

How to block IM, P2P applications, Google Earth, multimedia contents from PIX 525 ver 7.0(6)

Posted on 2006-11-17
Medium Priority
Last Modified: 2013-11-16
Hi Experts

I am really worried about the bandwidth usage by P2P applications. I need to block all P2P applications, messengers, YouTube, Metacafe and proxy software from my PIX 525 ver 7.0(6). I need a way to block them, either by access-list or by any other available means. We don't have Websense or Blue Coat to block these things. I know I cannot achieve 100%, but to a certain extent I want to block these applications. Also, is there any way to block certain web sites? Please let me know.
Question by:alkhaleej

Author Comment

ID: 17970960
Well, I know this stafi, I need to know any access-list or other things.
LVL 34

Accepted Solution

PsiCop earned 672 total points
ID: 17971671
stafi's given you somewhere to start, but I suggest you keep this truism about the Internet in mind as you make your plans: The Internet views censorship as a fault, and routes around it.

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 664 total points
ID: 17973472
P2P software is able to bypass Websense and Blue Coat, as well as most firewalls. Take the white-list approach: block all except what you know you want to allow your users to access. But it's often better to use a softer touch, monitoring users and having them reprimanded, pay docked, etc... HR should be informed of the violation, and HR and/or the person's manager should serve the warning and/or punishment. If you do not have acceptable use and other such policies in place, please have a look at this page; they are very good policies, and users should have a place to find them after they have read/signed them: http://www.sans.org/resources/policies/

If you take away admin rights from users, they can't install software like P2P clients, but if they are smart, they know they don't have to be installed, just run from a floppy, CD or USB drive. 99% of users don't know that though.
We monitor our users with Snort to detect P2P, and have custom sigs for sites we don't want users to use. Snort sends an email immediately to the IT department as well as HR. Users have gotten quite clever at avoiding detection because they banded together so that they could try different techniques and not get their pay docked. Each person would have their first offense, which led to a warning, and they'd designate the next person to go and try what they thought might work. I even answered their question here on EE that helped them understand how they were blocked and what they could do. They didn't communicate via the network or phone; they would meet out at lunch to see if they could do this or that. I found out how committed they were to bypassing the monitoring and restrictions through a friend, a waiter at a restaurant they met at; he overheard them cursing me basically and saw the laptop bag with our company logo and gave me a call. We then threw Ntop on the network to measure their bandwidth broken down by protocol, and found that they were Terminal Servicing to their home machines or using GoToMyPC type services to remote control other PCs, and then simply copying the files from those remote PCs to their desktops, more specifically their USB drives.
We had our users blocked with Websense, forced through a proxy (Websense), Snort IDS, no admin rights and Cacti BW monitoring. Once we put Ntop in place, we found all the RDP traffic (moved to port 443), matched those IPs to the IPs they signed in to the VPN with, and we fired 2 out of the 6 conspirators.

We tried to block IMs at work too, but users kept finding sites like AIM Express, Meebo, IloveIM, JWchat; the list goes on and on... Users are finally aware that we can log just about every site they visit, and we do log every IP they visit. One user created a tunnel to his home machine, but we created a Snort rule to detect unapproved encrypted tunnels that are not on port 443. Again, don't forget those policies!
http://www.ntop.org/overview.html (win32 port here: http://www.openxtra.co.uk/freestuff/ntop-xtra.php)

Expert Comment

ID: 17976518
I think Rich's post is rather thorough. (and quite a good story!)

Maybe I'm a little young in corporate IT, but I do think it's tougher to "block everything" than to build a rapport with your employees through good communication and clear policy.  As Rich mentioned, there are lots of ways to get around whatever barriers you put in place, so it's best to create a usable path of least resistance.

With monitoring tools such as Snort and Ntop, you'll eventually be able to identify nearly everything your users are doing... if you have the time.  Restricting outbound connections except through a proxy is really the easiest way to secure a network from P2P activity.  The Cisco document linked first basically outlines restricting *some* outbound connections that are likely to be P2P traffic.

Though I haven't had to mess with this in a production environment myself, you could probably implement a reasonable number of restrictions by just using a (free) Squid proxy and its ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).  Commercial software will probably make this part a lot easier to set up though.

It's a tough call.  I know I work more hours than are required of me, and if I'm at the office late I'm glad I have the ability to tune into an Internet radio station from time to time or sign onto public messaging systems through a *monitored proxy*.  (As for P2P apps, I'm glad there is blocking in place -- that could be a liability otherwise.)  Just as fortunately, my company provides easy to use internal communication tools that are secure, so its employees are less inclined to resort to public (insecure) channels.  I would make sure your employees know why you take the security measures you need to take, and let them know how they can help alleviate the bandwidth problem.

Good luck!

Expert Comment

ID: 17990390
For a lot of these things you can create a hash rule (I'm assuming that you are in a Windows environment) that will stop the program from ever executing. If you're not sure how to create a hash rule, just use the help menus on your domain controller. The only thing you'll need are the executables of the programs you want to block. You could also do a software restriction policy, but the hash rule will be more difficult to circumvent.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17990803
Renaming an exe can get around a software restriction policy, and adding 1 character to the beginning and end of a file can "defeat" a hash rule. They are also most likely admins and can do other things to thwart GPs.
And even if they aren't admins, there are these: http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx
But you should do all you can, and hash and software restriction policies are a good place to start against casual users.

Assisted Solution

nhon earned 664 total points
ID: 18000796
The first thing you have to know is what port P2P, messengers, proxies, ... run on. You can block a port if you know it, or you can block an IP range, but you cannot block at the application layer (for example a multimedia session). The good approach is to block all ports and only open some ports (80, 25, 443, 110).
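One way to put the whitelist approach from this thread into a PIX 7.0 configuration, as an added example that is not from any of the posters: an outbound access-list that permits only the ports nhon lists (plus DNS), with an explicit logged deny for everything else, and the 7.0 `http-map` port-misuse checks that drop IM, P2P and tunnel signatures riding on port 80. The names (INSIDE_OUT, ALLOWED-TCP, HTTP-POLICY), the inside network 192.168.1.0/24, the mail server 192.168.1.10, the resolver 203.0.113.53 and the blocked site 198.51.100.20 are placeholders; substitute your own. Note that without a Websense/N2H2 url-server the PIX can only block a site by its IP address, not by hostname.

```cisco
! Added example (not from the thread): outbound whitelist on PIX 7.0(x).
! Placeholder addresses: inside net 192.168.1.0/24, mail server 192.168.1.10,
! upstream DNS resolver 203.0.113.53, blocked web site 198.51.100.20.
!
! Ports ordinary users may reach directly (80/443/110 from nhon's list;
! 25 is handled separately so only the mail server can send SMTP).
object-group service ALLOWED-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
!
! Per-site blocks go first: the PIX evaluates top-down, first match wins.
access-list INSIDE_OUT extended deny tcp 192.168.1.0 255.255.255.0 host 198.51.100.20 eq www log
! Only the mail server may open outbound SMTP.
access-list INSIDE_OUT extended permit tcp host 192.168.1.10 any eq smtp
! Everyone else on the inside net: whitelisted TCP ports only.
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any object-group ALLOWED-TCP
! DNS only to the known resolver, so clients cannot use arbitrary resolvers.
access-list INSIDE_OUT extended permit udp 192.168.1.0 255.255.255.0 host 203.0.113.53 eq domain
! Explicit deny with logging so blocked attempts show up in syslog.
access-list INSIDE_OUT extended deny ip any any log
!
access-group INSIDE_OUT in interface inside
!
! 7.0 HTTP inspection: drop IM/P2P/tunnel signatures that use port 80.
http-map HTTP-POLICY
 port-misuse im action drop log
 port-misuse p2p action drop log
 port-misuse tunneling action drop log
!
policy-map global_policy
 class inspection_default
  inspect http HTTP-POLICY
!
! Verify after applying:
!   show access-list INSIDE_OUT        (per-line hit counts)
!   show service-policy inspect http   (drops from the http-map)
```

The hit counters on the deny lines tell you which hosts keep trying blocked ports, which is the list to hand to HR under the policy approach Rich describes. Port 443 stays open, so anything that moves onto 443 (the RDP-on-443 case above, or HTTPS-based IM sites) passes this ACL and the http-map alone; that gap is what the Snort and Ntop monitoring in the earlier replies is for.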
