How to block IM, P2P applications, Google Earth, multimedia content from PIX 525 ver 7.0(6)

Hi Experts

I am really worried about the bandwidth usage by P2P applications. I need to block all P2P applications, messengers, YouTube, Metacafe, proxy software from my PIX 525 ver 7.06. I need the way to block them, either by access-list or by any other available means. We don't have Websense or Blue Coat to block these things. I know I cannot achieve 100%, but to a certain extent I want to block these applications. Also, is there any way to block certain web sites? Please let me know.
alkhaleej Asked:
 
PsiCop Commented:
stafi's given you somewhere to start, but I suggest you keep this truism about the Internet in mind as you make your plans: The Internet views censorship as a fault, and routes around it.
0
 
alkhaleej Author Commented:
Well, I know this stafi, I need to know any access-list or other things.
0

 
Rich Rumble Security Samurai Commented:
P2P software is able to bypass Websense and Blue Coat, as well as most firewalls. Take the white-list approach: block all except what you know you want to allow your users to access. But it's often better to use a softer touch, monitoring users and having them reprimanded, pay docked etc... HR should be informed of the violation, and HR and/or the person's manager should serve the warning and/or punishment. If you do not have acceptable use and other such policies in place, please have a look at this page; they are very good policies, and users should have a place to find them after they have read/signed them: http://www.sans.org/resources/policies/

If you take away admin rights from users, they can't install software like P2P apps, but if they are smart, they know they don't have to be installed, just on a floppy, CD or USB drive. 99% of users don't know that though.
We monitor our users with Snort to detect P2P, and have custom sigs for sites we don't want users to use. Snort sends an email immediately to the IT department as well as HR. Users have gotten quite clever at avoiding detection because they banded together so that they could try different techniques and not get their pay docked. Each person would have their first offense, which led to a warning, and they'd designate the next person to go and try what they thought might work. I even answered their question here on EE that helped them understand how they were blocked and what they could do. They didn't communicate via the network or phone; they would meet at lunch to see if they could do this or that. I found out how committed they were to bypassing the monitoring and restrictions through a friend, a waiter at a restaurant they met at. He overheard them cursing me basically, saw the laptop bag with our company logo and gave me a call. We then threw Ntop on the network to measure their bandwidth broken down by protocol, and found that they were Terminal Servicing to their home machines or using GoToMyPC type services to remote control other PCs, and then simply copying the files from those remote PCs to their desktops, more specifically their USB drives.
We had our users blocked with Websense, forced through a proxy (Websense), Snort IDS, no admin rights and Cacti BW monitoring. Once we put Ntop in place, we found all the RDP traffic (moved to port 443), matched those IPs to the IPs they signed into the VPN with, and we fired 2 out of the 6 conspirators.

We tried to block IMs at work too, but users kept finding sites like AIM Express, Meebo, IloveIM, JWchat; the list goes on and on... Users are finally aware that we can log just about every site they visit, and we do log every IP they visit. One user created a tunnel to his home machine, but we created a Snort rule to detect unapproved encrypted tunnels that are not on port 443. Again, don't forget those policies!
http://www.snort.org/
http://www.ntop.org/overview.html (win32 port here: http://www.openxtra.co.uk/freestuff/ntop-xtra.php)
http://cacti.net/
-rich
0
 
LindyMoff Commented:
I think Rich's post is rather thorough. (and quite a good story!)

Maybe I'm a little young in corporate IT, but I do think it's tougher to "block everything" than to build a rapport with your employees through good communication and clear policy.  As Rich mentioned, there are lots of ways to get around whatever barriers you put in place, so it's best to create a usable path of least resistance.

With monitoring tools such as Snort and Ntop, you'll eventually be able to identify nearly everything your users are doing... if you have the time.  Restricting outbound connections except through a proxy is really the easiest way to secure a network from P2P activity.  The Cisco document linked first basically outlines restricting *some* outbound connections that are likely to be P2P traffic.

Though I haven't had to mess with this in a production environment myself, you could probably implement a reasonable number of restrictions by just using a (free) Squid proxy and its ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).  Commercial software will probably make this part a lot easier to set up though.

It's a tough call.  I know I work more hours than are required of me, and if I'm at the office late I'm glad I have the ability to tune into an Internet radio station from time to time or sign onto public messaging systems through a *monitored proxy*.  (As for P2P apps, I'm glad there is blocking in place -- that could be a liability otherwise.)  Just as fortunately, my company provides easy-to-use internal communication tools that are secure, so its employees are less inclined to resort to public (insecure) channels.  I would make sure your employees know why you take the security measures you need to take, and let them know how they can help alleviate the bandwidth problem.

Good luck!
0
 
pncorp Commented:
For a lot of these things you can create a hash rule (I'm assuming that you are in a Windows environment) that will stop the program from ever executing. If you're not sure how to create a hash rule, just use the help menus on your domain controller. The only thing you'll need are the executables of the programs you want to block. You could also do a software restriction policy, but the hash rule will be more difficult to circumvent.
0
 
Rich Rumble Security Samurai Commented:
Renaming an exe can get around a software restriction policy, and adding 1 character to the beginning and end of a file can "defeat" a hash rule. They are also most likely admins and can do other things to thwart GPs.
And even if they aren't admins, there are these:
http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx
http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx
But you should do all you can, and hash and software restriction policies are a good place to start against casual users.
-rich
0
 
nhon Commented:
The first thing you have to know is what ports P2P, messaging, proxy, ... run on. You can block a port if you know it, or you can block an IP range, but you cannot block at the application layer (for example, a multimedia session). The best thing to do is block all ports and only open some ports (80, 25, 443, 110).
0
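The "block all ports and open only a few" approach nhon describes, written out as a PIX 7.x outbound access-list. This is an added example, not config from nhon, the asker or Cisco; the interface name, the 10.0.0.0/24 inside network, the mail relay 10.0.0.25 and the internal DNS resolver 10.0.0.53 are constructed values, and port 25 is restricted to the mail relay and port 53 to the resolver as an assumed refinement of the answer's port list.

```text
! Added example (not from the thread): default-deny outbound policy on a PIX 7.x
! in the style nhon describes. All addresses and names below are constructed.
! Inside LAN: 10.0.0.0/24   Mail relay: 10.0.0.25   Internal DNS resolver: 10.0.0.53

! TCP ports workstations may reach directly (from the port list in the answer)
object-group service WS_TCP_PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq pop3

! Workstations: only the listed TCP ports, nothing else
access-list OUTBOUND extended permit tcp 10.0.0.0 255.255.255.0 any object-group WS_TCP_PORTS
! Only the mail relay may send SMTP out; a workstation talking on 25 is a bot or a leak
access-list OUTBOUND extended permit tcp host 10.0.0.25 any eq smtp
! Only the internal resolver may query outside DNS (clients must use it)
access-list OUTBOUND extended permit udp host 10.0.0.53 any eq domain
access-list OUTBOUND extended permit tcp host 10.0.0.53 any eq domain
! Everything else is dropped and logged (syslog message 106100, one per flow)
access-list OUTBOUND extended deny ip any any log

! Applying the list inbound on the inside interface replaces the default
! "permit everything from a higher security level" behaviour
access-group OUTBOUND in interface inside

! Make the deny log lines visible in the buffer
logging enable
logging buffered informational

! Verification (exec mode):
! show access-list OUTBOUND       <- per-line hit counts; the deny line shows what got blocked
! show logging | include 106100   <- which inside host tried which port, and when
```

The deny line's hit counter and the 106100 log lines are what tell you which P2P or IM clients are actually being stopped and from which hosts, so check them before and after enabling the policy. Anything that still fits through port 443 (tunnels, RDP moved to 443, web-based IM) is exactly what this list cannot see, which is why the thread pairs it with Snort and Ntop; if a proxy such as Squid is in use, replace the workstation permit line with one that allows only the proxy host out on 80 and 443.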