RE: N00b Question

From: Corbett, Tim D. (James Tower) (TDCorbett_at_jamestower.com)
Date: 01/06/05

  • Next message: Kelly Martin: "SF new column announcement: Microsoft Anti-Spyware?"

    Date: Thu, 6 Jan 2005 12:20:01 -0600
    To: "security basics" <security-basics@securityfocus.com>


    I agree... a packet shaper would be a gross misuse for simple blocking.
    Packet shapers CAN do blocking, but they are better suited for bandwidth
    throttling, quality of service, and usage tracking (nor are they
    necessarily cheap). We use one here to manage bandwidth for service
    agreements for various customers. In this case though, I would do as
    Mike suggested and simply create an ACL on your router...

    -----Original Message-----
    From: Mike [mailto:securitybasics@infinity77.net]
    Sent: Wednesday, January 05, 2005 11:02 PM
    To: security basics
    Subject: Re: N00b Question

    Since this application only works with standard ports... wouldn't it be
    just as easy to block those ports at the router?

    josh wrote:
    > There is a great product called PacketShaper by Packeteer. This device
    > blocks traffic at the application level. If a user tries to use Gnutella,
    > AIM, iTunes, etc. on different ports or IPs other than the standard
    > ports and IPs, this device will detect it. This device detects the
    > signatures of these applications' packets as they pass through the device.
    > I work at a college and, as you can imagine, our students ate up our
    > bandwidth with P2P apps; we purchased this device and saved a whole lot
    > of bandwidth.
    > I hope this helps.
    >
    > On Wednesday 05 January 2005 15:00, Scott Ladd wrote:
    >
    >>The method you mention has many flaws, namely multiple hosts. AIM, for
    >>instance, uses multiple IP addresses and ports for connecting. You would
    >>have to block an IP range for that matter. Setting up a firewall is your
    >>best bet in the end.
    >>
    >>-SL
    >>
    >>-----Original Message-----
    >>From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
    >>Sent: Monday, January 03, 2005 8:30 AM
    >>To: security-basics@lists.securityfocus.com
    >>Subject: RE: N00b Question
    >>
    >>No need to sit there and block ports. Just block access to the hosts
    >>these services connect to.
    >>
    >>For instance iTunes: iTunes has built-in Internet Radio which can
    >>suck up my bandwidth. I use Websense to block HTTP and other ports.
    >>However, iTunes uses a HUGE range of ports. Sure you can block all of
    >>those ports, but it's just much easier to block the site from which
    >>iTunes gathers its XML list of radio stations. Now the proggie just
    >>errors out.
    >>
    >>MSN and Yahoo Chat all connect to some remote host. Install and fire up
    >>Ethereal on your PC, install these programs and sign in. Check your
    >>Ethereal logs and you'll easily be able to identify which hosts those
    >>programs are connecting to.
    >>
    >>My $.02. Happy New Year All!
    >>
    >>JMB
    >>
    >>-----Original Message-----
    >>From: G.Crow [mailto:secure.computing@gmail.com]
    >>Sent: Thursday, December 30, 2004 10:33 PM
    >>To: security-basics@lists.securityfocus.com
    >>Subject: RE: N00b Question
    >>
    >>
    >>For blocking certain sites your best bet is a proxy of some sort,
    >>presumably transparent. Lots of people on this list will point you
    >>towards Squid if you're looking in the open-source realm. You *could*
    >>block site IPs in your firewalls (PIX firewalls are almost all, if not
    >>all, in the 500 scheme. I haven't looked at the lineup recently.) That
    >>is, however, not a great solution for a variety of reasons.
    >>
    >>If you are blocking the web-based email, why do you need to block the
    >>ability to upload attachments?
    >>
    >>For MSN/Yahoo chat you can block the ports in your external firewall.
    >>This will stop 95% of your users (possibly more if MSN/Yahoo don't
    >>accept connections on any port like AIM does.) You can also see if your
    >>infrastructure supports deep packet inspection - Cisco has a good
    >>variety of capabilities regarding that, but I can't for the life of me
    >>remember the acronym, and my Cisco books are in the office. I avoid it,
    >>myself, since it punts packets to the processor, but that doesn't matter
    >>as much with a slower external link.
    >>
    >>Quotas established for web surfing? Do you mean accounting per computer
    >>(he's been on the web *this* much today) or do you actually mean cutting
    >>it off after a certain point per day? Logging and log analysis is easy
    >>enough, but true quotas would require authentication of some sort most
    >>likely, and are probably more trouble than they're worth. If bandwidth
    >>is an issue I would just implement QoS and put port 80/443 traffic in a
    >>low CoS.
    >>
    >>Gabe
    >>
    >>
    >>>-----Original Message-----
    >>>From: Harshal Dedhia [mailto:harshal.dedhia@skybird-travel.com]
    >>>Sent: December 30, 2004 11:42 AM
    >>>To: security-basics@securityfocus.com
    >>>Subject: N00b Question
    >>>
    >>>Hi,
    >>>I am very new to the firewall and network security world. I have a
    >>>situation wherein I need to block web-based email access and the
    >>>ability to upload attachments to web-based email. I also need to
    >>>ensure that MSN/Yahoo chat is disabled and quotas are established for
    >>>web surfing.
    >>>
    >>>Is there an Open Source solution to this problem. The network
    >>>comprises Cisco Routers and 500 series firewalls.
    >>>
    >>>Cheers!
    >>>Harshal
    >
    >
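
Added example, not code from anyone in this thread: a small script that
mechanises the two practical suggestions above, (1) Jason's "capture the
client's traffic while the application signs in and note which hosts it
talks to" and (2) Mike's and Tim's "deny those destinations with an ACL on
the router". The capture export it reads is constructed for the example
(tab-separated time, source, destination, protocol, destination port is an
assumed export layout, and the addresses are RFC 5737 documentation ranges);
the ACL lines it emits use Cisco IOS numbered extended access-list syntax.

```python
"""Summarize a client's outbound destinations and emit a host-blocking ACL.

Added example (not from the thread). Layout of the capture export and the
sample addresses are assumptions; see the lead-in.
"""
from collections import Counter
from ipaddress import ip_address

# Constructed sample export: time, src, dst, proto, dst port (tab-separated).
# The last line is a server reply; it must not be mistaken for a destination.
SAMPLE_FLOWS = """\
time\tsrc\tdst\tproto\tdport
0.000\t192.0.2.10\t198.51.100.20\tTCP\t1863
0.120\t192.0.2.10\t198.51.100.20\tTCP\t1863
0.300\t192.0.2.10\t203.0.113.5\tTCP\t80
0.450\t192.0.2.10\t198.51.100.21\tTCP\t443
0.500\t192.0.2.10\t203.0.113.5\tTCP\t80
0.900\t192.0.2.10\t198.51.100.22\tUDP\t5050
1.200\t198.51.100.20\t192.0.2.10\tTCP\t3412
"""


def parse_flows(text):
    """Parse the export into (src, dst, proto, dport) tuples; skip header and blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("time\t"):
            continue
        _time, src, dst, proto, dport = line.split("\t")
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def summarize_destinations(flows, client_ip):
    """Count outbound connections from client_ip per (dst, proto, dport).

    Only flows sourced by the client count, so server replies do not turn
    the client's ephemeral ports into bogus "destinations".
    """
    counts = Counter()
    for src, dst, proto, dport in flows:
        if src == client_ip:
            counts[(dst, proto, dport)] += 1
    return counts


def build_block_acl(summary, acl_number=110, skip_ports=frozenset()):
    """Emit IOS numbered extended ACL lines denying each observed destination.

    skip_ports leaves shared services alone (e.g. 80/443 on a host that also
    serves legitimate web content). An IOS ACL ends with an implicit deny, so
    an explicit permit is appended to keep everything else flowing.
    """
    lines = []
    ordered = sorted(summary, key=lambda k: (ip_address(k[0]), k[1], k[2]))
    for dst, proto, dport in ordered:
        if dport in skip_ports:
            continue
        lines.append(f"access-list {acl_number} deny {proto} any host {dst} eq {dport}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    summary = summarize_destinations(flows, "192.0.2.10")
    for (dst, proto, dport), n in summary.most_common():
        print(f"{n:3d}  {dst}:{dport}/{proto}")
    print("\n".join(build_block_acl(summary, skip_ports={80, 443})))
```

The generated list still has to be applied to an interface (on IOS, `ip
access-group 110 out` under the outside interface). Two caveats from the
thread apply: a service whose hostname resolves to many addresses (Scott's
AIM point) will only show the addresses it happened to use during your
capture, so repeat the capture or watch the DNS replies before trusting the
list; and a destination on port 80/443 may be a shared web host, which is why
the script can skip those ports and leave them to a proxy.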

