alkhaleej
asked on

How to block IM, P2P applications, Google Earth and multimedia content from PIX 525 ver 7.0(6)

Hi Experts

I am really worried about the bandwidth usage by P2P applications. I need to block all P2P applications, messengers, YouTube, Metacafe and proxy software from my PIX 525 ver 7.06. I need a way to block them, either by access-list or by any other available means. We don't have Websense or Blue Coat to block these things. I know I cannot achieve 100%, but to a certain extent I want to block these applications. Also, is there any way to block certain web sites? Please let me know.
stafi
alkhaleej

ASKER

Well, I know this, stafi. I need to know any access-list or other things.
ASKER CERTIFIED SOLUTION
PsiCop
SOLUTION
I think Rich's post is rather thorough. (and quite a good story!)

Maybe I'm a little young in corporate IT, but I do think it's tougher to "block everything" than to build a rapport with your employees through good communication and clear policy.  As Rich mentioned, there are lots of ways to get around whatever barriers you put in place, so it's best to create a usable path of least resistance.

With monitoring tools such as Snort and Ntop, you'll eventually be able to identify nearly everything your users are doing... if you have the time.  Restricting outbound connections except through a proxy is really the easiest way to secure a network from P2P activity.  The Cisco document linked first basically outlines restricting *some* outbound connections that are likely to be P2P traffic.

Though I haven't had to mess with this in a production environment myself, you could probably implement a reasonable number of restrictions by just using a (free) Squid proxy and its ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).  Commercial software will probably make this part a lot easier to set up though.

It's a tough call.  I know I work more hours than are required of me, and if I'm at the office late I'm glad I have the ability to tune into an Internet radio station from time to time or sign onto public messaging systems through a *monitored proxy*.  (As for P2P apps, I'm glad there is blocking in place -- that could be a liability otherwise.)  Just as fortunately, my company provides easy-to-use internal communication tools that are secure, so its employees are less inclined to resort to public (insecure) channels.  I would make sure your employees know why you take the security measures you need to take, and let them know how they can help alleviate the bandwidth problem.

Good luck!
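As an added illustration of the "outbound only through a monitored proxy" approach discussed above (this is not configuration from the thread or from Cisco's document), the following PIX 7.x egress policy lets only the proxy and the internal DNS server reach the Internet and logs everything else. The inside network 192.168.1.0/24, the proxy at 192.168.1.10 and the DNS server at 192.168.1.2 are assumed placeholder values.

```cisco
! Assumed addresses: adjust to your own inside network, proxy and DNS server
object-group network PROXY
 network-object host 192.168.1.10
object-group network DNS_SERVER
 network-object host 192.168.1.2
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https

! Only the proxy may open HTTP/HTTPS sessions to the outside
access-list INSIDE_OUT remark Proxy is the single egress point for web traffic
access-list INSIDE_OUT extended permit tcp object-group PROXY any object-group WEB_PORTS

! Only the internal resolver may talk DNS to the outside
access-list INSIDE_OUT remark Internal DNS server forwards queries; clients cannot resolve directly
access-list INSIDE_OUT extended permit udp object-group DNS_SERVER any eq domain

! Everything else from the inside is dropped and logged, so hosts still
! trying to reach P2P or IM networks directly show up in the syslog
access-list INSIDE_OUT extended deny ip any any log

access-group INSIDE_OUT in interface inside
```

Site-level blocking (YouTube, Metacafe and so on) then belongs on the proxy, which is where the Squid ACLs mentioned above come in; the PIX only guarantees that no client bypasses it.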
For a lot of these things you can create a hash rule (I'm assuming that you are in a Windows environment) that will stop the program from ever executing.  If you're not sure how to create a hash rule, just use the help menus on your domain controller.  The only things you'll need are the executables of the programs you want to block.  You could also do a software restriction policy, but the hash rule will be more difficult to circumvent.
Renaming an exe can get around a software restriction policy, and adding 1 character to the beginning and end of a file can "defeat" a hash rule. They are also most likely admins and can do other things to thwart GPs.
And even if they aren't admins, there are these:
http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx
http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx
But you should do all you can, and hash and software restriction policies are a good place to start against casual users.
-rich
SOLUTION