RE: N00b Question

["David Gillett" <gillettdavid () fhda edu>]

  Paradoxically, this makes them IDEAL in a college setting, where there
are services that you *can't* block (but have to ensure that they don't
crowd out everything else on the network).  If it doesn't work, you have
to fix it -- but if it just works *slowly*, people will find something else
to do that doesn't chew up bandwidth.

Dave Gillett


> -----Original Message-----
> From: Corbett, Tim D. (James Tower) [mailto:TDCorbett () jamestower com]
> Sent: Thursday, January 06, 2005 10:20 AM
> To: security basics
> Subject: RE: N00b Question
>
>
>  I agree...a packet shaper would be a gross mis-use for 
> simple blocking.
> Packet shapers CAN do blocking, but they are better suited 
> for bandwidth
> throttling, quality of service, and usage tracking (nor are they
> necessarily cheap).   We use one here to manage bandwidth for service
> agreements for various customers.  In this case though, I would do as
> Mike suggested and simply create an ACL on your router...
>
> -----Original Message-----
> From: Mike [mailto:securitybasics () infinity77 net] 
> Sent: Wednesday, January 05, 2005 11:02 PM
> To: security basics
> Subject: Re: N00b Question
>
> Since this application only works with standard 
> ports...wouldn't be just
>
> as easy to block those ports at the router?
>
>
> josh wrote:
> > There is a great product called  packet shaper by packetteer.  This
> device 
> > blocks traffic at the application level.  If a user tries to use
> gnutella, 
> > AIM, iTunes, etc... on a different ports or IP's other that the
> standard 
> > ports and IP's this device will detect it.  This device detects the 
> > signatures of these application's packets as they pass through this
> device.  
> > I work of a college and as you can imagen our students ate up our
> bandwidth 
> > with P2P apps, we purchased this device and saved a whole lot of
> bandwidth.
> > I hope this helps.
> >
> > On Wednesday 05 January 2005 15:00, Scott Ladd wrote:
> >
> > > The method you mention has man flaws, namely, multiple 
> hosts. AIM for
> > > instance, uses multiple IP address and ports for 
> connecting. You would
> > > have to block an IP Range for that matter. Setting up a firewall is
> your
> > > best bet in the end.
> > >
> > > -SL
> > >
> > > -----Original Message-----
> > > From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
> > > Sent: Monday, January 03, 2005 8:30 AM
> > > To: security-basics () lists securityfocus com
> > > Subject: RE: N00b Question
> > >
> > > No need to sit there and block ports.  Just block access to 
> the hosts
> > > these services connect to.
> > >
> > > For instance I-Tunes:  I-Tunes has built in Internet Radio which can
> > > suck up my bandwidth.  I use Websense to block HTTP and other ports.
> > > However, I-Tunes uses a HUGE range of ports.  Sure you can block all
> of
> > > those ports, but it's just much easier to block the site from which
> > > I-Tunes gathers it's XML list of Radio stations.  Now the 
> proggie just
> > > errors out.
> > >
> > > MSN and Yahoo Chat all connect to some remote host.  
> Install and fire
> up
> > > Ethereal on your PC, Install these programs and sign in.  Check your
> > > Ethereal Logs and you'll easily be able to identify which 
> hosts those
> > > programs are connecting to.
> > >
> > > My $.02.  Happy New Year All!
> > >
> > > JMB
> > >
> > > -----Original Message-----
> > > From: G.Crow [mailto:secure.computing () gmail com]
> > > Sent: Thursday, December 30, 2004 10:33 PM
> > > To: security-basics () lists securityfocus com
> > > Subject: RE: N00b Question
> > >
> > >
> > > For blocking certain sites your best bet is a proxy of some sort,
> > > presumably transparent.  Lots of people on this list will point you
> > > towards Squid if you're looking in the open-source realm.  
> You *could*
> > > block site IPs in your firewalls (PIX firewalls are almost 
> all, if not
> > > all, in the 500-scheme.  I haven't looked at the lineup recently.)
> That
> > > is, however, not a great solution for a variety of reasons.
> > >
> > > If you are blocking the web-based email, why do you need to 
> block the
> > > ability to upload attachments?
> > >
> > > For MSN/yahoo chat you can block the ports in your external 
> firewall.
> > > This will stop 95% of your users (possibly more if MSN/yahoo don't
> > > accept connections on any port like AIM does.)  You can also see if
> your
> > > infrastructure supports deep packet inspection - Cisco has a good
> > > variety of capabilities regarding that, but I can't for the 
> life of me
> > > remember the acronym, and my Cisco books are in the office.  I avoid
> it,
> > > myself, since it punts packets to the processor, but that doesn't
> matter
> > > as much with a slower external link.
> > >
> > > Quotas established for web surfing?  Do you mean accounting per
> computer
> > > (he's been on the web *this* much today) or do you actually mean
> cutting
> > > it off after a certain point per day?  Logging and log analysis is
> easy
> > > enough, but true quotas would require authentication of 
> some sort most
> > > likely, and are probably more trouble then they're worth.  If
> bandwidth
> > > is an issue I would just implement QoS and put port 80/443 
> traffic in
> a
> > > low CoS.
> > >
> > > Gabe
> > >
> > >
> > > > -----Original Message-----
> > > > From: Harshal Dedhia [mailto:harshal.dedhia () skybird-travel com]
> > > > Sent: December 30, 2004 11:42 AM
> > > > To: security-basics () securityfocus com
> > > > Subject: N00b Question
> > > >
> > > > Hi,
> > > > I am very new to the firewall and network security world. I have a
> > > > situation wherein  I need to block webbased email access and the
> > > > ability to upload attachments to web-based email. I also need to
> > > > ensure that MSN/yahoo chat is disabled and quotas are 
> established for
> > > > web surfing.
> > > >
> > > > Is there an Open Source solution to this problem. The network
> > > > comprises Cisco Routers and 500 series firewalls.
> > > >
> > > > Cheers!
> > > > Harshal