Security Basics mailing list archives

RE: Kazza and ISA server


From: Tony Fondo <Tony.Fondo () patlive com>
Date: Tue, 26 Aug 2003 12:12:44 -0400

You can also filter by application name...

Go to Client Configuration (on ISA Management), Firewall Client, Application
Settings;
set up one for the executable name(s) and Key of Disable set to 1.

You must understand this will not stop it if the file is renamed, but you
can easily enough look through the fwlogs it creates to see this.
Hope that Helps,
-Tony

-----Original Message-----
From: Maher Odeh [mailto:rax () netvision net il]
Sent: Tuesday, August 26, 2003 1:46 AM
To: Cosme Morales; Alaa Shaheen; security-basics () securityfocus com
Subject: RE: Kazza and ISA server


Dear Cosme,
The problem here is that Kazaa uses port 80 to connect as well.
Even if you use this method of blocking ALL except for HTTP and SMTP,
Kazaa will use this port and connect...

The only way to block it is to look at the headers sent on port 80,
and if you see an X-Kazaa header, then drop it. This can be done on FW-1
via Smart Defense or via MS ISA server with the help of URLScan
templates to block specific headers.


Thanks,



-----Original Message-----
From: Cosme Morales [mailto:cosme () geisha com mx] 
Sent: Monday, August 25, 2003 11:20 PM
To: Maher Odeh; Alaa Shaheen; security-basics () securityfocus com
Subject: Re: Kazza and ISA server

Maybe you want to enable only web browsing and the mail ports (25, 110),
so you are going to have those services blocked by default.

In ISA server, whatever is not expressly allowed is denied.

In your "protocol rules", only allow TCP for 80, 25 and 110, in a rule
maybe named "correct inet".
Usually there is a rule configured named (Internet) that allows
everything.

If you make a "protocol rule" that only allows what I mentioned, chances
are it works like you want.

Hope it works (I tested on my own ISA server) for you.

on dude mail me.

----- Original Message ----- 
From: "Maher Odeh" <rax () netvision net il>
To: "Alaa Shaheen" <Ashaheen () aedegypt org>;
<security-basics () securityfocus com>
Sent: Sunday, August 24, 2003 3:39 AM
Subject: RE: Kazza and ISA server


Taken from:
http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/21/pid/802/qid/464814



First, I am not familiar with ISA server (mostly Check Point), but maybe
blocking access based on headers is a better way.
It is possible to make Kazaa work with port 80 rather than 1214, so they
will pass.
But you may block certain headers like:
"GET /.hash*"
"UserAgent: KazaaClient"
"X-Kazaa*" (a few headers start with this)

And according to Microsoft, you can do this with URLScan Web Filter for
ISA:
http://download.microsoft.com/download/4/c/b/4cbe9a1f-8d97-4c71-b6b3-d967924981db/urlscan_readme.htm

I had no chance to try this at ISA server but I hope it works for you.

greetz,

Rule0
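
The header checks listed in the message above, as an added example that is not part of the original thread: a Python sketch that parses a raw HTTP request head and reports which of the three signatures match. The sample requests, the header name X-Kazaa-Sample and the function names are constructed for illustration.

```python
def parse_request_head(raw: bytes):
    """Split a raw HTTP request head into (method, target, [(name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Obsolete folded continuation line: append to the previous value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise to lower case.
            headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers


def kazaa_indicators(raw: bytes):
    """Return the signatures from the thread that this request matches."""
    method, target, headers = parse_request_head(raw)
    hits = []
    if method.upper() == "GET" and target.startswith("/.hash"):
        hits.append("request-line: GET /.hash*")
    for name, value in headers:
        # The thread writes "UserAgent:"; accept that and the standard spelling.
        if name in ("user-agent", "useragent") and "kazaaclient" in value.lower():
            hits.append("user-agent: KazaaClient")
        if name.startswith("x-kazaa"):
            hits.append("header: " + name)
    return hits


# Constructed sample requests (not captured traffic).
BROWSER = (b"GET /search?q=X-Kazaa HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: Mozilla/4.0\r\n\r\n")
P2P = (b"GET /.hash=0123abcd HTTP/1.1\r\nHost: 192.0.2.10:80\r\n"
       b"UserAgent: KazaaClient\r\nx-kazaa-sample: constructed\r\n\r\n")
RENAMED_AGENT = (b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                 b"User-Agent: Mozilla/4.0\r\nX-KaZaA-Sample: constructed\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("browser", BROWSER), ("p2p", P2P),
                       ("renamed agent", RENAMED_AGENT)):
        print(label, kazaa_indicators(req))
```

The match is on header names and the request line only, so a URL that merely contains the string "X-Kazaa" is not flagged, while a client that changes its User-Agent is still caught by its X-Kazaa header.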

-----Original Message-----
From: Alaa Shaheen [mailto:Ashaheen () aedegypt org]
Sent: Friday, August 22, 2003 5:43 PM
To: security-basics () securityfocus com
Subject: Kazza and ISA server

Hi All,

I am having a little problem controlling the traffic passing through
my ISA server, especially the P2P file sharing programs such as Kazaa and
iMesh.

Does anyone know how to block Kazaa traffic using the ISA server?

Thanks in advance for your help.

Alaa Shaheen





------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30
(Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event
in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September
6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----


 
 
