Solved

How to Block only outgoing traffic

Posted on 2007-11-29
317 Views
Last Modified: 2013-11-16
I stream webcams out to the internet.  I also record them for security purposes.  How would I stop only the outgoing traffic at a moment's notice?  I want to still record the incoming stream on the server but stop the outgoing stream so the public cannot see the stream.  The catch is the person that will be enacting this action will not have domain admin privileges.  In fact they will be....gulp...a receptionist!!!!!  I am open to just about any option, software or hardware, as long as it doesn't cost a lot of money.

I use a custom program to record the video streams that is not very customizable.  I also have a Watchguard Firebox x700.
Question by:pghzooit
8 Comments
 
LVL 18

Expert Comment

by:Johnjces
ID: 20374020
I need to understand this correctly...

Your (IP) camera streams video directly to the internet via the firebox or your IP DVR streams the data or because these IP cameras sit on your LAN the receptionist has the software that will capture and allow her to view these cameras?

Is this receptionist on your LAN, outside the LAN?

I am guessing she is outside this LAN and since this data is available through software, she has a piece of software that will allow her to connect to your system through the firebox?

In any case, your firebox should have a web interface and you can deny any incoming port, since the receptionist will most likely be coming from the outside in via her software. So find out what TCP ports your cameras are using. Deny or stop any port forwarding of that port to your camera(s) or DVR system.

John
 
LVL 18

Expert Comment

by:Johnjces
ID: 20374028
In blocking outgoing traffic you can do the same. Block or drop any TCP packet with that specific port being used by your camera system through the firebox.

Just have to find out what ports they use.

John
 
LVL 4

Author Comment

by:pghzooit
ID: 20374749
The cameras are actually coax converted to IP but are essentially IP with a port # for all we're concerned.  The cams come into the server with the software on it and then out through the firewall on the same port. (ex. Cam IP=192.168.85.100:3001, cam then NAT on firewall 192.168.85.100:3001->External IP address.)

The receptionist is on the same network and does not have the software on their computer.  This is a very processor intensive program and putting the software on their computer is not an option.

What I do not want to do is give the receptionist access to the entire firewall, or web interface.  I only want them to have access to shut this one port off if the firewall is the way we choose to go.

What I prefer is a script that they can double-click on but I am not even sure if that is possible.
 
LVL 18

Expert Comment

by:Johnjces
ID: 20375205
That's a tall order to do a script and I doubt seriously that can be done without some sort of access to the firewall.

Well, from here I cannot help you other than, unplug the cable! :)

John
 
LVL 4

Author Comment

by:pghzooit
ID: 20375471
Unplugging the cable won't even work since that will stop all internet traffic throughout the entire organization.
 
LVL 18

Expert Comment

by:Johnjces
ID: 20375507
I was just kidding! :)

 
LVL 4

Author Comment

by:pghzooit
ID: 20384406
Can IPsec or proxies fix this?
All I really need to do is block all traffic to the gateway, right?.....or what if we had some sort of proxy server that we can toggle internet traffic on or off. I really know nothing about IPsec and proxies but it's a shot in the dark anyway trying to get this done.
 
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
ID: 20397940
Let's see if I understood things right:

You have a web cam to which you want to deny inbound access [from external or optional network to the trusted network] to non-domain users

If this is what you wish to do and are sure about the ports which would be used for communication then here is what needs to be done [steps I am listing are generic; depending on version of WG management software which you have the steps might differ but the actual process is same]:

1. Configure Firebox to authenticate through Active Directory (AD); if you have ver 8.3.1 of software or higher you can also use LDAP
In Policy Manager of FW go to Setup->Authentication Servers; configure the AD settings here.

2. Add a group/user with auth-server as AD configured above. Setup->Authentication Users. This user/group is the one which you want to get access.

3. From Policy Manager, double-click WatchGuard Authentication policy icon. Click the Policy tab.
    From the WG-Auth connections are drop-down list, select Allowed. Below the From box, click Add.          
    Select Any from the list and click Add. Click OK.
    Below the To box, click Add. Select Firebox from the list and click Add. Click OK.

4. Create a custom policy for the ports used by the application.
Eg., per your post earlier, port is 3001; Click + on toolbar in policy manager and create custom policy with TCP 3001 as port/protocol. Add the service. Configure the service as below:
Inbound "Enabled and Allowed"; from->Add->add user: group/user created in step 2; to: NAT settings to web cam.

Now your users when trying to connect to web cam would need to open authentication applet; get authenticated and only then gain access to web cam. To authenticate the users need to go to:
https://IP address of Firebox external interface:4100/

Please note in this case all users would need to first get authenticated through the applet and then only gain access to web cam; also they would need to keep the applet open at all times after authentication; if they close applet for any reasons they would need to authenticate again.
As non-domain users would not have username/password they would not be able to gain access.

If the scenario is different from what I used, please let me know and I would provide solution specific to scenario.

Please note if the case is that you wish to prevent a directly connected user on the internal ethernet switch from reaching any other host on the same switch through the firewall, then this would not be possible. WG can only intercept and prevent traffic from flowing if the traffic flows from one interface to another.
If this is the case then you would be better off using personal firewall on the said system.

Please let me know if you need more details.

Thank you.
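The "proxy server that we can toggle internet traffic on or off" pghzooit asked about is straightforward to build in software, and it sidesteps the receptionist's lack of firewall or domain-admin rights. The following is an added example written for this page; it is not code from the thread, from WatchGuard, or from the recording software. It assumes a layout the thread only sketches: the recorder keeps talking to the camera directly (so recording never stops), while the Firebox NAT is pointed at this relay instead of at the camera, so every public viewer passes through it. The kill switch is an ordinary file: the relay refuses new viewers and cuts existing ones while the file exists, and creating or deleting that file is all the receptionist's double-clickable script has to do. The camera address (192.168.85.100:3001, from the thread), the flag-file name, and the fake camera used to run the example offline are all assumptions.

```python
"""Toggleable TCP relay for a public camera feed (added example, not from the thread).
A plain file is the kill switch, so a user with no admin rights can cut the feed."""
import os
import socket
import tempfile
import threading

# Assumptions: camera address taken from the thread; the flag file sits in the temp
# directory so a non-admin user can create and delete it.
CAMERA_ADDR = ("192.168.85.100", 3001)
KILL_SWITCH = os.path.join(tempfile.gettempdir(), "stop_public_stream.flag")


def public_stream_enabled(flag_path=KILL_SWITCH):
    """Relaying to the public is allowed only while the kill-switch file is absent."""
    return not os.path.exists(flag_path)


def set_kill_switch(on, flag_path=KILL_SWITCH):
    """The receptionist's action: create the file to cut the feed, delete it to restore.
    Returns True when the switch is on (file present)."""
    if on:
        with open(flag_path, "w") as f:
            f.write("public stream disabled\n")
    elif os.path.exists(flag_path):
        os.remove(flag_path)
    return os.path.exists(flag_path)


def _pump(src, dst, allowed):
    """Copy bytes one way until a side closes or allowed() turns false,
    so viewers already connected are cut too, not only new ones."""
    try:
        while allowed():
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)  # wakes the pump running the other way
            except OSError:
                pass
            s.close()


class ToggleRelay:
    """Listens on a local port and forwards to the camera while the switch is off."""

    def __init__(self, upstream=CAMERA_ADDR, flag_path=KILL_SWITCH, bind=("127.0.0.1", 0)):
        self.upstream = upstream
        self.flag_path = flag_path
        self.refused = 0
        self._stop = threading.Event()
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind(bind)
        self._listener.listen(16)
        self._listener.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._listener.getsockname()[1]

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def stop(self):
        self._stop.set()

    def _serve(self):
        while not self._stop.is_set():
            try:
                client, _ = self._listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()
        self._listener.close()

    def _handle(self, client):
        allowed = lambda: public_stream_enabled(self.flag_path)
        if not allowed():
            self.refused += 1
            client.close()  # switch is on: drop the viewer without touching the camera
            return
        try:
            upstream = socket.create_connection(self.upstream, timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(client, upstream, allowed), daemon=True).start()
        _pump(upstream, client, allowed)


def fetch_through(port, host="127.0.0.1", timeout=5):
    """Act as a viewer: connect and read until the far end closes (b"" when refused)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            try:
                data = s.recv(4096)
            except OSError:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def start_fake_camera(payload=b"VIDEO-FRAME"):
    """Constructed stand-in for the camera so the example runs offline; returns its address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(payload)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    camera = start_fake_camera()
    relay = ToggleRelay(upstream=camera)
    port = relay.start()
    set_kill_switch(False)
    print("switch off, viewer gets:", fetch_through(port))
    set_kill_switch(True)
    print("switch on, viewer gets:", fetch_through(port))
    print("recorder path (direct to camera) still works:", fetch_through(camera[1]))
    set_kill_switch(False)
    relay.stop()
```

Two caveats a practitioner would want before deploying something like this. The relay must run as a service account that can reach the camera, while the flag file's directory must be writable by the receptionist and nobody less trusted, since anyone who can delete that file turns the feed back on. And a viewer already streaming is cut only when the next chunk arrives and `allowed()` is re-checked, which is immediate for a live video stream but not for an idle connection; for the Firebox-based approach in the accepted answer, the equivalent point is that authenticated sessions stay up until the user closes the applet.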
