• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 350
  • Last Modified:

How to Block only outgoing traffic

I stream webcams out to the internet.  I also record them for security purposes.  How would I stop only the outgoing traffic at a moments notice.  I want to still record the incoming stream on the server but stop the outgoing stream so the public cannot see the stream.  The catch is the person that will be inacting this action will not have domain admin priveleges.  In fact they will be....gulp...a receptionist!!!!!  I am open to just about any option, software or hardware, as long as it doesn't cost a lot of money.

I use a custom program to record the video streams that is not very customizable.  I also have a Watchguard Firebox x700.
0
pghzooit
Asked:
pghzooit
  • 4
  • 3
1 Solution
 
JohnjcesCommented:
I need to understand this correctly...

Your (IP) camera streams video directly to the internet via the firebox or your IP DVR streams the data or because these IP cameras sit on your LAN the receptionist has the software that will capture and allow her to view these cameras?

Is this receptionist on your LAN, outside the LAN?

I am guessing she is outside this LAN and since this data is available through software, she has a piece of software that will allow her to connect to your system through the firebox?

In any case, your firebox should have a web interface and you can deny any incoming port, since the receptionist will most likely be coming from the outside in via her software. So find out what TCP ports your cameras are using. Deny or stop any port forwarding of that port to your camera(s) or DVR system.

John
0
 
JohnjcesCommented:
In blocking outgoing traffic you can do the same. Block or drop any TCP packet with that specific port being used by your camera system through the firebox.

Just have to find out what ports they use.

John
0
 
pghzooitAuthor Commented:
The cameras are actually coax converted to IP but are essentially IP with a port # for all we're concerned.  The cams come into the server with the software on it and then out through the firewall on the same port. (ex. Cam IP=192.168.85.100:3001, cam then NAT on firewall 192.168.85.100:3001->External IP address.)

The receptionist is on the same network and does not have the software on their computer.  This is a very processor intensive program and putting the software on their computer is not an option.

What I do not want to do is give the receptionist access to the entire firewall, or web interface.  I only want them to have access to shut this one port off if the firewall is the way we choose to go.

What I prefer is a script that they can double-click on but I am not even sure if that is possible.
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
JohnjcesCommented:
That's a tall order to do a script and I doubt seriously that can be done without somesort of access to the firewall.

Well, from here I cannot help you other than, unplug the cable! :)

John
0
 
pghzooitAuthor Commented:
Unplugging the cable won't even work since that will stop all internet traffic throughout the entire organization.
0
 
JohnjcesCommented:
I was just kidding! :)

0
 
pghzooitAuthor Commented:
Can IPsec  Or Proxiesfix this?
All I really need to do is block all trafic to the gateway right?.....or what if we had some sort of proxyserver that we can toggle internet trafic on or off. I really no nothing about IPsec and Proxies but its a shot in the dark anyway trying to get this done.
0
 
dpk_walCommented:
Let's see if I understood things right:

You have a web cam to which you want to deny inbound access [from external or optional network to the trusted network] to non-domain users

If this is what you wish to do and are sure about the ports which would be used for communication then here is what needs to be done [steps I am listing are generic; depending on version of WG management software which you have the steps might differ but the actual process is same]:

1. Configure Firebox to authenticate through Active Directory (AD); if you have ver 8.3.1 of software or higher you can also use LDAP
In Policy Manager of FW go to Setup->Authentication Servers; configure the AD settings here.

2. Add a group/user with auth-server as AD configured above. Setup->Authentication Users. This user/group is the one which you want to get access.

3. From Policy Manager, double-click WatchGuard Authentication policy icon. Click the Policy tab.
    From the WG-Auth connections are drop-down list, select Allowed. Below the From box, click Add.          
    Select Any from the list and click Add. Click OK.
    Below the To box, click Add. Select Firebox from the list and click Add. Click OK.

4. Create a custom policy for the ports used by the application.
Eg., per your post earlier, port is 3001; Click + on toolbar in policy manager and create custom policy with TCP 3001 as port/protocol. Add the service. Configure the service as below:
Inbound "Enabled and Allowed"; from->Add->add user: group/user created in step 2; to: NAT settings to web cam.

Now your users when trying to connect to web cam would need to open authentication applet; get authenticated and only then gain access to web cam. To authenticate the users need to go to:
https://IP address of Firebox external interface:4100/

Please note in this case all users would need to first get authenticated through the applet and then only gain access to web cam; also they would need to keep the applet open at all times after authentication; if they close applet for any reasons they would need to authenticate again.
As non-domain users would not have username/password they would not be able to gain access.

If the scenario is different from what I used, please let me know and I would provide solution specific to scenario.

Please note if the case is that you wish to prevent and directly connected user on the internal ethernet switch to any other host on the same switch through the firewall then this would not be possible. Wg can only intercept and prevent traffic from flowing if the traffic flows from one interface to another.
If this is the case then you would be better off using personal firewall on the said system.

Please let me know if you need more details.

Thank you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now