How to block IM, P2P applications, Google Earth, multimedia contents from PIX 525 ver 7.0(6)

Posted on 2006-11-17
Last Modified: 2013-11-16
Hi Experts

I am really worried about the bandwidth usage by P2P applications. I need to block all P2P applications, messengers, YouTube, Metacafe, and proxy software from my PIX 525 ver 7.0(6). I need the way to block them, either by access-list or by any other available means. We don't have Websense or Blue Coat to block these things. I know I cannot achieve 100%, but to a certain extent I want to block these applications. Also, is there any way to block certain web sites? Please let me know.
Question by:alkhaleej
LVL 10

Expert Comment

ID: 17970806

Author Comment

ID: 17970960
Well, I know this, stafi; I need to know any access-list or other things.
LVL 34

Accepted Solution

PsiCop earned 168 total points
ID: 17971671
stafi's given you somewhere to start, but I suggest you keep this truism about the Internet in mind as you make your plans: The Internet views censorship as a fault, and routes around it.

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
ID: 17973472
P2P software is able to bypass Websense and Blue Coat, as well as most firewalls. Take the white-list approach: block all except what you know you want to allow your users to access. But it's often better to use a softer touch, monitoring users and having them reprimanded, pay docked, etc. HR should be informed of the violation, and HR and/or the person's manager should serve the warning and/or punishment. If you do not have acceptable use and other such policies in place, please have a look at this page; they are very good policies, and users should have a place to find them after they have read/signed them:

If you take away admin rights from users, they can't install software like P2P clients, but if they are smart, they know they don't have to be installed, but can just be on a floppy, CD or USB drive. 99% of users don't know that though.
We monitor our users with Snort to detect P2P, and have custom sigs for sites we don't want users to use. Snort sends an email immediately to the IT department as well as HR. Users have gotten quite clever at avoiding detection because they banded together so that they could try different techniques and not get their pay docked. Each person would have their first offense, which led to a warning, and they'd designate the next person to go and try what they thought might work. I even answered their question here on EE that helped them understand how they were blocked and what they could do. They didn't communicate via the network or phone; they would meet out at lunch to see if they could do this or that. I found out how committed they were to bypassing the monitoring and restrictions through a friend, a waiter at a restaurant they met at; he overheard them cursing me basically and saw the laptop bag with our company logo and gave me a call. We then threw Ntop on the network to measure their bandwidth broken down by protocol, and found that they were Terminal Servicing to their home machines or using GoToMyPC-type services to remote control other PCs, and then simply copying the files from those remote PCs to their desktops, more specifically their USB drives.
We had our users blocked with Websense, forced through a proxy (Websense), Snort IDS, no admin rights and Cacti bandwidth monitoring. Once we put Ntop in place, we found all the RDP traffic (moved to port 443), matched those IPs to the IPs they signed in to the VPN with, and we fired 2 out of the 6 conspirators.

We tried to block IMs at work too, but users kept finding sites like AIM Express, Meebo, IloveIM, JWChat; the list goes on and on... Users are finally aware that we can log just about every site they visit, and we do log every IP they visit. One user created a tunnel to his home machine, but we created a Snort rule to detect unapproved encrypted tunnels that are not on port 443. Again, don't forget those policies! (win32 port here:

Expert Comment

ID: 17976518
I think Rich's post is rather thorough. (and quite a good story!)

Maybe I'm a little young in corporate IT, but I do think it's tougher to "block everything" than to build a rapport with your employees through good communication and clear policy.  As Rich mentioned, there are lots of ways to get around whatever barriers you put in place, so it's best to create a usable path of least resistance.

With monitoring tools such as Snort and Ntop, you'll eventually be able to identify nearly everything your users are doing... if you have the time.  Restricting outbound connections except through a proxy is really the easiest way to secure a network from P2P activity.  The Cisco document linked first basically outlines restricting *some* outbound connections that are likely to be P2P traffic.

Though I haven't had to mess with this in a production environment myself, you could probably implement a reasonable number of restrictions by just using a (free) Squid proxy and its ACLs ( Commercial software will probably make this part a lot easier to set up though.

It's a tough call.  I know I work more hours than are required of me, and if I'm at the office late I'm glad I have the ability to tune into an Internet radio station from time to time or sign onto public messaging systems through a *monitored proxy*.  (As for P2P apps, I'm glad there is blocking in place -- that could be a liability otherwise.)  Just as fortunately, my company provides easy to use internal communication tools that are secure, so its employees are less inclined to resort to public (insecure) channels.  I would make sure your employees know why you take the security measures you need to take, and let them know how they can help alleviate the bandwidth problem.

Good luck!

Expert Comment

ID: 17990390
For a lot of these things you can create a hash rule (I'm assuming that you are in a Windows environment) that will stop the program from ever executing. If you're not sure how to create a hash rule, just use the help menus on your domain controller. The only things you'll need are the executables of the programs you want to block. You could also do a software restriction policy, but the hash rule will be more difficult to circumvent.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17990803
Renaming an exe can get around a software restriction policy, and adding 1 character to the beginning and end of a file can "defeat" a hash rule. They are also most likely admins and can do other things to thwart GPs.
And even if they aren't admins, there are these:
But you should do all you can, and hash and software restriction policies are a good place to start against casual users.

Assisted Solution

nhon earned 166 total points
ID: 18000796
The first thing you have to know is what port P2P, messengers, proxies, ... run on. You can block the port if you know it, or block an IP range, but you cannot block at the application layer (for example a multimedia session). The best approach is to block all ports and only open some ports (80, 25, 443, 110).
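As an added example (not posted by anyone in this thread), here is what the "block everything, open only a few ports" approach from nhon's and Rich's answers looks like as a PIX 7.0 outbound access-list, with the asker's "block a certain web site" handled as an address-based deny placed ahead of the permits. The interface name `inside`, the inside subnet 192.168.1.0/24, the mail server 192.168.1.10 and the blocked site address 203.0.113.50 are constructed placeholders; substitute your own.

```cisco
! Added example, not from the original thread. Addresses are placeholders.

! Block one specific web site by address. PIX 7.0(6) has no URL filtering
! without a Websense/N2H2 server, so an ACL can only match the site's IP;
! a site hosted behind a CDN or several addresses needs one entry per address.
access-list INSIDE_OUT extended deny tcp 192.168.1.0 255.255.255.0 host 203.0.113.50 eq www log

! Permit only the services the business needs (the 80/443/110 from nhon's post).
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3

! Port 25 only from the mail server: a desktop opening SMTP outbound is
! usually malware or a tunnel, not a user sending mail.
access-list INSIDE_OUT extended permit tcp host 192.168.1.10 any eq smtp

! DNS must stay open or the permitted services stop working.
access-list INSIDE_OUT extended permit udp 192.168.1.0 255.255.255.0 any eq domain

! Everything else (P2P, IM, proxies on odd ports, home-grown tunnels) is
! dropped and logged, so the log shows which hosts keep trying.
access-list INSIDE_OUT extended deny ip any any log

! Apply to traffic entering the firewall from the inside network.
access-group INSIDE_OUT in interface inside
```

After applying it, `show access-list INSIDE_OUT` shows hit counts per line; a steadily climbing count on the final deny line, or on the site deny, tells you which hosts to look at with the Snort/Ntop monitoring Rich describes. The caveat from the same answers still applies: clients that fall back to 80 or 443 pass this ACL, which is why the proxy-only outbound design is the stronger option.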
