Solved

Block Streaming Media with PIX or Cisco Access List

Posted on 2002-05-02
7
2,749 Views
Last Modified: 2013-11-16
Greetings fellow Experts:

I am running a military network with limited internet bandwidth.  One of the main activities which is wasting available bandwidth is the use of streaming media such as RealAudio, etc.  Does anyone know how to block access to streaming audio by use of a Cisco Pix Firewall or a Cisco Access-List?  Similarly, is it possible to block or limit access to services like Napster or its latest hybrids?  Any information would be greatly appreciated.

Regards,

Herb
0
Comment
Question by:schreib
7 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6987054
You have to know what specific ports to deny on an application-by-application basis.  The following shows the ports that are required for RA.  You would need similar info for each application.

http://service.real.com/firewall/adminfw.html
0
 

Author Comment

by:schreib
ID: 6987809
I believe that the problem is that RealAudio and other streaming media purposefully try to circumvent firewalls (in order to increase potential viewership).  In doing so, they use other common ports such as 80, making blocking much more difficult.  It may require stateful packet inspection or some filtering at a layer above the network layer to succeed.

Herb
0
 

Expert Comment

by:arvi_sam
ID: 7004624
Hi,
Can you elaborate on your arrangement a bit more? Are you using PIX? In that case, do you have a DMZ or simply 2 zones on your PIX? Do you have any conduits / acls on the PIX at present?

Also, do you want to prevent RealAudio content from being accessed from within, or do you wish to prevent RealAudio being served out? Lastly, are you talking about just streaming content (using the RTSP protocol) or also about RA / RM files which can be fetched over HTTP?

Please provide more details; then maybe we can work out something.

Regards,

Arvind Shyamsundar
Brainbench MVP for Internet Security.
0

Author Comment

by:schreib
ID: 7005089
Hi Arvi:

We have a simple configuration with an inside and outside (connected to internet) network.  We need to prevent users on the inside from utilizing streaming media from the internet for bandwidth conservation reasons.  The challenge is that we are talking about streaming content that often / usually tunnels by way of http (port 80).

Herb
0
 
LVL 9

Accepted Solution

by:
TooKoolKris earned 200 total points
ID: 7014575
The problem with programs such as Napster is that they allow the user to define what port to communicate on. Napster by default uses TCP port 6969; however, it can be changed to any other by choice.

As has been mentioned, streaming media can make use of port 80, which you would need to keep open for Internet usage. However, these streaming connections do keep a consistent TCP connection open, and if you query your router you can find the IPs of the streaming servers and then block those connections by IP.

Use the command "show ip cache flow" or "sh ip ca fl" on your Cisco router and you will see a connection list by IP of which machines on your side are making connections and to which IPs they are talking. You should be able to recognize streamers by their high packet amounts because it's a constant connection. You then do an NSLOOKUP on that IP and you will hopefully be able to determine that the user is streaming audio. I love it when I catch them red-handed that way; the looks on their faces are priceless.

You need the backing of Management to enforce a policy that prohibits this type of Internet usage. Once you get this and catch a couple of people so they can be made an example of, this problem slows greatly ;)

Trying to block all of the ports is going to be a useless cause. You need to either close all outbound ports over 1024 and then figure out the ones needed for business to open back up, or get management involved with policing the people on the network.

Hope this helps,

TooKoolKris
MCSE+I, CCNA, A+
0
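The accepted answer's approach (read `show ip cache flow`, spot long-lived high-packet TCP flows, then deny the remote server by IP on the PIX) as an added example; this is not code from the thread. The cache-flow lines are constructed in the IOS layout (protocol and ports in hex), the packet threshold and the ACL name `inside_out` are assumptions, and the NSLOOKUP step is left to the operator.

```python
"""Parse constructed `show ip cache flow` output, flag high-packet TCP flows,
and emit PIX 6.x style access-list lines that deny the remote server by IP."""
import re

# Constructed sample in the IOS `show ip cache flow` layout (Pr, SrcP, DstP are hex).
# 0x0050 = 80 (HTTP-tunnelled stream), 0x1B39 = 6969 (Napster's default port).
SAMPLE_CACHE_FLOW = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         10.1.1.25       Et0/1         203.0.113.10    06 0C0A 0050  48213
Et0/0         10.1.1.31       Et0/1         198.51.100.7    06 0C11 0050  37
Et0/0         10.1.1.25       Et0/1         198.51.100.20   11 0DF2 0035  2
Et0/0         10.1.1.40       Et0/1         203.0.113.55    06 0E10 1B39  15877
"""

ROW = re.compile(r"^\S+\s+(\S+)\s+\S+\s+(\S+)\s+([0-9A-Fa-f]{2})\s+"
                 r"([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\d+)\s*$")


def parse_cache_flow(text):
    """Return one dict per flow row; header and unrelated lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, dst, proto, sport, dport, pkts = m.groups()
        flows.append({"src": src, "dst": dst, "proto": int(proto, 16),
                      "sport": int(sport, 16), "dport": int(dport, 16),
                      "pkts": int(pkts)})
    return flows


def suspected_streams(flows, min_pkts=10000):
    """TCP flows with unusually many packets stand out, whatever port they use."""
    return [f for f in flows if f["proto"] == 6 and f["pkts"] >= min_pkts]


def pix_deny_lines(flows, acl_name="inside_out"):
    """One deny entry per remote server IP, then permit the rest and apply inbound on 'inside'."""
    lines = [f"access-list {acl_name} deny tcp any host {dst}"
             for dst in sorted({f["dst"] for f in flows})]
    lines.append(f"access-list {acl_name} permit ip any any")
    lines.append(f"access-group {acl_name} in interface inside")
    return lines


if __name__ == "__main__":
    hot = suspected_streams(parse_cache_flow(SAMPLE_CACHE_FLOW))
    for f in hot:  # candidates to NSLOOKUP before blocking
        print(f"{f['src']} -> {f['dst']}:{f['dport']} pkts={f['pkts']}")
    print("\n".join(pix_deny_lines(hot)))
```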
 

Author Comment

by:schreib
ID: 7015500
Thanks Kris!

That is the direction I will pursue.

Herb
0
 

Expert Comment

by:yachtingpromotions
ID: 30035113
Thanks Kris, worked like a charm, wish I could post the pictures of their faces lol.
0
