? Why not just have an internal DNS server, create the bad site domains on it, and point them to nowhere?

The PIX doesn't provide DNS resolution.
 
Too easy for a user to simply change their DNS server. Trying to block malware and do some basic filtering without having to install, maintain, and pay for a Websense server.
There are free services that get updated daily with new hosts lists to block all known unwanted sites.
I already have a PHP script that will convert the HOSTS file into Cisco static routes and SSH them over to the firewall. Then I just keep my own database of what's on the firewall vs. what's new in the most recent list and only upload the changes each day.
Now I have one source blocking all external threats instead of going around and updating 100 PCs' HOSTS files, and it's an automated script, not manual work.
 
It's not easy for them to change it if you block DNS requests outbound except from your server. I would look at OpenDNS.
 
Blocking DNS is good, not sure why I hadn't thought of that :)
We don't restrict our users, so I never think to restrict basics outbound.
So many legit sites now have bad ads or have been compromised and contain web bugs and such, I want to minimize my clean-up when they visit these places.
I also do want to block things like meebo, which is not malware, but I don't want it used, and they have now started embedding it in web pages and piggybacking on the web ports, so the only way to block it is to black-hole their servers.
Thank you again
 
I just read this and I thought along the same lines. Block DNS requests from the users and not from the internal DNS server. Force the users to use the internal DNS services.

Beware: so long as your DNS server isn't the only one on site. Make sure you have a backup or several. If you force the users to use your services, they need to be available.

Secondly, 15K routes? Isn't that kinda excessive for a PIX 515e? I would not try it. Talk about memory upgrades, possible high CPU utilization, and management. The PIX 525 and 535 are fairly cheap if you needed to upgrade, if that was the route you wanted to take. I would still try to keep the PIX as simple as possible. This way, management isn't a task, and trying to figure out CPU issues isn't much of an issue.

Have a great day..
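As an added example (not the original poster's PHP script, and not code from the thread), here is the conversion-and-diff step denathor describes, together with the "only the internal resolver may talk DNS outbound" rule the later replies recommend. It parses a HOSTS-format blocklist the way a real feed needs to be parsed (comments, several names per line, mixed case, `localhost`/IPv6 loopback entries that must never be pushed), diffs the result against the set already on the firewall so only changes are sent each day, and renders the commands. The `ip host NAME 127.0.0.1` form is the one posted in the thread; the `no ip host` negation, the ACL name `inside_in`, the resolver address 10.0.0.5 and the PIX 6.x access-list syntax are assumptions for illustration, and the blocklist and "previously pushed" set are constructed inline. Pushing the commands over SSH is left to whatever the reader already uses.

```python
import ipaddress
import re

# Constructed sample blocklist in HOSTS format (not a real feed). It deliberately
# contains the things a real list has that must NOT become firewall entries:
# comments, localhost, the IPv6 loopback line, several names on one line,
# mixed case, stray whitespace and a junk line.
SAMPLE_HOSTS = """\
# Constructed example blocklist, not a real feed
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.net   # inline comment
127.0.0.1 badsite.example   tracker.badsite.example
  127.0.0.1\tMALWARE.EXAMPLE.ORG
0.0.0.0 meebo.example
bogus line without an address
"""

# Constructed record of what was pushed yesterday (the "database" the OP keeps).
PREVIOUSLY_PUSHED = {"ads.example.net", "old.example.com", "meebo.example"}

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Hostname sanity check: dotted labels, letters/digits/hyphens only. Anything
# else from an untrusted feed is dropped rather than sent to the firewall CLI.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def parse_hosts_blocklist(text):
    """Return the set of domains a HOSTS-format blocklist sinkholes."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, trim
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # junk line, not "IP names..."
        if str(addr) not in SINKHOLE_ADDRESSES:
            continue                              # e.g. ::1 loopback line
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            domains.add(name)
    return domains


def plan_changes(current, desired):
    """Diff the set on the firewall against today's list: (to_add, to_remove)."""
    return sorted(desired - current), sorted(current - desired)


def render_commands(to_add, to_remove, sinkhole="127.0.0.1"):
    """Emit removals first, then additions, in the form posted in the thread.
    The 'no ...' negation is the usual Cisco convention, assumed here."""
    cmds = [f"no ip host {d} {sinkhole}" for d in to_remove]
    cmds += [f"ip host {d} {sinkhole}" for d in to_add]
    return cmds


def dns_egress_acl(internal_dns, acl="inside_in"):
    """PIX 6.x-style inbound ACL on the inside interface (assumed syntax):
    only the internal resolver may send DNS (UDP and TCP 53) out; everything
    else is left open, matching the 'we don't restrict users' setup."""
    return [
        f"access-list {acl} permit udp host {internal_dns} any eq domain",
        f"access-list {acl} permit tcp host {internal_dns} any eq domain",
        f"access-list {acl} deny udp any any eq domain",
        f"access-list {acl} deny tcp any any eq domain",
        f"access-list {acl} permit ip any any",
        f"access-group {acl} in interface inside",
    ]


if __name__ == "__main__":
    today = parse_hosts_blocklist(SAMPLE_HOSTS)
    add, remove = plan_changes(PREVIOUSLY_PUSHED, today)
    print(f"{len(today)} domains in list, {len(add)} to add, {len(remove)} to remove")
    for cmd in render_commands(add, remove) + dns_egress_acl("10.0.0.5"):
        print(cmd)
```

The diff is what keeps the daily job small: with a 15K-entry feed the firewall only ever sees the handful of lines that changed, and the removal side means entries that drop off the feed are also cleaned up instead of accumulating. Keep the "previously pushed" set on disk (or pull the running config and parse it) so a failed push can be retried against the real state rather than the intended one.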
 