RE: [fw-wiz] stop microsoft p2p
From: Bruce Platt (Bruce@ei3.com)
Date: 03/28/03
- Previous message: George J. Jahchan: "RE: [fw-wiz] installing ISA server behind PIX firewall"
- Maybe in reply to: Robert E. Martin: "[fw-wiz] stop microsoft p2p"
- Next in thread: Michael LaPane: "Re: [fw-wiz] stop microsoft p2p"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Bruce Platt <Bruce@ei3.com> To: "Robert E. Martin" <rmartin@fishburne.org>, firewall-wizards@honor.icsalabs.com Date: Fri, 28 Mar 2003 08:42:47 -0500
In addition to the other suggestions, here's one which will cost you a few
bucks (somewhat less than $500 depending on where you buy it).
Get a Netscreen 5-XP or 5-XT and run it in transparent mode. That way it is
essentially a layer 2 bridge with no IP address on either interface. You
can then configure it with policies to allow or deny any specific protocol
traffic across it. One side of it would be called "V1-untrust" in Netscreen
parlance, the other "V1-trust".
You could then set up policies as follows:
set policy id 5 from "V1-Untrust" to "V1-Trust" "Any" "Any" "nb stuff" Deny log
set policy id 4 from "V1-Untrust" to "V1-Trust" "Any" "Any" "TFTP" Deny log
set policy id 3 from "V1-Untrust" to "V1-Trust" "Any" "Any" "TELNET" Deny log
set policy id 1 from "V1-Untrust" to "V1-Trust" "Any" "Any" "ANY" Permit log
set policy id 0 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" Permit log
Policies are applied from the top down. These would stop anything on the
"V1-Untrust" side from doing any NetBIOS stuff like file sharing, share
browsing, etc., as well as TFTP and telnet to the "V1-Trust" side. All other
traffic is allowed. In this case the service "nb stuff" was custom defined
to include the ports 137-139 TCP and UDP, and 445 as well.
Careful attention to which machine goes into which zone and
modification/addition of above rules to suit allows this to meet your needs.
(Disclaimer: I have no financial interest in Netscreen.)
Regards
> -----Original Message-----
> From: Robert E. Martin [mailto:rmartin@fishburne.org]
> Sent: Thursday, March 27, 2003 8:42 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] stop microsoft p2p
>
>
> Anyone heard of a device or gizmo that replaces a hub or switch that can
> stop p2p or Microsoft file sharing? Scenario: two computers on the same
> segment connected via a hub or switch sharing files between themselves.
> Does not have to be music, could be data files, photos, copyrighted data
> etc. Can that be stopped?
> --
> Robert E Martin
> IT Manager
> Fishburne Military School
> rmartin@fishburne.org
> 540.946.7726
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
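The posted ruleset is only useful if you can predict which line a given flow hits first, and the easiest mistake with a top-down policy list is putting the broad "ANY" permit above the specific denies, which silently shadows them. The following evaluator is an added example, not code from the original message and not part of ScreenOS: it parses the five `set policy` lines exactly as posted, models the custom "nb stuff" service the post describes (TCP and UDP 137-139 plus 445; TELNET and TFTP are assumed to be the standard tcp/23 and udp/69, which is an assumption of this example, not ScreenOS's service table), answers "which rule matches this flow?" for a few constructed flows, and flags shadowed rules. Running it also makes the one-way nature of the ruleset visible: SMB from V1-Untrust to V1-Trust is denied by id 5, but the same flow from V1-Trust to V1-Untrust is permitted by id 0. And since the box only sees traffic that crosses the bridge, two hosts left on the same side of it (or on the same hub) are never filtered, which is why the choice of which machine goes into which zone matters.

```python
"""Top-down evaluator for the ScreenOS-style policy list in the post (added example)."""
import re
from dataclasses import dataclass

# The posted rules, rewrapped to one `set policy` per line.
POSTED_RULES = """
set policy id 5 from "V1-Untrust" to "V1-Trust" "Any" "Any" "nb stuff" Deny log
set policy id 4 from "V1-Untrust" to "V1-Trust" "Any" "Any" "TFTP" Deny log
set policy id 3 from "V1-Untrust" to "V1-Trust" "Any" "Any" "TELNET" Deny log
set policy id 1 from "V1-Untrust" to "V1-Trust" "Any" "Any" "ANY" Permit log
set policy id 0 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" Permit log
"""

# Service name -> set of (proto, dst_port), or None for the ANY wildcard.
# "nb stuff" is the custom service the post describes; TELNET/TFTP ports are
# assumed standard. This table is an assumption of the example, not ScreenOS's
# own service database.
SERVICES = {
    "ANY": None,
    "TELNET": {("tcp", 23)},
    "TFTP": {("udp", 69)},
    "nb stuff": {(proto, port) for proto in ("tcp", "udp")
                 for port in (137, 138, 139, 445)},
}

POLICY_RE = re.compile(
    r'set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)( log)?$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Policy:
    id: int
    from_zone: str   # lower-cased; ScreenOS zone names are case-insensitive here
    to_zone: str
    service: str
    action: str      # "Permit" or "Deny"
    log: bool


def parse_policies(text):
    """Parse `set policy` lines in the order written; that order is the rule order."""
    policies = []
    for raw in text.strip().splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised policy line: {raw!r}")
        pid, src_zone, dst_zone, _src, _dst, svc, action, log = m.groups()
        policies.append(Policy(int(pid), src_zone.lower(), dst_zone.lower(),
                               svc, action.capitalize(), log is not None))
    return policies


def service_matches(service, proto, dport):
    ports = SERVICES[service]
    return ports is None or (proto, dport) in ports


def evaluate(policies, from_zone, to_zone, proto, dport):
    """First matching rule wins. Returns (policy id, action).

    An inter-zone flow that matches nothing falls through to the implicit
    deny that a zone-based firewall applies, reported here as (None, "Deny").
    """
    for p in policies:
        if (p.from_zone == from_zone.lower() and p.to_zone == to_zone.lower()
                and service_matches(p.service, proto, dport)):
            return p.id, p.action
    return None, "Deny"


def find_shadowed(policies):
    """IDs of rules that can never match: an earlier rule for the same zone
    pair already covers every (proto, port) they name."""
    shadowed = []
    for i, p in enumerate(policies):
        mine = SERVICES[p.service]
        for q in policies[:i]:
            if (q.from_zone, q.to_zone) != (p.from_zone, p.to_zone):
                continue
            theirs = SERVICES[q.service]
            if theirs is None or (mine is not None and mine <= theirs):
                shadowed.append(p.id)
                break
    return shadowed


POLICIES = parse_policies(POSTED_RULES)

if __name__ == "__main__":
    # Constructed sample flows: (from zone, to zone, proto, dst port).
    for flow in [("V1-Untrust", "V1-Trust", "tcp", 445),
                 ("V1-Untrust", "V1-Trust", "udp", 69),
                 ("V1-Untrust", "V1-Trust", "tcp", 80),
                 ("V1-Trust", "V1-Untrust", "tcp", 445)]:
        print(flow, "->", evaluate(POLICIES, *flow))
    print("shadowed as posted:", find_shadowed(POLICIES))
    reversed_order = "\n".join(reversed(POSTED_RULES.strip().splitlines()))
    print("shadowed with ANY permit first:", find_shadowed(parse_policies(reversed_order)))
```

The shadow check is the part worth keeping around: run it after any "modification/addition of above rules" and it will tell you immediately if a new deny landed below the ANY permit for its zone pair.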