  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2768

Block Streaming Media with PIX or Cisco Access List

Greetings fellow Experts:

I am running a military network with limited internet bandwidth.  One of the main activities which is wasting available bandwidth is the use of streaming media such as RealAudio, etc.  Does anyone know how to block access to streaming audio by use of a Cisco Pix Firewall or a Cisco Access-List?  Similarly, is it possible to block or limit access to services like Napster or its latest hybrids?  Any information would be greatly appreciated.

Regards,

Herb
Asked by: schreib

1 Solution
 
geoffryn Commented:
You have to know what specific ports to deny on an application by application basis.  The following shows the ports that are required for RA.  You would need similar info for each application.

http://service.real.com/firewall/adminfw.html
0
 
schreib (Author) Commented:
I believe that the problem is that RealAudio and other streaming media purposefully try to circumvent firewalls (in order to increase potential viewership).  In doing so, they use other common ports such as 80, making blocking much more difficult.  It may require stateful packet inspection or some filtering at a layer above the network layer to succeed.

Herb
0
 
arvi_sam Commented:
Hi,
Can you elaborate on your arrangement a bit more? Are you using PIX? In that case, do you have a DMZ or simply 2 zones on your PIX? Do you have any conduits / acls on the PIX at present?

Also, do you want to prevent RealAudio content from being accessed from within, or do you wish to prevent RealAudio being served out? Lastly, are you talking about just streaming content (using the RTSP protocol) or also about RA / RM files which can be fetched over HTTP?

Please provide more details then maybe we can work out something.

Regards,

Arvind Shyamsundar
Brainbench MVP for Internet Security.
0
 
schreib (Author) Commented:
Hi Arvi:

We have a simple configuration with an inside and outside (connected to internet) network.  We need to prevent users on the inside from utilizing streaming media from the internet for bandwidth conservation reasons.  The challenge is that we are talking about streaming content that often / usually tunnels by way of http (port 80).

Herb
0
 
TooKoolKris Commented:
The problem with programs such as Napster is that it allows the user to define what port to communicate on. Napster by default uses TCP port 6969, however it can be changed to any other by choice.

As has been mentioned, streaming media can make use of port 80, which you would need to keep open for Internet usage. However, these streaming connections do keep a consistent TCP connection open, and if you query your router you can find the IPs of the streaming servers and then block those connections by IP.

Use the command "show ip cache flow" or "sh ip ca fl" on your Cisco router and you will see a connection list by IP of what machines on your side are making connections and to what IPs they are talking. You should be able to recognize streamers by their high packet counts because it's a constant connection. You then do an NSLOOKUP on that IP and you will hopefully be able to determine that the user is streaming audio. I love it when I catch them red-handed that way; the looks on their faces are priceless.

You need the backing of Management to enforce a policy that prohibits this type of Internet usage. Once you get this and catch a couple of people so they can be made an example of, this problem slows greatly ;)

Trying to block all of the ports is going to be a lost cause. You need to either close all outbound ports over 1024 and then figure out the ones needed for business to open back up, or get management involved with policing the people on the network.

Hope this helps,

TooKoolKris
MCSE+I, CCNA, A+
0
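The two answers above amount to a procedure: know the per-application ports (geoffryn), then read the router's flow cache, pick out the persistent high-packet flows, and deny the server IPs they point at (TooKoolKris). The script below is an added example, not code from the thread or from Cisco. It parses a constructed sample of `show ip cache flow` output (the IOS NetFlow cache display, where protocol and ports are printed in hex and packet counts carry K/M suffixes), flags flows either by the well-known RealAudio delivery ports (RTSP 554, PNA 7070) or by an assumed packet threshold, and emits IOS extended-ACL deny lines for the flagged servers. The ACL number, the threshold and the sample addresses are assumptions.

```python
"""Spot persistent, high-volume outbound flows in 'show ip cache flow' output.

Added example (not from the thread): applies the flow-cache review that
TooKoolKris describes and the per-application port knowledge geoffryn
recommends. The sample output is constructed; its column layout follows the
IOS NetFlow cache table (protocol and ports in hex, packet counts with K/M).
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like the 'show ip cache flow' table on an IOS router.
SAMPLE_CACHE_FLOW = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.25       Se0/0         203.0.113.10    06 0C1E 0050   48K
Fa0/0         10.1.1.31       Se0/0         198.51.100.7    06 0D2A 0050    37
Fa0/0         10.1.1.40       Se0/0         203.0.113.22    06 0E10 022A  1200
Fa0/0         10.1.1.12       Se0/0         198.51.100.9    11 13C4 1B9E   12K
Fa0/0         10.1.1.12       Se0/0         198.51.100.3    06 1F90 0019     9
"""

# Well-known default ports for RealAudio/RealMedia delivery. Players can be
# reconfigured, so a site still has to confirm what its own users' clients use.
STREAMING_PORTS = {554: "RTSP", 7070: "PNA (RealAudio)"}
# Flows at or above this packet count are treated as persistent streams (assumed threshold).
PACKET_THRESHOLD = 10_000

_ROW = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+[KM]?)\s*$"
)


@dataclass
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int
    packets: int


def parse_packets(field: str) -> int:
    """'48K' -> 48000, '12M' -> 12000000, '37' -> 37."""
    mult = {"K": 1_000, "M": 1_000_000}
    return int(field[:-1]) * mult[field[-1]] if field[-1] in mult else int(field)


def parse_cache_flow(text: str) -> list[Flow]:
    """Parse the flow table; header lines and unparseable rows are skipped."""
    flows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        flows.append(Flow(m["src"], m["dst"], int(m["pr"], 16),
                          int(m["sport"], 16), int(m["dport"], 16),
                          parse_packets(m["pkts"])))
    return flows


def suspect_streams(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return (flow, reason) for flows that look like streaming sessions."""
    hits = []
    for f in flows:
        if f.dport in STREAMING_PORTS:
            hits.append((f, f"known streaming port {f.dport} ({STREAMING_PORTS[f.dport]})"))
        elif f.packets >= PACKET_THRESHOLD:
            hits.append((f, f"{f.packets} packets on one flow (persistent connection)"))
    return hits


def acl_lines(hits: list[tuple[Flow, str]], acl_number: int = 101) -> list[str]:
    """Build IOS extended-ACL deny entries for the flagged server IPs.

    The entries use standard IOS syntax; the ACL number and where the list is
    applied are assumptions, and the list still needs the site's own permit
    entries after these denies (an ACL ends in an implicit deny).
    """
    servers = sorted({f.dst for f, _ in hits})
    return [f"access-list {acl_number} deny ip any host {ip}" for ip in servers]


if __name__ == "__main__":
    flagged = suspect_streams(parse_cache_flow(SAMPLE_CACHE_FLOW))
    for flow, why in flagged:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {why}")
    print("\n".join(acl_lines(flagged)))
```

On the constructed sample the script flags three of five flows: one over port 80 purely on its packet count, one on RTSP 554, and one UDP flow on PNA 7070, while an ordinary web fetch and an SMTP session pass. Blocking by destination IP only stops the servers already observed, which is why the answer pairs it with a written policy; the alternative it mentions (deny outbound ports above 1024, then reopen what the business needs) catches players on non-default ports but not those tunnelling over port 80.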
 
schreib (Author) Commented:
Thanks Kris!

That is the direction I will pursue.

Herb
0
 
yachtingpromotions Commented:
Thanks Kris, worked like a charm, wish I could post the pictures of their faces lol.
0