How to block IM, P2P applications, Google Earth, multimedia contents from PIX 525 ver 7.0(6)

Posted on 2006-11-17
Last Modified: 2013-11-16
Hi Experts

I am really worried about the bandwidth usage by P2P applications. I need to block all P2P applications, messengers, YouTube, Metacafe, and proxy software from my PIX 525 ver 7.0(6). I need the way to block them, either by access-list or by any other available means. We don't have Websense or Blue Coat to block these things. I know I cannot achieve 100%, but to a certain extent I want to block these applications. Also, is there any way to block certain web sites? Please let me know.
Question by:alkhaleej

Author Comment

ID: 17970960
Well, I know this stafi, I need to know any access-list or other things.
LVL 34

Accepted Solution

PsiCop earned 168 total points
ID: 17971671
stafi's given you somewhere to start, but I suggest you keep this truism about the Internet in mind as you make your plans: The Internet views censorship as a fault, and routes around it.

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
ID: 17973472
P2P software is able to bypass Websense and Blue Coat, as well as most firewalls. Take the white-list approach: block all except what you know you want to allow your users to access. But it's often better to use a softer touch, monitoring users and having them reprimanded, pay docked etc... HR should be informed of the violation, and HR and/or the person's manager should serve the warning and/or punishment. If you do not have acceptable use and other such policies in place, please have a look at this page; they are very good policies and users should have a place to find them after they have read/signed them:

If you take away admin rights from users, they can't install software like P2P clients, but if they are smart, they know they don't have to be installed, but can just run from a floppy, CD or USB drive. 99% of users don't know that though.
We monitor our users with Snort to detect P2P, and have custom sigs for sites we don't want users to use. Snort sends an email immediately to the IT department as well as HR. Users have gotten quite clever at avoiding detection because they banded together so that they could try different techniques and not get their pay docked. Each person would have their first offense, which led to a warning, and they'd designate the next person to go and try what they thought might work. I even answered their question here on EE that helped them understand how they were blocked and what they could do. They didn't communicate via the network or phone; they would meet out at lunch to see if they could do this or that. I found out how committed they were to bypassing the monitoring and restrictions through a friend, a waiter at a restaurant they met at; he overheard them cursing me basically and saw the laptop bag with our company logo and gave me a call. We then threw Ntop on the network to measure their bandwidth broken down by protocol, and found that they were Terminal Servicing to their home machines or using GoToMyPC type services to remote control other PCs, and then simply copying the files from those remote PCs to their desktops, more specifically their USB drives.
We had our users blocked with Websense, forced through a proxy (Websense), Snort IDS, no admin rights and Cacti BW monitoring. Once we put Ntop in place, we found all the RDP traffic (moved to port 443), matched those IPs to the IPs they signed in to the VPN with, and we fired 2 out of the 6 conspirators.

We tried to block IMs at work too, but users kept finding sites like AIM Express, Meebo, IloveIM, JWChat; the list goes on and on... Users are aware finally that we can log just about every site they visit, and we do log every IP they visit. One user created a tunnel to his home machine, but we created a Snort rule to detect unapproved encrypted tunnels that are not on port 443. Again, don't forget those policies! (win32 port here:

Expert Comment

ID: 17976518
I think Rich's post is rather thorough. (and quite a good story!)

Maybe I'm a little young in corporate IT, but I do think it's tougher to "block everything" than to build a rapport with your employees through good communication and clear policy.  As Rich mentioned, there are lots of ways to get around whatever barriers you put in place, so it's best to create a usable path of least resistance.

With monitoring tools such as Snort and Ntop, you'll eventually be able to identify nearly everything your users are doing... if you have the time.  Restricting outbound connections except through a proxy is really the easiest way to secure a network from P2P activity.  The Cisco document linked first basically outlines restricting *some* outbound connections that are likely to be P2P traffic.

Though I haven't had to mess with this in a production environment myself, you could probably implement a reasonable number of restrictions by just using a (free) Squid proxy and its ACLs (  Commercial software will probably make this part a lot easier to set up though.

It's a tough call.  I know I work more hours than are required of me, and if I'm at the office late I'm glad I have the ability to tune into an Internet radio station from time to time or sign onto public messaging systems through a *monitored proxy*.  (As for P2P apps, I'm glad there is blocking in place -- that could be a liability otherwise.)  Just as fortunately, my company provides easy to use internal communication tools that are secure, so its employees are less inclined to resort to public (insecure) channels.  I would make sure your employees know why you take the security measures you need to take, and let them know how they can help alleviate the bandwidth problem.

Good luck!

Expert Comment

ID: 17990390
For a lot of these things you can create a hash rule (I'm assuming that you are in a Windows environment) that will stop the program from ever executing. If you're not sure how to create a hash rule, just use the help menus on your domain controller. The only thing you'll need are the executables of the programs you want to block. You could also do a software restriction policy, but the hash rule will be more difficult to circumvent.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17990803
Renaming an exe can get around a software restriction policy, and adding 1 character to the beginning and end of a file can "defeat" a hash rule. They are also most likely admins and can do other things to thwart GPs.
And even if they aren't admins, there are these:
But you should do all you can, and hash and software restriction policies are a good place to start against casual users.

Assisted Solution

nhon earned 166 total points
ID: 18000796
The first thing you have to know is what ports P2P, messengers, proxies, ... run on. You can block the port if you know it, or you can block an IP range, but you cannot block at the application layer (for example a multimedia session). The good approach is to block all ports and only open some ports (80, 25, 443, 110).
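The "block everything, open only a few ports" approach nhon describes (and the white-list approach Rich suggests above) looks like this in PIX 7.x access-list syntax. This is an added example, not configuration from anyone in the thread; the inside LAN 192.168.1.0/24 and the upstream DNS resolver 203.0.113.53 are assumed placeholder values.

```cisco
! Added example: outbound white-list ACL for a PIX 7.x, applied inbound on "inside".
! Assumed values: inside LAN 192.168.1.0/24, ISP DNS resolver 203.0.113.53 (placeholders).
! Binding an ACL to the inside interface replaces the PIX default of allowing all
! traffic from the higher-security interface, so anything not permitted below is dropped.
object-group service ALLOWED-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 25
 port-object eq 110
access-list OUTBOUND extended permit tcp 192.168.1.0 255.255.255.0 any object-group ALLOWED-TCP
! Clients still need name resolution; allow UDP/53 only to the resolver you trust.
access-list OUTBOUND extended permit udp 192.168.1.0 255.255.255.0 host 203.0.113.53 eq 53
! Explicit deny with logging: the syslog entries show which inside hosts keep
! trying non-listed ports, which is where P2P clients and proxy tools surface.
access-list OUTBOUND extended deny ip any any log
access-group OUTBOUND in interface inside
```

Port 443 remains open, so SSL-based tunnels and the RDP-on-443 trick Rich describes still pass this ACL; pair it with the Snort/Ntop monitoring discussed above rather than relying on the port list alone. Limiting port 25 to your mail server's address instead of "any" would also stop internal hosts from sending mail directly.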
