Solved

How to block IM, P2P applications, Google Earth and multimedia content from a PIX 525 ver 7.0(6)

Posted on 2006-11-17
Last Modified: 2013-11-16
Hi Experts

I am really worried about the bandwidth usage by P2P applications. I need to block all P2P applications, messengers, YouTube, Metacafe and proxy software from my PIX 525 ver 7.0(6). I need a way to block them, either by access-list or by any other available means. We don't have Websense or Blue Coat to block these things. I know I cannot achieve 100%, but to a certain extent I want to block these applications. Also, is there any way to block certain web sites? Please let me know.
Question by:alkhaleej
11 Comments

Expert Comment

by:stafi
ID: 17970806

Author Comment

by:alkhaleej
ID: 17970960
Well, I know this, stafi. I need to know of any access-list or other things.

Accepted Solution

by: PsiCop (earned 168 total points)
ID: 17971671
stafi's given you somewhere to start, but I suggest you keep this truism about the Internet in mind as you make your plans: The Internet views censorship as a fault, and routes around it.

Assisted Solution

by: Rich Rumble (earned 166 total points)
ID: 17973472
P2P software is able to bypass Websense and Blue Coat, as well as most firewalls. Take the white-list approach: block all except what you know you want to allow your users to access. But it's often better to use a softer touch, monitoring users and having them reprimanded, pay docked, etc. HR should be informed of the violation, and HR and/or the person's manager should serve the warning and/or punishment. If you do not have acceptable use and other such policies in place, please have a look at this page; they are very good policies, and users should have a place to find them after they have read/signed them: http://www.sans.org/resources/policies/

If you take away admin rights from users, they can't install software like P2P's, but if they are smart, they know they don't have to be installed, but just on a floppy, cd or USB drive. 99% of users don't know that though.
We monitor our users with Snort to detect P2P, and have custom sigs for sites we don't want users to use. Snort sends an email immediately to the IT department as well as HR. Users have gotten quite clever at avoiding detection because they banded together so that they could try different techniques and not get their pay docked. Each person would have their first offense, which led to a warning, and they'd designate the next person to go and try what they thought might work. I even answered their question here on EE that helped them understand how they were blocked and what they could do. They didn't communicate via the network or phone; they would meet out at lunch to see if they could do this or that. I found out how committed they were to bypassing the monitoring and restrictions through a friend, a waiter at a restaurant they met at; he overheard them cursing me basically, saw the laptop bag with our company logo, and gave me a call. We then threw Ntop on the network to measure their bandwidth broken down by protocol, and found that they were Terminal Servicing to their home machines or using GoToMyPC-type services to remote control other PCs, and then simply copying the files from those remote PCs to their desktops, more specifically their USB drives.
We had our users blocked with Websense, forced through a proxy (Websense), Snort IDS, no admin rights and Cacti BW monitoring. Once we put Ntop in place, we found all the RDP traffic (moved to port 443), matched those IPs to the IPs they signed in to the VPN with, and we fired 2 out of the 6 conspirators.

We tried to block IMs at work too, but users kept finding sites like AIM Express, Meebo, IloveIM, JWChat; the list goes on and on... Users are finally aware that we can log just about every site they visit, and we do log every IP they visit. One user created a tunnel to his home machine, but we created a Snort rule to detect unapproved encrypted tunnels that are not on port 443. Again, don't forget those policies!
http://www.snort.org/
http://www.ntop.org/overview.html (win32 port here: http://www.openxtra.co.uk/freestuff/ntop-xtra.php)
http://cacti.net/
-rich

Expert Comment

by:LindyMoff
ID: 17976518
I think Rich's post is rather thorough. (and quite a good story!)

Maybe I'm a little young in corporate IT, but I do think it's tougher to "block everything" than to build a rapport with your employees through good communication and clear policy.  As Rich mentioned, there are lots of ways to get around whatever barriers you put in place, so it's best to create a usable path of least resistance.

With monitoring tools such as Snort and Ntop, you'll eventually be able to identify nearly everything your users are doing... if you have the time.  Restricting outbound connections except through a proxy is really the easiest way to secure a network from P2P activity.  The Cisco document linked first basically outlines restricting *some* outbound connections that are likely to be P2P traffic.

Though I haven't had to mess with this in a production environment myself, you could probably implement a reasonable number of restrictions by just using a (free) Squid proxy and its ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).  Commercial software will probably make this part a lot easier to set up though.

It's a tough call.  I know I work more hours than are required of me, and if I'm at the office late I'm glad I have the ability to tune into an Internet radio station from time to time or sign onto public messaging systems through a *monitored proxy*.  (As for P2P apps, I'm glad there is blocking in place -- that could be a liability otherwise.)  Just as fortunately, my company provides easy to use internal communication tools that are secure, so its employees are less inclined to resort to public (insecure) channels.  I would make sure your employees know why you take the security measures you need to take, and let them know how they can help alleviate the bandwidth problem.

Good luck!

Expert Comment

by:pncorp
ID: 17990390
For a lot of these things you can create a hash rule (I'm assuming that you are in a Windows environment) that will stop the program from ever executing. If you're not sure how to create a hash rule, just use the help menus on your domain controller. The only thing you'll need are the executables of the programs you want to block. You could also do a software restriction policy, but the hash rule will be more difficult to circumvent.

Expert Comment

by:Rich Rumble
ID: 17990803
Renaming an exe can get around a software restriction policy, and adding 1 character to the beginning and end of a file can "defeat" a hash rule. They are also most likely admins and can do other things to thwart GPs.
And even if they aren't admins, there are these:
http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx
http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx
But you should do all you can, and hash and software restriction policies are a good place to start against casual users.
-rich
Assisted Solution

by: nhon (earned 166 total points)
ID: 18000796
The first thing you have to know is which ports P2P, messengers, proxies, etc. run on. You can block a port if you know it, or you can block an IP range, but you cannot block at the application layer (for example a multimedia session). The good approach is to block all ports and only open some ports (80, 25, 443, 110).
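Rich's white-list advice and nhon's "block all ports, open only 80/25/443/110" both come down to the same PIX configuration: an outbound access-list on the inside interface that permits the few services users need and denies everything else. The following is an added example, not configuration posted by anyone in this thread, written in PIX 7.0 syntax. It assumes an inside LAN of 192.168.1.0/24 behind an interface named "inside", an internal DNS server at 192.168.1.10 and a syslog host at 192.168.1.20; change those to match your network. The optional per-site deny uses the placeholder SITE_IP, since PIX access-lists match addresses, not hostnames.

```cisco
! Added example (not from the thread): outbound port white-list for a PIX 7.0(x).
! Assumed addresses: LAN 192.168.1.0/24 on interface "inside", internal DNS
! 192.168.1.10, syslog host 192.168.1.20. Replace them with your own values.

! TCP services users may reach directly on the Internet (nhon's 80/25/443/110 list).
object-group service ALLOWED-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3

! Access-lists are first-match, so any per-site deny must come before the
! general permit. SITE_IP is a placeholder for an address you resolve yourself.
access-list INSIDE_IN remark -- outbound white-list for the inside LAN --
! access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host SITE_IP eq www
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 host 192.168.1.10 eq domain
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any object-group ALLOWED-TCP
! Everything else leaving the LAN, which covers arbitrary P2P/IM/proxy ports, is
! dropped and logged so you can see which hosts keep trying.
access-list INSIDE_IN extended deny ip any any log

! Apply the list "in" on the inside interface, i.e. to traffic entering the PIX from the LAN.
access-group INSIDE_IN in interface inside

! Ship the ACL deny messages (syslog ID 106100, severity informational) to a collector.
logging enable
logging trap informational
logging host inside 192.168.1.20
```

After applying it, `show access-list INSIDE_IN` shows a hit count per line, so a fast-growing count on the final deny line, together with the 106100 messages at the syslog host, tells you which inside hosts are still trying non-whitelisted ports. The caveat Rich's story illustrates still applies: anything tunnelled over a permitted port (RDP or an encrypted tunnel moved to 443) passes this list untouched, which is why the whitelist is worth pairing with a proxy and an IDS rather than relied on alone.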