Firewall Wizards mailing list archives

Re: Blocking Kazaa


From: "Boni Bruno" <boni () dsw net>
Date: Fri, 27 Jun 2003 09:59:10 -0700

Another alternative to proxies is transparent in-line IDS/IDP products.

I've installed a few Netscreen IDP products that effectively
deal with Kazaa, AIM, Yahoo IM, MS Messenger, Chat, etc.

I believe the latest filter code from Tipping Point also offers
protection to these services as well.
Both are commercial products.

Regards.

-boni


--__--__--

Message: 1
From: "Bruce Smith" <bruce_the_loon () worldonline co za>
To: "Dante Fressone" <FressoneD () officenet com>
Cc: <firewall-wizards () honor icsalabs com>
Subject: Re: [fw-wiz] Blocking Kazaa
Date: Thu, 26 Jun 2003 21:27:07 +0200

I would add my voice to Paul's, setting a proxy up would solve your problem.

We found that we successfully blocked new installations of Kazaa by blocking
TCP and UDP packets going to port 1214 and also, oddly enough, sourcing from
1214 on the inside of our network. That coupled with a blanket port 80 block
has prevented new Kazaa instances from connecting. We've been purging the
existing installations by using the PS Tools package to remotely search and
destroy the Kazaa folder.

Regards

Bruce


----- Original Message ----- From: "Paul Armstrong" <army () cyber com au>
To: "Dante Fressone" <FressoneD () officenet com>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Thursday, June 26, 2003 7:04 AM
Subject: Re: [fw-wiz] Blocking Kazaa



On Wed, Jun 25, 2003 at 03:20:54PM -0300, Dante Fressone wrote:

Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
seems like it's using port 80 now,,,,and I can't drop that port because web
wont work.....

Any ideas?

Use a HTTP proxy such as Squid and only allow traffic to port 80 from the
proxy.

This has other advantages such as faster response time for cached objects,
general filtering (e.g. if your policy says people aren't allowed to download
anything with a .vbs extension) and will save you money if you pay by the byte
(or if you pay for pipe size and the traffic reduction means you don't need
such a large pipe).

Paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
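
The two rules described in Message 1 (web traffic to port 80 only from the proxy; TCP and UDP to or from port 1214 dropped), applied to connection records to list the internal hosts that still need cleaning up. This is an added example, not code from any poster; the proxy address, internal network, record format and sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

PROXY = ipaddress.ip_address("10.0.0.10")     # assumption: the Squid host
INSIDE = ipaddress.ip_network("10.0.0.0/24")  # assumption: internal network
P2P_PORT = 1214                               # port named in the thread

# Constructed records, one per connection attempt seen at the firewall:
# proto src_ip src_port dst_ip dst_port
SAMPLE = """\
tcp 10.0.0.21 1025 198.51.100.7 1214
udp 10.0.0.21 1214 198.51.100.9 3531
tcp 10.0.0.22 1030 203.0.113.5 80
tcp 10.0.0.10 40112 203.0.113.5 80
tcp 10.0.0.23 1044 10.0.0.10 3128
tcp 10.0.0.22 1031 203.0.113.8 80
not a record
"""

def parse(line):
    """Return (proto, src, sport, dst, dport), or None for a malformed line."""
    try:
        proto, src, sport, dst, dport = line.split()
        return (proto.lower(), ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport))
    except ValueError:
        return None

def verdict(proto, src, sport, dst, dport):
    """Apply the two rules from the thread to one inside-to-outside attempt."""
    if src not in INSIDE or dst in INSIDE or proto not in ("tcp", "udp"):
        return "skip", "not covered by these rules"
    if P2P_PORT in (sport, dport):        # to 1214 or sourced from 1214
        return "deny", "port 1214"
    if proto == "tcp" and dport == 80:    # web only via the proxy
        return ("permit", "proxy") if src == PROXY else ("deny", "direct port 80")
    return "skip", "not covered by these rules"

def offenders(log):
    """Map each internal host to a count of denied attempts per reason."""
    hits = defaultdict(Counter)
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        action, reason = verdict(*rec)
        if action == "deny":
            hits[str(rec[1])][reason] += 1
    return {host: dict(c) for host, c in hits.items()}
```
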



--__--__--

Message: 2
From: Ste Jones <root () networkpenetration com>
To: firewall-wizards () honor icsalabs com
Date: Thu, 26 Jun 2003 23:36:35 +0100
Reply-To: root () networkpenetration com
Organization: Network Penetration
Subject: [fw-wiz] Distributed port scanning using OpenBSD's packet filter

By using OpenBSD's packet filter pf one can utilize the NAT address pools added into OpenBSD 3.3 to aid in distributed port scanning.

http://www.networkpenetration.com/pfdistnatscan.html

--
ste jones
root () networkpenetration com




--__--__--

Message: 3
From: "Danny Salinas" <salinasd () harlingen isd tenet edu>
To: <firewall-wizards () honor icsalabs com>
Subject: RE: [fw-wiz] Blocking Kazaa
Date: Thu, 26 Jun 2003 08:25:52 -0500

You might try blocking the destination ip address.  I think the kazaa
application tries to contact the "mother ship" every time it fires up.

Hope this helps..
Danny Salinas

Network Specialist
Harlingen C.I.S.D.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Dante
Fressone
Sent: Wednesday, June 25, 2003 1:21 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Blocking Kazaa


Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
seems like it's using port 80 now,,,,and I can't drop that port because web
wont work.....


Any ideas?


Thanks!


Dante Fressone
Networking
e-mail: fressoned () officenet com
Tel: 54-(11)-4126-2728



--__--__--

Message: 4
Subject: RE: [fw-wiz] Blocking Kazaa
Date: Thu, 26 Jun 2003 08:43:31 -0500
From: "James Baumgardner" <jbaumgardner () primarycarenet org>
To: <firewall-wizards () honor icsalabs com>

I can't seem to find anything that isn't commercial (expensive) to help
me out with this, so I just have to monitor, slap hand, monitor ...
Rinse ... Repeat.

I would love to hear if someone has a way to block it with a PIX.

-----Original Message-----
From: Dante Fressone [mailto:FressoneD () officenet com]
Sent: Wednesday, June 25, 2003 1:21 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Blocking Kazaa


Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
seems like it's using port 80 now,,,,and I can't drop that port because
web wont work.....


Any ideas?


Thanks!


Dante Fressone
Networking
e-mail: fressoned () officenet com
Tel: 54-(11)-4126-2728


--__--__--

Message: 5
Date: Thu, 26 Jun 2003 16:08:59 -0400
From: "Pettus, Duane R." <dpettus () GryphonLC com>
To: <firewall-wizards () nfr net>
Subject: [fw-wiz] I am having a problem with check point and I need a little help

Yeah, I was having a problem with this checkpoint crap.
My firewall server when connected to the checkpoint services on any internal NIC Card will not open a web page.

Let me give you the run down:

1 2000 server (Running Check point) (10.0.0.100-internal network ; 127.0.0.1-external network ;  10.20.0.1 - DMZ )
1 workstation (10.0.0.1 internal)
1 workstation (10.20.0.2 web server)
1 2003 server (10.0.0.3)
1 workstation simulating the internet (172.0.0.2 & connection to the internet & DNS for the test environment)

This is not a problem when I just have the Checkpoint service running on the external card ONLY.

When I turn the service off of the internal cards (10.0.0.100 and 10.20.0.1), I can tracert, ping open a website and it opens correctly.

When I turn the service on the internal cards (10.0.0.100 and 10.20.0.1), I can tracert, ping but I cannot open a web page.

I am allowing everything on the firewall.  It can resolve the web-site (I see that at the bottom), it has the ability of resolving the host name because I can resolve the name in the ping, but it will not open the web page.  If I put in the ip address of the website it will not open that either

I have a rule that states to all everything from the internal network
I have a stealth rule and a cleanup rule that is it.




Duane R. Pettus
Gryphon Technologies
Sr. Network Administrator
dpettus () gryphonlc com
240-387-1000 x409 work
301-675-0439 cell
www.gryphonlc.com


--__--__--

Message: 6
Date: Fri, 27 Jun 2003 08:57:07 -0400 (EDT)
From: Paul Robertson <proberts () patriot net>
To: Dante Fressone <FressoneD () officenet com>
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Blocking Kazaa

On Wed, 25 Jun 2003, Dante Fressone wrote:


Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
seems like it's using port 80 now,,,,and I can't drop that port because web
wont work.....


http://honor.trusecure.com/pipermail/firewall-wizards/2002-December/013694.html

Also, snort's been mentioned in conjunction with killing the connections, so you might want to search on that too.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation


--__--__--

Message: 7
Subject: Re: [fw-wiz] Application Intelligent vs ALG
To: Frederick M Avolio <fred () avolio com>
Cc: firewall-wizards () honor icsalabs com
From: SimonChan () lifeisgreat com sg
Date: Wed, 25 Jun 2003 19:41:41 +0800


Hi all,

I would like to thank all for sharing their valuable views on this matter.

For the benefit of the rest of the folks, the answer is in volume 4 of
Information Security Management Handbook Chapter 9 - an examination of
Firewall Architectures.

;-)



Rgds,

Simon Chan,   MCP/MCSA/CCNA/CCSA/WCSP
Senior Security Engineer
Great Eastern Life Assurance Co. Ltd.

------------------------------------------------------------------------------------

"My statements in this message are personal opinions
which may have no basis whatsoever in fact."



From: Frederick M Avolio <fred () avolio com>
Sent by: firewall-wizards-admin () honor icsalabs com
To: SimonChan () lifeisgreat com sg, firewall-wizards () honor icsalabs com
cc:
Subject: Re: [fw-wiz] Application Intelligent vs ALG
Date: 06/23/2003 09:18 PM



A fancy proxy.

Three different people from Check Point wrote me in response to a recent
column of mine, basically asking me if I had heard of this new feature.

I replied with a brief history. In short: Firewall-1 comes on the scene,
most FW1 users implement it with modules from the TIS FWTK (for adding user
authentication to FTP and TELNET), Check Point's marketing says proxies are
old technology, stateful inspection is the next generation of firewall
technology (before the term became a product name), people persisted in
using proxies, CP added "security servers" (proxies by another name), and
now this.

I asked them, how is this different from application gateways (security
proxies). I applaud the addition of them (like there are other hybrid
firewalls). But none of the three folks from CP replied to me.

I have no agenda, except the truth. (Boy, is this guy noble, or what? :-))
I'd like to know the answer to this: How this is different than application
gateways (if it is), and why is it better than Sidewinder, Firebox, Raptor,
et al.


Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
PGP Key Fingerprint:    928D 0903 934F 8CFA 6124
                         BBF6 0B45 93C7 3521 CEA0






--__--__--

Message: 8
Date: Wed, 25 Jun 2003 22:31:44 -0700 (PDT)
From: James Cutter <JamesCutter () thedoghousemail com>
To: firewall-wizards () honor icsalabs com
Cc: fressoned () officenet com
Subject: RE: [fw-wiz] Blocking Kazaa
Reply-To: JamesCutter () thedoghousemail com

PIX can't do this. Other Cisco gear can't as well. There is a Peer to Peer firewall from Akonix (http://www.akonix.com/ ) that you can use. Another option that you might want to try is checkpoint NG (starting at FP3) that can block Peer-to-Peer (including kazaa) applications traversing the firewall on port 80.

Original message:

Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
seems like it's using port 80 now,,,,and I can't drop that port because
web wont work.....


Any ideas?


Thanks!


Dante Fressone
Networking
e-mail: fressoned () officenet com
Tel: 54-(11)-4126-2728


--__--__--

Message: 9
Subject: RE: [fw-wiz] Blocking Kazaa
Date: Fri, 27 Jun 2003 09:24:47 -0400
From: "Whiteside, Larry [contractor]" <BAE14 () SPHQ SSP NAVY MIL>
To: <firewall-wizards () honor icsalabs com>

Due to the way Kazaa functions it is going to be hard to block it via
the traditional blocking methods (ports, protocols). The best way to
defend against this type of issue is POLICY. I would go straight to the
Executives and explain the problem (legality, viruses, trojans, etc.).
This is to help facilitate them approving a policy quickly. Once it has
been approved get it on the street and begin to punish those people that
are breaking the policy. Once a few folks realize this could get them in
trouble, it will cut it out. With the economy the way it is the one
leverage you have is no one wants to lose their job.

L
***************************
Larry Whiteside Jr.
Sr. Security Engineer/Security Program Manager



-----Original Message-----
From: James Baumgardner [mailto:jbaumgardner () primarycarenet org]
Sent: Thursday, June 26, 2003 9:44 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Blocking Kazaa


I can't seem to find anything that isn't commercial (expensive) to help
me out with this, so I just have to monitor, slap hand, monitor ...
Rinse ... Repeat.

I would love to hear if someone has a way to block it with a PIX.

-----Original Message-----
From: Dante Fressone [mailto:FressoneD () officenet com]
Sent: Wednesday, June 25, 2003 1:21 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Blocking Kazaa


Hi, I want to block kazaa from my pix fw blocking port 1214 TCP, but it
seems like it's using port 80 now,,,,and I can't drop that port because
web wont work.....


Any ideas?


Thanks!


Dante Fressone
Networking
e-mail: fressoned () officenet com
Tel: 54-(11)-4126-2728



--__--__--



End of firewall-wizards Digest


--
Boni Bruno, CISSP, IAM
Chief Technology & Security Officer
P:818.226.1773 F:818.883.4604
6110 Variel Avenue, Woodland Hills, CA
www.dsw.net
_____________________________________________________
Data Systems Worldwide




