[fw-wiz] Re: Blocking Kazaa
From: Boni Bruno (boni_at_dsw.net)
Date: 06/27/03
To: firewall-wizards@honor.icsalabs.com
Date: Fri, 27 Jun 2003 09:59:10 -0700
Another alternative to proxies is transparent in-line IDS/IDP products.
I've installed a few Netscreen IDP products that effectively
deal with Kazaa, AIM, Yahoo IM, MS Messenger, Chat, etc.
I believe the latest filter code from Tipping Point also offers
protection to these services as well.
Both are commercial products.
Regards.
-boni
>
> --__--__--
>
> Message: 1
> From: "Bruce Smith" <bruce_the_loon@worldonline.co.za>
> To: "Dante Fressone" <FressoneD@officenet.com>
> Cc: <firewall-wizards@honor.icsalabs.com>
> Subject: Re: [fw-wiz] Blocking Kazaa
> Date: Thu, 26 Jun 2003 21:27:07 +0200
>
> I would add my voice to Paul's, setting a proxy up would solve your problem.
>
> We found that we successfully blocked new installations of Kazaa by blocking
> TCP and UDP packets going to port 1214 and also, oddly enough, sourcing from
> 1214 on the inside of our network. That coupled with a blanket port 80 block
> has prevented new Kazaa instances from connecting. We've been purging the
> existing installations by using the PS Tools package to remotely search and
> destroy the Kazaa folder.
>
> Regards
>
> Bruce
>
>
> ----- Original Message -----
> From: "Paul Armstrong" <army@cyber.com.au>
> To: "Dante Fressone" <FressoneD@officenet.com>
> Cc: <firewall-wizards@honor.icsalabs.com>
> Sent: Thursday, June 26, 2003 7:04 AM
> Subject: Re: [fw-wiz] Blocking Kazaa
>
>
>
>>On Wed, Jun 25, 2003 at 03:20:54PM -0300, Dante Fressone wrote:
>>
>>>Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
>>>seems like it's using port 80 now,,,,and I can't drop that port because web
>>>wont work.....
>>>
>>>Any ideas?
>>
>>Use a HTTP proxy such as Squid and only allow traffic to port 80 from the
>>proxy.
>>
>>This has other advantages such as faster response time for cached objects,
>>general filtering (e.g. if your policy says people aren't allowed to download
>>anything with a .vbs extension) and will save you money if you pay by the byte
>>(or if you pay for pipe size and the traffic reduction means you don't need
>>such a large pipe).
>>
>>Paul
>>_______________________________________________
>>firewall-wizards mailing list
>>firewall-wizards@honor.icsalabs.com
>>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
> --__--__--
>
> Message: 2
> From: Ste Jones <root@networkpenetration.com>
> To: firewall-wizards@honor.icsalabs.com
> Date: Thu, 26 Jun 2003 23:36:35 +0100
> Reply-To: root@networkpenetration.com
> Organization: Network Penetration
> Subject: [fw-wiz] Distributed port scanning using OpenBSD's packet filter
>
> By using openBSD's packet filter pf one can utilize the NAT address pools added into OpenBSD 3.3 to aid in distributed port scanning.
>
> http://www.networkpenetration.com/pfdistnatscan.html
>
> --
> ste jones
> root@networkpenetration.com
>
>
>
>
> --__--__--
>
> Message: 3
> From: "Danny Salinas" <salinasd@harlingen.isd.tenet.edu>
> To: <firewall-wizards@honor.icsalabs.com>
> Subject: RE: [fw-wiz] Blocking Kazaa
> Date: Thu, 26 Jun 2003 08:25:52 -0500
>
> You might try blocking the destination ip address. I think the kazaa
> application tries to contact the "mother ship" every time it fires up.
>
> Hope this helps..
> Danny Salinas
>
> Network Specialist
> Harlingen C.I.S.D.
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Dante
> Fressone
> Sent: Wednesday, June 25, 2003 1:21 PM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Blocking Kazaa
>
>
> Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
> seems like it's using port 80 now,,,,and I can't drop that port because web
> wont work.....
>
>
> Any ideas?
>
>
> Thanks!
>
>
> Dante Fressone
> Networking
> e-mail: fressoned@officenet.com
> Tel: 54-(11)-4126-2728
>
>
>
> --__--__--
>
> Message: 4
> Subject: RE: [fw-wiz] Blocking Kazaa
> Date: Thu, 26 Jun 2003 08:43:31 -0500
> From: "James Baumgardner" <jbaumgardner@primarycarenet.org>
> To: <firewall-wizards@honor.icsalabs.com>
>
> I can't seem to find anything that isn't commercial (expensive) to help
> me out with this, so I just have to monitor, slap hand, monitor ...
> Rinse ... Repeat.
>
> I would love to hear if someone has a way to block it with a PIX.
>
> -----Original Message-----
> From: Dante Fressone [mailto:FressoneD@officenet.com]
> Sent: Wednesday, June 25, 2003 1:21 PM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Blocking Kazaa
>
>
> Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
> seems like it's using port 80 now,,,,and I can't drop that port because
> web wont work.....
>
>
> Any ideas?
>
>
> Thanks!
>
>
> Dante Fressone
> Networking
> e-mail: fressoned@officenet.com
> Tel: 54-(11)-4126-2728
>
>
> --__--__--
>
> Message: 5
> Date: Thu, 26 Jun 2003 16:08:59 -0400
> From: "Pettus, Duane R." <dpettus@GryphonLC.com>
> To: <firewall-wizards@nfr.net>
> Subject: [fw-wiz] I am having a problem with check point and I need a little help
>
> Yeah, I was having a problem with this checkpoint crap.
> My firewall server when connected to the checkpoint services on any
> internal NIC Card will not open a web page.
>
> Let me give you the run down:
>
> 1 2000 server (Running Check point) (10.0.0.100-internal network ;
> 127.0.0.1-external network ; 10.20.0.1 - DMZ )
> 1 workstation (10.0.0.1 internal)
> 1 workstation (10.20.0.2 web server)
> 1 2003 server (10.0.0.3)
> 1 workstation simulating the internet (172.0.0.2 & connection to the
> internet & DNS for the test environment)
>
> This is not a problem when I just have the Checkpoint service running on
> the external card ONLY.
>
> When I turn the service off of the internal cards (10.0.0.100 and
> 10.20.0.1), I can tracert, ping, open a website and it opens correctly.
>
> When I turn the service on the internal cards (10.0.0.100 and
> 10.20.0.1), I can tracert, ping but I cannot open a web page.
>
> I am allowing everything on the firewall. It can resolve the web-site
> (I see that at the bottom), it has the ability of resolving the host
> name because I can resolve the name in the ping, but it will not open
> the web page. If I put in the ip address of the website it will not
> open that either
>
> I have a rule that states to allow everything from the internal network
> I have a stealth rule and a cleanup rule that is it.
>
>
>
>
> Duane R. Pettus
> Gryphon Technologies
> Sr. Network Administrator
> dpettus@gryphonlc.com
> 240-387-1000 x409 work
> 301-675-0439 cell
> www.gryphonlc.com
>
>
> --__--__--
>
> Message: 6
> Date: Fri, 27 Jun 2003 08:57:07 -0400 (EDT)
> From: Paul Robertson <proberts@patriot.net>
> To: Dante Fressone <FressoneD@officenet.com>
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Blocking Kazaa
>
> On Wed, 25 Jun 2003, Dante Fressone wrote:
>
>
>>Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
>>seems like it's using port 80 now,,,,and I can't drop that port because web
>>wont work.....
>
>
> http://honor.trusecure.com/pipermail/firewall-wizards/2002-December/013694.html
>
> Also, snort's been mentioned in conjunction with killing the connections,
> so you might want to search on that too.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> proberts@patriot.net which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
>
>
> --__--__--
>
> Message: 7
> Subject: Re: [fw-wiz] Application Intelligent vs ALG
> To: Frederick M Avolio <fred@avolio.com>
> Cc: firewall-wizards@honor.icsalabs.com
> From: SimonChan@lifeisgreat.com.sg
> Date: Wed, 25 Jun 2003 19:41:41 +0800
>
>
> Hi all,
>
> I would like to thank all for sharing their valuable views on this matter.
>
> For the benefit of the rest of the folks, the answer is in volume 4 of
> Information Security Management Handbook Chapter 9 - an examination of
> Firewall Architectures.
>
> ;-)
>
>
>
> Rgds,
>
> Simon Chan, MCP/MCSA/CCNA/CCSA/WCSP
> Senior Security Engineer
> Great Eastern Life Assurance Co. Ltd.
>
> ------------------------------------------------------------------------------------
>
> "My statements in this message are personal opinions
> which may have no basis whatsoever in fact."
>
>
>
>
> Frederick M Avolio <fred@avolio.com>
> Sent by: firewall-wizards-admin@honor.icsalabs.com
> 06/23/2003 09:18 PM
> To: SimonChan@lifeisgreat.com.sg, firewall-wizards@honor.icsalabs.com
> cc:
> Subject: Re: [fw-wiz] Application Intelligent vs ALG
>
>
>
>
>
>
> A fancy proxy.
>
> Three different people from Check Point wrote me in response to a recent
> column of mine, basically asking me if I had heard of this new feature.
>
> I replied with a brief history. In short: Firewall-1 comes on the scene,
> most FW1 users implement it with modules from the TIS FWTK (for adding user
> authentication to FTP and TELNET), Check Point's marketing says proxies are
> old technology, stateful inspection is the next generation of firewall
> technology (before the term became a product name), people persisted in
> using proxies, CP added "security servers" (proxies by another name), and
> now this.
>
> I asked them, how is this different from application gateways (security
> proxies). I applaud the addition of them (like there are other hybrid
> firewalls). But none of the three folks from CP replied to me.
>
> I have no agenda, except the truth. (Boy, is this guy noble, or what? :-))
> I'd like to know the answer to this: How this is different than application
> gateways (if it is), and why is it better than Sidewinder, Firebox, Raptor,
> et al.
>
>
> Fred
> Avolio Consulting, Inc.
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
> +1 410-309-6910 (voice) +1 410-309-6911 (fax)
> http://www.avolio.com/
> PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
> BBF6 0B45 93C7 3521 CEA0
>
>
>
>
>
>
> --__--__--
>
> Message: 8
> Date: Wed, 25 Jun 2003 22:31:44 -0700 (PDT)
> From: James Cutter <JamesCutter@thedoghousemail.com>
> To: firewall-wizards@honor.icsalabs.com
> Cc: fressoned@officenet.com
> Subject: RE: [fw-wiz] Blocking Kazaa
> Reply-To: JamesCutter@thedoghousemail.com
>
> PIX can't do this. Other Cisco gear can't as well.
> There is a Peer to Peer firewall from Akonix (http://www.akonix.com/ ) that you can use.
>
> another option that you might want to try is checkpoint NG (starting at FP3) that can block Peer-to-Peer (including kazaa) applications traversing the firewall on port 80.
>
>
> Original message:
>
>
> Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it seems like it's using port 80 now,,,,and I can't drop that port because web wont work.....
>
>
> Any ideas?
>
>
> Thanks!
>
>
> Dante Fressone
> Networking
> e-mail: fressoned@officenet.com
> Tel: 54-(11)-4126-2728
>
>
> --__--__--
>
> Message: 9
> Subject: RE: [fw-wiz] Blocking Kazaa
> Date: Fri, 27 Jun 2003 09:24:47 -0400
> From: "Whiteside, Larry [contractor]" <BAE14@SPHQ.SSP.NAVY.MIL>
> To: <firewall-wizards@honor.icsalabs.com>
>
> Due to the way Kazaa functions it is going to be hard to block it via
> the traditional blocking methods (ports, protocols). The best way to
> defend against this type of issue is POLICY. I would go straight to the
> Executives and explain the problem (legality, viruses, trojans, etc.).
> This is to help facilitate them approving a policy quickly. Once it has
> been approved get it on the street and begin to punish those people that
> are breaking the policy. Once a few folks realize this could get them in
> trouble, it will cut it out. With the economy the way it is the one
> leverage you have is no one wants to lose their job.
>
> L
> ***************************
> Larry Whiteside Jr.
> Sr. Security Engineer/Security Program Manager
>
>
>
> -----Original Message-----
> From: James Baumgardner [mailto:jbaumgardner@primarycarenet.org]
> Sent: Thursday, June 26, 2003 9:44 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] Blocking Kazaa
>
>
> I can't seem to find anything that isn't commercial (expensive) to help
> me out with this, so I just have to monitor, slap hand, monitor ...
> Rinse ... Repeat.
>
> I would love to hear if someone has a way to block it with a PIX.
>
> -----Original Message-----
> From: Dante Fressone [mailto:FressoneD@officenet.com]
> Sent: Wednesday, June 25, 2003 1:21 PM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Blocking Kazaa
>
>
> Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
> seems like it's using port 80 now,,,,and I can't drop that port because
> web wont work.....
>
>
> Any ideas?
>
>
> Thanks!
>
>
> Dante Fressone
> Networking
> e-mail: fressoned@officenet.com
> Tel: 54-(11)-4126-2728
>
>
>
> --__--__--
>
>
>
> End of firewall-wizards Digest
--
Boni Bruno, CISSP, IAM
Chief Technology & Security Officer
P:818.226.1773 F:818.883.4604
6110 Variel Avenue, Woodland Hills, CA
www.dsw.net
Data Systems Worldwide
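
The egress policy suggested in the quoted replies (port 80 allowed out only from the proxy, TCP/UDP port 1214 blocked as either source or destination), written as a small flow checker. This is an added example, not code from any poster or product in the thread; the network range, proxy address, flow records and function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, Counter

# Assumed values for illustration; none of these appear in the thread.
INSIDE = ipaddress.ip_network("10.0.0.0/24")   # internal network
PROXY = ipaddress.ip_address("10.0.0.5")       # the Squid host
P2P_PORT = 1214                                # Kazaa port named in the thread

def verdict(proto, src, sport, dst, dport):
    """Classify one outbound flow under the policy described in the thread."""
    if ipaddress.ip_address(src) not in INSIDE:
        return ("deny", "not-inside")
    # Block 1214 as destination and, as Bruce describes, as source port too.
    if proto in ("tcp", "udp") and P2P_PORT in (sport, dport):
        return ("deny", "port-1214")
    # Port 80 leaves the network only from the proxy (Paul's suggestion).
    if proto == "tcp" and dport == 80:
        if ipaddress.ip_address(src) == PROXY:
            return ("permit", "proxy-http")
        return ("deny", "direct-http")
    return ("defer", "other")  # left to the rest of the rule base

def offenders(flows):
    """Map each inside host to a count of denied flows per reason."""
    hits = defaultdict(Counter)
    for flow in flows:
        action, reason = verdict(*flow)
        if action == "deny" and reason != "not-inside":
            hits[flow[1]][reason] += 1
    return {host: dict(counts) for host, counts in hits.items()}

# Constructed flow records: (proto, src, sport, dst, dport)
SAMPLE_FLOWS = [
    ("tcp", "10.0.0.21", 3345, "203.0.113.9", 1214),
    ("udp", "10.0.0.21", 1214, "198.51.100.7", 2001),
    ("tcp", "10.0.0.21", 3350, "203.0.113.9", 80),
    ("tcp", "10.0.0.5", 40112, "192.0.2.80", 80),
    ("tcp", "10.0.0.34", 2211, "192.0.2.25", 25),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, verdict(*flow))
    print(offenders(SAMPLE_FLOWS))
```

The per-host counts from `offenders` give the list of machines to follow up on, which fits the monitoring and cleanup steps the replies describe.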