Block Streaming Media with PIX or Cisco Access List

Greetings fellow Experts:

I am running a military network with limited internet bandwidth.  One of the main activities which is wasting available bandwidth is the use of streaming media such as RealAudio, etc.  Does anyone know how to block access to streaming audio by use of a Cisco Pix Firewall or a Cisco Access-List?  Similarly, is it possible to block or limit access to services like Napster or its latest hybrids?  Any information would be greatly appreciated.

Regards,

Herb
TooKoolKris commented:
The problem with programs such as Napster is that it allows the user to define what port to communicate on. Napster by default uses TCP port 6969, however it can be changed to any other by choice.

As has been mentioned, streaming media can make use of port 80, which you would need to keep open for Internet usage. However, these streaming connections do keep a consistent TCP connection open, and if you query your router you can find the IPs of the streaming servers and then block those connections by IP.

Use the command "show ip cache flow" or "sh ip ca fl" on your Cisco router and you will see a connection list by IP of which machines on your side are making connections and which IPs they are talking to. You should be able to recognize streamers by their high packet counts because it is a constant connection. You then do an NSLOOKUP on that IP and you will hopefully be able to determine that the user is streaming audio. I love it when I catch them red-handed that way; the looks on their faces are priceless.

You need the backing of management to enforce a policy that prohibits this type of Internet usage. Once you get this and catch a couple of people so they can be made an example of, this problem slows greatly ;)

Trying to block all of the ports is going to be a useless cause. You need to either close all outbound ports over 1024 and then figure out the ones needed for business to open back up, or get management involved with policing the people on the network.

Hope this helps,

TooKoolKris
MCSE+I, CCNA, A+
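The two approaches in the answer above (find the heavy, long-lived flows in the router's flow cache and block the server IPs; or close outbound TCP above 1024 and re-open only what the business needs) as an added example. This is not code from the original thread or from Cisco. It parses a constructed sample of "show ip cache flow" output (hex protocol and port columns, packet counts with a K/M suffix), ranks the inside-to-outside pairs by packet count, and emits IOS extended access-list lines. The sample flows, the 1000-packet threshold, the ACL numbers and the assumption that the K/M suffixes mean thousands and millions are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip cache flow" output (made up for this example,
# not captured from a real router). Columns: SrcIf SrcIPaddress DstIf
# DstIPaddress Pr SrcP DstP Pkts. Protocol and ports are hexadecimal; packet
# counts may carry a K or M suffix.
SAMPLE_CACHE_FLOW = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         10.1.1.25       Se0/0         192.0.2.44      06 0C3C 0050   18K
Et0/0         10.1.1.25       Se0/0         192.0.2.44      06 0C3E 0050   11K
Et0/0         10.1.1.40       Se0/0         198.51.100.7    06 0D11 0050    42
Et0/0         10.1.1.12       Se0/0         203.0.113.9     06 0F20 1B3A  3140
Et0/0         10.1.1.12       Se0/0         203.0.113.9     11 1A2B 1A2B   950
Et0/0         10.1.1.40       Se0/0         198.51.100.8    06 0D12 0035    12
"""

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{1,4})\s+(?P<dport>[0-9A-Fa-f]{1,4})\s+"
    r"(?P<pkts>\d+[KM]?)\s*$"
)

PROTO_NAME = {6: "tcp", 17: "udp"}


def parse_packets(token):
    """Expand the packet-count column; K and M are assumed to mean 10^3 and 10^6."""
    mult = {"K": 1000, "M": 1000000}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)


def parse_cache_flow(text):
    """Return one dict per flow line; header and non-flow lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "src": m["src"], "dst": m["dst"],
            "proto": int(m["proto"], 16),
            "sport": int(m["sport"], 16), "dport": int(m["dport"], 16),
            "pkts": parse_packets(m["pkts"]),
        })
    return flows


def top_talkers(flows, min_pkts=1000):
    """Aggregate packets per (inside host, outside host, protocol, dest port) and
    return the pairs at or above min_pkts, heaviest first. Streams show up as a
    few very heavy flows; ordinary web browsing is many small ones."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["proto"], f["dport"])] += f["pkts"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(key, pkts) for key, pkts in ranked if pkts >= min_pkts]


def acl_lines(talkers, acl_number=101):
    """Block-by-IP approach: one IOS extended ACL deny per streaming server
    (deduplicated), then the usual permit for everything else."""
    lines, seen = [], set()
    for (_src, dst, proto, _dport), _pkts in talkers:
        name = PROTO_NAME.get(proto, "ip")
        if (dst, name) in seen:
            continue
        seen.add((dst, name))
        lines.append(f"access-list {acl_number} deny {name} any host {dst}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def high_port_lockdown(business_ports, acl_number=102):
    """Close-everything-above-1024 approach: permit the business ports first
    (IOS ACLs are first-match, top down), then deny outbound TCP to any
    destination port above 1024, then permit the rest."""
    lines = [f"access-list {acl_number} permit tcp any any eq {p}"
             for p in sorted(business_ports)]
    lines.append(f"access-list {acl_number} deny tcp any any gt 1024")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    flows = parse_cache_flow(SAMPLE_CACHE_FLOW)
    for key, pkts in top_talkers(flows):
        print(f"{key[0]} -> {key[1]} {PROTO_NAME.get(key[2], key[2])}/{key[3]}: {pkts} packets")
    print("\n".join(acl_lines(top_talkers(flows))))
    print("\n".join(high_port_lockdown({3389, 8080})))
```

The generated lines are applied inbound on the inside interface (`interface Ethernet0/0` then `ip access-group 101 in` in IOS; on a PIX the equivalents are a named `access-list` with `access-group ... in interface inside`, and the live connection table is `show conn` rather than the IOS flow cache, which only exists where `ip route-cache flow` is enabled). Blocking by IP is a moving target: streaming providers add and change servers, so the flow-cache check has to be repeated and the ACL maintained, which is why the answer pairs it with a management policy.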
geoffryn commented:
You have to know what specific ports to deny on an application by application basis.  The following shows the ports that are required for RA.  You would need similar info for each application.

http://service.real.com/firewall/adminfw.html
schreib (author) commented:
I believe that the problem is that RealAudio and other streaming media purposely try to circumvent firewalls (in order to increase potential viewership). In doing so, they use other common ports such as 80, making blocking much more difficult. It may require stateful packet inspection or some filtering at a layer above the network layer to succeed.

Herb
arvi_sam commented:
Hi,
Can you elaborate on your arrangement a bit more? Are you using PIX? In that case, do you have a DMZ or simply 2 zones on your PIX? Do you have any conduits / acls on the PIX at present?

Also you want to prevent RealAudio content from being accessed from within or do you wish to prevent RealAudio being served out? Lastly are you talking about just streaming content (using the RTSP protocol) or also about RA / RM files which can be fetched over HTTP?

Please provide more details then maybe we can work out something.

Regards,

Arvind Shyamsundar
Brainbench MVP for Internet Security.
schreib (author) commented:
Hi Arvi:

We have a simple configuration with an inside and an outside (connected to the Internet) network. We need to prevent users on the inside from utilizing streaming media from the Internet for bandwidth conservation reasons. The challenge is that we are talking about streaming content that often or usually tunnels by way of HTTP (port 80).

Herb
schreib (author) commented:
Thanks Kris!

That is the direction I will pursue.

Herb
yachtingpromotions commented:
Thanks Kris, worked like a charm. Wish I could post the pictures of their faces, lol.