Firewall Wizards mailing list archives

RE: Killing Napster and beyond...


From: Jürgen Nieveler <Juergen.Nieveler () arxes de>
Date: Thu, 19 Oct 2000 09:07:01 +0200

-----Original Message-----
From: Chris Cappuccio [mailto:chris () empnet com]

So far, most of the blocking works by what we can already do easily...

1. Block packets to/from IP address ranges of known servers

2. Block packets to TCP/UDP ports which are known as servers for these services

Problems with

1.

- What else are you blocking ??

The users will let you know if they miss something. If you want security
(and why else do you have a firewall), then you block first and ask later.
I've blocked the IP addresses for login.icq.com on my firewall, and the only
effect so far was that people were unable to use ICQ.
 
2. 

- Any other service that uses the same port will not work

The users will let you know if they miss something. Of course, any port NOT
necessary would be blocked anyway, because blocking ports is the default
setting for good firewalls.

- IPs can change, if the client points to a DNS name then it can change as
often as it wants to

And I can set the DNS name of that server to 127.0.0.1 on my own DNS server,
which is the only one my users are going to use.

- Ports can change, especially if the service is designed to work around
port-based limitations

Which is why you block the IP and the DNS name.

Solution ? Subscription-based blocking service. This is a kludge, requires
frequent changes to your router/firewall, and is basically ugly.

Agreed

Solution ? NFR type filter which can recognize this kind of traffic and block
it off ? High overhead, requires frequent updates on router/firewall, and is
basically ugly.

Agreed

Maybe a couple of universities who see Napster-type services as a large
percentage of their traffic... For the most part, the only people I can
imagine who would be concerned about this are the same people who are
concerned about blocking porn on the web and that sort of stuff.

Add to this the companies who don't want to get into lawsuits about the "is
Napster legal" question.
Add to this companies who don't want private use of the Internet.

Besides, it's not only Napster. If Napster can work through your firewall,
why shouldn't a Trojan do the same thing?

IP was designed to work around these sorts of limitations, not with them.

Which is why we've got to stay ahead of the users in this race, I guess.

Mit freundlichen Grüßen / Yours sincerely

Juergen Nieveler
arxes Software Factory AG
UB eCommerce
Tel.: +49/241/16008-327
Fax:  +49/241/16008-354
Email: juergen.nieveler () arxes de
Web: www.arxes.de
PGP: 
2AAB A988 0B80 D53F FC53  3BED 8CC0 2092 922D 8378 (DH)
5ADF A15E 91E4 98DB  2391 0D29 8B08 A884 (RSA)
Disclaimer: Views are mine, not my employers'
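An added example, not part of the thread, of the resolver-side override Jürgen describes (pointing login.icq.com at 127.0.0.1 on the internal DNS server). It assumes BIND 9 syntax; the file path, the nameserver/hostmaster names and the serial are constructed placeholders.

```conf
// named.conf on the internal resolver (assumed BIND 9 syntax).
// Declaring the name as a local master zone makes the resolver answer
// authoritatively, so the real records are never fetched from the Internet.
// This only holds if the firewall also blocks outbound DNS (TCP/UDP 53)
// from clients to any resolver other than this one.
zone "login.icq.com" {
    type master;
    file "/etc/bind/sinkhole.zone";   // path is an assumption
};

; /etc/bind/sinkhole.zone: the overridden name, and every name under it
; (the wildcard), resolves to loopback.
$TTL 3600
@   IN SOA  ns.example.internal. hostmaster.example.internal. (
            2000101901  ; serial (constructed placeholder)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            3600 )      ; negative-caching TTL
    IN NS   ns.example.internal.
    IN A    127.0.0.1
*   IN A    127.0.0.1
```

A client that bypasses the internal resolver or connects by bare IP is not covered by this zone, which is why the post pairs it with IP-range blocking and a default-deny port policy.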

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

