Security Basics mailing list archives
RE: N00b Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 6 Jan 2005 15:55:27 -0800
Paradoxically, this makes them IDEAL in a college setting, where there are services that you *can't* block (but have to ensure that they don't crowd out everything else on the network). If it doesn't work, you have to fix it -- but if it just works *slowly*, people will find something else to do that doesn't chew up bandwidth.

Dave Gillett
-----Original Message-----
From: Corbett, Tim D. (James Tower) [mailto:TDCorbett () jamestower com]
Sent: Thursday, January 06, 2005 10:20 AM
To: security basics
Subject: RE: N00b Question

I agree... a packet shaper would be a gross misuse for simple blocking. Packet shapers CAN do blocking, but they are better suited for bandwidth throttling, quality of service, and usage tracking (nor are they necessarily cheap). We use one here to manage bandwidth for service agreements for various customers. In this case though, I would do as Mike suggested and simply create an ACL on your router...

-----Original Message-----
From: Mike [mailto:securitybasics () infinity77 net]
Sent: Wednesday, January 05, 2005 11:02 PM
To: security basics
Subject: Re: N00b Question

Since this application only works with standard ports... wouldn't it be just as easy to block those ports at the router?

josh wrote:

There is a great product called PacketShaper by Packeteer. This device blocks traffic at the application level. If a user tries to use Gnutella, AIM, iTunes, etc... on different ports or IPs other than the standard ports and IPs, this device will detect it. This device detects the signatures of these applications' packets as they pass through this device. I work at a college and, as you can imagine, our students ate up our bandwidth with P2P apps; we purchased this device and saved a whole lot of bandwidth. I hope this helps.

On Wednesday 05 January 2005 15:00, Scott Ladd wrote:

The method you mention has many flaws, namely, multiple hosts. AIM, for instance, uses multiple IP addresses and ports for connecting. You would have to block an IP range for that matter. Setting up a firewall is your best bet in the end.

-SL

-----Original Message-----
From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
Sent: Monday, January 03, 2005 8:30 AM
To: security-basics () lists securityfocus com
Subject: RE: N00b Question

No need to sit there and block ports. Just block access to the hosts these services connect to.

For instance iTunes: iTunes has built-in Internet Radio which can suck up my bandwidth. I use Websense to block HTTP and other ports. However, iTunes uses a HUGE range of ports. Sure you can block all of those ports, but it's just much easier to block the site from which iTunes gathers its XML list of radio stations. Now the proggie just errors out. MSN and Yahoo Chat all connect to some remote host. Install and fire up Ethereal on your PC, install these programs and sign in. Check your Ethereal logs and you'll easily be able to identify which hosts those programs are connecting to. My $.02. Happy New Year All!

JMB

-----Original Message-----
From: G.Crow [mailto:secure.computing () gmail com]
Sent: Thursday, December 30, 2004 10:33 PM
To: security-basics () lists securityfocus com
Subject: RE: N00b Question

For blocking certain sites your best bet is a proxy of some sort, presumably transparent. Lots of people on this list will point you towards Squid if you're looking in the open-source realm. You *could* block site IPs in your firewalls (PIX firewalls are almost all, if not all, in the 500-scheme. I haven't looked at the lineup recently.) That is, however, not a great solution for a variety of reasons.

If you are blocking the web-based email, why do you need to block the ability to upload attachments?

For MSN/Yahoo chat you can block the ports in your external firewall. This will stop 95% of your users (possibly more if MSN/Yahoo don't accept connections on any port like AIM does.) You can also see if your infrastructure supports deep packet inspection - Cisco has a good variety of capabilities regarding that, but I can't for the life of me remember the acronym, and my Cisco books are in the office. I avoid it, myself, since it punts packets to the processor, but that doesn't matter as much with a slower external link.

Quotas established for web surfing? Do you mean accounting per computer (he's been on the web *this* much today) or do you actually mean cutting it off after a certain point per day? Logging and log analysis is easy enough, but true quotas would require authentication of some sort most likely, and are probably more trouble than they're worth. If bandwidth is an issue I would just implement QoS and put port 80/443 traffic in a low CoS.

Gabe

-----Original Message-----
From: Harshal Dedhia [mailto:harshal.dedhia () skybird-travel com]
Sent: December 30, 2004 11:42 AM
To: security-basics () securityfocus com
Subject: N00b Question

Hi,

I am very new to the firewall and network security world. I have a situation wherein I need to block web-based email access and the ability to upload attachments to web-based email. I also need to ensure that MSN/Yahoo chat is disabled and quotas are established for web surfing. Is there an Open Source solution to this problem? The network comprises Cisco routers and 500 series firewalls.

Cheers!
Harshal
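Two steps in the thread above go together: JMB's suggestion to capture a client's traffic while it signs in and read off the hosts it talks to, and Tim/Mike's suggestion to then put a plain ACL on the router. The script below is an added example, not code from any poster on the list: it reads a constructed one-line-per-connection summary (the kind you would export from an Ethereal/tcpdump capture; a real export needs its own parser), counts the remote endpoints per client, and emits candidate Cisco-IOS-style extended ACL lines. The addresses, ports and the ACL number 101 are all made-up sample values.

```python
"""Summarise the remote hosts a lab PC talks to while a chat or media
client signs in, then emit candidate router ACL lines.

Added example for the list thread, not any poster's code. The log
format is a constructed "time src -> dst:port proto" summary; adapt
parse_connections() to whatever your capture tool actually exports."""

from collections import Counter
import re

# Constructed sample capture summary. Every address here is a
# documentation/test range, not a real service.
SAMPLE_LOG = """\
10:01:02 10.1.1.50 -> 192.0.2.10:5190 tcp
10:01:03 10.1.1.50 -> 192.0.2.10:5190 tcp
10:01:05 10.1.1.50 -> 192.0.2.20:80 tcp
10:01:06 10.1.1.50 -> 192.0.2.20:80 tcp
10:01:07 10.1.1.50 -> 192.0.2.20:80 tcp
10:01:08 10.1.1.50 -> 198.51.100.7:443 tcp
10:01:09 10.1.1.50 -> 198.51.100.7:1863 tcp
10:01:12 10.1.1.50 -> 203.0.113.5:53 udp
this line is garbage and should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>tcp|udp)$"
)

# Ports that ordinary web and DNS use share with the apps; never put
# these in a deny line just because the capture happened to show them.
SHARED_PORTS = {53, 80, 443}


def parse_connections(text, client=None):
    """Return (dst, port, proto) tuples for every line that parses.
    Malformed lines are skipped; if `client` is given, only connections
    from that source IP are kept."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if client and m["src"] != client:
            continue
        out.append((m["dst"], int(m["port"]), m["proto"]))
    return out


def summarise(conns):
    """Count connections per destination host and per (host, port, proto)
    so the servers the client keeps returning to stand out from one-off
    lookups. Several hosts at the same port is the multi-host pattern
    Scott mentioned for AIM."""
    by_host = Counter(dst for dst, _, _ in conns)
    by_endpoint = Counter(conns)
    return by_host, by_endpoint


def candidate_acl(conns, min_hits=2, acl_number=101):
    """Build extended-ACL deny lines for each endpoint seen at least
    `min_hits` times (excluding shared web/DNS ports), followed by the
    permit-any needed so the ACL does not black-hole everything else."""
    _, by_endpoint = summarise(conns)
    lines = []
    for (dst, port, proto), hits in sorted(by_endpoint.items()):
        if hits < min_hits or port in SHARED_PORTS:
            continue
        lines.append(
            f"access-list {acl_number} deny {proto} any host {dst} eq {port}"
        )
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG, client="10.1.1.50")
    by_host, _ = summarise(conns)
    for host, n in by_host.most_common():
        print(f"{host:16} {n} connections")
    print("\n".join(candidate_acl(conns)))
```

Review the generated lines before applying them: a one-time hit (the 1863/tcp connection above is dropped at the default `min_hits=2`) may be the real sign-in server or may be noise, and a host that also serves the web traffic your users need should be handled by a proxy rule rather than a router deny.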
Current thread:
- RE: N00b Question Beauford, Jason (Jan 05)
- <Possible follow-ups>
- Re: N00b Question jayson . agagnier (Jan 05)
- RE: N00b Question Scott Ladd (Jan 05)
- Re: N00b Question josh (Jan 05)
- Re: N00b Question Mike (Jan 06)
- Re: N00b Question josh (Jan 05)
- RE: N00b Question Beauford, Jason (Jan 05)
- RE: N00b Question Corbett, Tim D. (James Tower) (Jan 06)
- RE: N00b Question David Gillett (Jan 07)