RE: Kazza and ISA server

["Maher Odeh" <rax () netvision net il>]

Dear Cosme
Problem here is that Kazaa uses port 80 to connect as well
Even if you use this method of ALL blocked except for HTTP SMTP
Kazaa will use this port and connect...

The only way to block it is to look for the headers sent on port 80
And if you see X-Kazaa header, then drop it, this can be done on FW-1
via the Smart Defense or via MS ISA server with the help of URLScan
templates to block a specific headers..


Thanks,



-----Original Message-----
From: Cosme Morales [mailto:cosme () geisha com mx] 
Sent: Monday, August 25, 2003 11:20 PM
To: Maher Odeh; Alaa Shaheen; security-basics () securityfocus com
Subject: Re: Kazza and ISA server

may you want to able only the web browsing, and the mail ports(25,110)
so you are going to have blocked by default that services.

in ISA server whatever is not allowed expresally is denied.

in your "protocols rule" only allow tcp for 80, 25 and 110, on a rule
maybe
named "correct inet".
usually there are configured a rule named (Internet) than allows
everything.

if you make a "protocol rule" than only allows what I mentioned, chance
it
works like you want.

hope it works (I tested on my own ISA server) for you.

on dude mail me.

----- Original Message ----- 
From: "Maher Odeh" <rax () netvision net il>
To: "Alaa Shaheen" <Ashaheen () aedegypt org>;
<security-basics () securityfocus com>
Sent: Sunday, August 24, 2003 3:39 AM
Subject: RE: Kazza and ISA server


Taken from:
http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/21/pid/802/qid/46481
4



First, I am not familiar with ISA server (mostly checkpoint) but, maybe
blocking access based on headers is a better way.
it is possible to make kazaa work with port 80 rather than 1214. So they
will pass.
But you may block certain headers like:
"GET /.hash*"
"UserAgent: KazaaClient"
"X-Kazaa*" (a few headers start with this)

And according to Microsoft, you can do this with URLScan Web Filter for
ISA:
http://download.microsoft.com/download/4/c/b/4cbe9a1f-8d97-4c71-b6b3-d96
7924981db/urlscan_readme.htm

I had no chance to try this at ISA server but I hope it works for you.

greetz,

Rule0

-----Original Message-----
From: Alaa Shaheen [mailto:Ashaheen () aedegypt org]
Sent: Friday, August 22, 2003 5:43 PM
To: security-basics () securityfocus com
Subject: Kazza and ISA server

Hi All

I am having a little problem of controlling the traffic passing through
my ISA server, specially the P2P file sharing programs such as Kazza and
Imesh

Did anyone knows how to block Kazza traffic using the ISA server ?

Thanks in advance for your help

Alaa Shaheen

------------------------------------------------------------------------
---
------------------------------------------------------------------------
----




------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30
(Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event
in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September
6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----


 


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------