Solved

How to Block only outgoing traffic

Posted on 2007-11-29
315 Views
Last Modified: 2013-11-16
I stream webcams out to the internet. I also record them for security purposes. How would I stop only the outgoing traffic at a moment's notice? I want to still record the incoming stream on the server but stop the outgoing stream so the public cannot see the stream. The catch is that the person who will be enacting this action will not have domain admin privileges. In fact they will be....gulp...a receptionist!!!!! I am open to just about any option, software or hardware, as long as it doesn't cost a lot of money.

I use a custom program to record the video streams that is not very customizable.  I also have a Watchguard Firebox x700.
Question by:pghzooit
8 Comments
 
LVL 18

Expert Comment

by:Johnjces
ID: 20374020
I need to understand this correctly...

Your (IP) camera streams video directly to the internet via the firebox or your IP DVR streams the data or because these IP cameras sit on your LAN the receptionist has the software that will capture and allow her to view these cameras?

Is this receptionist on your LAN, outside the LAN?

I am guessing she is outside this LAN and since this data is available through software, she has a piece of software that will allow her to connect to your system through the firebox?

In any case, your firebox should have a web interface and you can deny any incoming port, since the receptionist will most likely be coming from the outside in via her software. So find out what TCP ports your cameras are using. Deny or stop any port forwarding of that port to your camera(s) or DVR system.

John
0
 
LVL 18

Expert Comment

by:Johnjces
ID: 20374028
In blocking outgoing traffic you can do the same. Block or drop any TCP packet with that specific port being used by your camera system through the firebox.

Just have to find out what ports they use.

John
0
 
LVL 4

Author Comment

by:pghzooit
ID: 20374749
The cameras are actually coax converted to IP but are essentially IP with a port # as far as we're concerned. The cams come into the server with the software on it and then out through the firewall on the same port. (ex. Cam IP=192.168.85.100:3001, cam then NAT on firewall 192.168.85.100:3001->External IP address.)

The receptionist is on the same network and does not have the software on their computer.  This is a very processor intensive program and putting the software on their computer is not an option.

What I do not want to do is give the receptionist access to the entire firewall, or web interface.  I only want them to have access to shut this one port off if the firewall is the way we choose to go.

What I prefer is a script that they can double-click on but I am not even sure if that is possible.
0

 
LVL 18

Expert Comment

by:Johnjces
ID: 20375205
That's a tall order to do a script and I doubt seriously that can be done without some sort of access to the firewall.

Well, from here I cannot help you other than, unplug the cable! :)

John
0
 
LVL 4

Author Comment

by:pghzooit
ID: 20375471
Unplugging the cable won't even work since that will stop all internet traffic throughout the entire organization.
0
 
LVL 18

Expert Comment

by:Johnjces
ID: 20375507
I was just kidding! :)

0
 
LVL 4

Author Comment

by:pghzooit
ID: 20384406
Can IPsec or proxies fix this?
All I really need to do is block all traffic to the gateway, right?.....or what if we had some sort of proxy server that we can toggle internet traffic on or off. I really know nothing about IPsec and proxies but it's a shot in the dark anyway trying to get this done.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 20397940
Let's see if I understood things right:

You have a web cam to which you want to deny inbound access [from external or optional network to the trusted network] to non-domain users

If this is what you wish to do and are sure about the ports which would be used for communication, then here is what needs to be done [the steps I am listing are generic; depending on the version of WG management software which you have the steps might differ, but the actual process is the same]:

1. Configure the Firebox to authenticate through Active Directory (AD); if you have version 8.3.1 of the software or higher, you can also use LDAP.
In Policy Manager of the FW go to Setup->Authentication Servers; configure the AD settings here.

2. Add a group/user with the auth-server set to the AD configured above: Setup->Authentication Users. This user/group is the one which you want to get access.

3. From Policy Manager, double-click the WatchGuard Authentication policy icon. Click the Policy tab.
    From the "WG-Auth connections are" drop-down list, select Allowed. Below the From box, click Add.
    Select Any from the list and click Add. Click OK.
    Below the To box, click Add. Select Firebox from the list and click Add. Click OK.

4. Create a custom policy for the ports used by the application.
E.g., per your earlier post the port is 3001: click + on the toolbar in Policy Manager and create a custom policy with TCP 3001 as port/protocol. Add the service. Configure the service as below:
Inbound "Enabled and Allowed"; From->Add->add user: the group/user created in step 2; To: the NAT settings to the web cam.

Now your users, when trying to connect to the web cam, would need to open the authentication applet, get authenticated, and only then gain access to the web cam. To authenticate, the users need to go to:
https://IP address of Firebox external interface:4100/

Please note in this case all users would need to first get authenticated through the applet and only then gain access to the web cam; also they would need to keep the applet open at all times after authentication; if they close the applet for any reason they would need to authenticate again.
As non-domain users would not have a username/password, they would not be able to gain access.

If the scenario is different from what I used, please let me know and I will provide a solution specific to the scenario.

Please note that if you wish to prevent a user directly connected to the internal Ethernet switch from reaching any other host on the same switch, this would not be possible through the firewall. WG can only intercept and block traffic if the traffic flows from one interface to another.
If this is the case then you would be better off using a personal firewall on the said system.

Please let me know if you need more details.

Thank you.
0
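The author asks above for a double-clickable script, or a proxy that can be toggled on and off, and the accepted answer closes by pointing at a host-side control on the server itself. The following is an added example written for this page, not code posted by either participant: a small TCP relay that sits between the firewall's NAT and the camera stream and that a non-admin user switches off by creating a flag file. Everything below the thread's facts is an assumption: that the NAT rule is repointed from the camera at 192.168.85.100:3001 to the relay's listen port, that the trusted LAN is 192.168.85.0/24, that the recorder keeps talking to the camera directly (so recording is untouched), and that the receptionist's "script" only needs write access to the folder holding the flag file, not to the firewall or the domain. The names `Relay`, `set_blocked`, `client_allowed` and the flag-file path are invented for the example.

```python
"""Toggleable TCP relay: a kill switch for the public camera stream.
Added example, not from the thread. Assumed (not stated on the page): the
firewall NAT points at this relay instead of the camera, the relay forwards
to 192.168.85.100:3001, and the receptionist toggles a flag file.
"""
import ipaddress
import pathlib
import socket
import socketserver
import threading

FLAG_FILE = pathlib.Path("stream_blocked.flag")           # exists => public blocked
UPSTREAM = ("192.168.85.100", 3001)                       # assumed camera port
LAN_NETWORKS = [ipaddress.ip_network("192.168.85.0/24")]  # assumed trusted LAN
CHUNK = 65536


def stream_blocked(flag_path=FLAG_FILE):
    """The receptionist's switch: flag file present => public access is off."""
    return pathlib.Path(flag_path).exists()


def set_blocked(blocked, flag_path=FLAG_FILE):
    """Create or delete the flag file; this is all the double-click script does."""
    path = pathlib.Path(flag_path)
    if blocked:
        path.touch()
    else:
        path.unlink(missing_ok=True)
    return stream_blocked(path)


def is_lan(peer_ip, lan_networks=LAN_NETWORKS):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in lan_networks)


def client_allowed(peer_ip, flag_path=FLAG_FILE, lan_networks=LAN_NETWORKS):
    """LAN viewers always pass; everyone else only while the stream is not blocked."""
    return is_lan(peer_ip, lan_networks) or not stream_blocked(flag_path)


def _pump(src, dst, keep_going):
    """Copy src->dst until EOF, a socket error, or keep_going() turns false;
    it is re-checked per chunk, so flipping the flag also cuts live viewers."""
    try:
        while keep_going():
            data = src.recv(CHUNK)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        srv = self.server
        exempt = is_lan(self.client_address[0], srv.lan_networks)
        def keep_going():
            return exempt or not stream_blocked(srv.flag_path)
        if not keep_going():
            return                       # refused: the socket is closed on return
        try:
            upstream = socket.create_connection(srv.upstream, timeout=5)
        except OSError:
            return                       # camera unreachable: drop the viewer
        with upstream:
            back = threading.Thread(target=_pump, args=(upstream, self.request, keep_going))
            back.start()
            _pump(self.request, upstream, keep_going)
            back.join(timeout=5)


class Relay(socketserver.ThreadingTCPServer):
    """Listens where the NAT now points and forwards each viewer to the camera."""
    daemon_threads = True

    def __init__(self, listen, upstream=UPSTREAM, flag_path=FLAG_FILE, lan_networks=LAN_NETWORKS):
        self.upstream = upstream
        self.flag_path = pathlib.Path(flag_path)
        self.lan_networks = list(lan_networks)
        super().__init__(listen, _Handler)

    def start(self):
        """Serve in a background thread and return the bound port."""
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address[1]


def start_echo_upstream():
    """Stand-in for the camera for local testing: echoes whatever it receives."""
    class Echo(socketserver.BaseRequestHandler):
        def handle(self):
            while data := self.request.recv(CHUNK):
                self.request.sendall(data)
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Echo)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def fetch_through(port, payload=b"", timeout=3):
    """Connect to the relay as a viewer would; returns the reply, b'' if refused."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            if payload:
                s.sendall(payload)
            return s.recv(CHUNK)
    except OSError:
        return b""
```

To try it locally, start `start_echo_upstream()` in place of the camera, create `Relay(("127.0.0.1", 0), upstream=that_address, flag_path="demo.flag", lan_networks=[])`, call `start()`, and `fetch_through(port, b"frame")` returns the echoed bytes; after `set_blocked(True, "demo.flag")` the same call returns `b""` because the relay closes the connection before touching the camera. In deployment the relay runs as a service on the recording server, the Firebox NAT is pointed at the relay's port rather than at the camera, and the receptionist's double-click script does nothing more than create or delete the flag file in a folder she can write to. Two caveats: the decision is made per connection and per chunk, so a viewer already streaming is cut at the next chunk rather than instantly, and anyone on an address inside `LAN_NETWORKS` bypasses the switch by design, so that list must not include the firewall's own address if public connections arrive NATed from it.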