Security Basics mailing list archives

RE: N00b Question


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Wed, 5 Jan 2005 17:24:55 -0500

Indeed, multi-hosts are an issue.

But just as easy as it is for a developer to add more hosts, it is just as
easy to change/add ports.

I am simply documenting a method that worked for me when trying to block
an application which uses a large amount of ports, but references a
single host to populate its data:  ITUNES.

Also, there are port bouncers available to bypass firewall rules.  

A multi-layered approach is obviously the best.

JMB
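The capture-and-tally method discussed in this thread (run a sniffer while the client signs in, then look at which remote hosts it talks to), as an added example that is not part of any of the original posts. It parses a constructed tcpdump-style capture, groups outbound TCP SYNs by destination host, and then decides per host whether one host rule or several port rules would be needed. The capture text, the IP addresses (RFC 5737 documentation ranges), the workstation address 10.0.0.5 and the iptables rule format are all assumptions chosen for the illustration; the thread itself mentions Ethereal and PIX firewalls, not tcpdump or iptables.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output captured on a workstation (10.0.0.5)
# while a streaming client and two chat clients signed in. Not a real capture.
SAMPLE_CAPTURE = """\
17:24:55.000101 IP 10.0.0.5.49152 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
17:24:55.000202 IP 10.0.0.5.49153 > 198.51.100.7.80: Flags [S], seq 2, win 65535, length 0
17:24:55.000303 IP 10.0.0.5.49154 > 198.51.100.7.8000: Flags [S], seq 3, win 65535, length 0
17:24:55.000404 IP 10.0.0.5.49155 > 198.51.100.7.8001: Flags [S], seq 4, win 65535, length 0
17:24:55.000505 IP 10.0.0.5.49156 > 198.51.100.7.8010: Flags [S], seq 5, win 65535, length 0
17:24:55.000606 IP 10.0.0.5.49157 > 203.0.113.9.1863: Flags [S], seq 6, win 65535, length 0
17:24:55.000707 IP 10.0.0.5.49158 > 192.0.2.21.5050: Flags [S], seq 7, win 65535, length 0
17:24:55.000808 IP 10.0.0.5.49159 > 192.0.2.22.80: Flags [S], seq 8, win 65535, length 0
17:24:55.000909 IP 198.51.100.7.80 > 10.0.0.5.49152: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only a bare SYN ("Flags [S]") opens a new outbound connection; "[S.]" is the
# SYN/ACK coming back and must not be counted as a flow.
SYN_LINE = re.compile(rf"IP {IPV4}\.(\d+) > {IPV4}\.(\d+): Flags \[S\]")


def parse_syns(capture_text, local_ip):
    """Return (dst_ip, dst_port) for every outbound SYN sent by local_ip."""
    flows = []
    for line in capture_text.splitlines():
        m = SYN_LINE.search(line)
        if m and m.group(1) == local_ip:
            flows.append((m.group(3), int(m.group(4))))
    return flows


def summarize(flows):
    """Group flows by destination host: connection count and distinct ports."""
    by_host = defaultdict(lambda: {"flows": 0, "ports": set()})
    for dst_ip, dst_port in flows:
        by_host[dst_ip]["flows"] += 1
        by_host[dst_ip]["ports"].add(dst_port)
    return {h: {"flows": v["flows"], "ports": sorted(v["ports"])}
            for h, v in by_host.items()}


def rank_hosts(summary):
    """Hosts ordered by how busy they were: (host, flows, distinct ports)."""
    return sorted(((h, v["flows"], len(v["ports"])) for h, v in summary.items()),
                  key=lambda t: (-t[1], t[0]))


def iptables_rules(summary, chain="OUTPUT", min_ports=2):
    """Emit one host rule when a host is hit on min_ports or more distinct ports
    (the iTunes case: many ports, one host), otherwise one rule per port.
    Assumed iptables syntax; adapt to whatever firewall is actually in use."""
    rules = []
    for host, _flows, nports in rank_hosts(summary):
        ports = summary[host]["ports"]
        if nports >= min_ports:
            rules.append(f"iptables -A {chain} -d {host} -j REJECT")
        else:
            for port in ports:
                rules.append(f"iptables -A {chain} -d {host} -p tcp --dport {port} -j REJECT")
    return rules


if __name__ == "__main__":
    summary = summarize(parse_syns(SAMPLE_CAPTURE, "10.0.0.5"))
    for host, flows, nports in rank_hosts(summary):
        print(f"{host:15} flows={flows} ports={summary[host]['ports']}")
    print("\n".join(iptables_rules(summary)))
```

Two caveats worth keeping in mind when using the output. First, the tally only covers hosts seen during the capture; a client that fails over to another server or another port (the point Scott makes below) will not be in the list, so the rules need re-checking after client updates. Second, a service behind a DNS name can resolve to several addresses, so a single captured IP is often not the whole target; blocking the name at a proxy or resolver and the addresses at the firewall, layered, is more robust than either alone.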

-----Original Message-----
From: Scott Ladd [mailto:ladd.33 () shc ohio-state edu] 
Sent: Wednesday, January 05, 2005 4:01 PM
To: security-basics () lists securityfocus com
Subject: RE: N00b Question


The method you mention has many flaws, namely, multiple hosts. AIM for
instance, uses multiple IP addresses and ports for connecting. You would
have to block an IP range for that matter. Setting up a firewall is your
best bet in the end. 

-SL

-----Original Message-----
From: Beauford, Jason [mailto:jbeauford () EightInOnePet com] 
Sent: Monday, January 03, 2005 8:30 AM
To: security-basics () lists securityfocus com
Subject: RE: N00b Question

No need to sit there and block ports.  Just block access to the hosts
these services connect to.

For instance I-Tunes:  I-Tunes has built in Internet Radio which can
suck up my bandwidth.  I use Websense to block HTTP and other ports.
However, I-Tunes uses a HUGE range of ports.  Sure you can block all of
those ports, but it's just much easier to block the site from which
I-Tunes gathers its XML list of Radio stations.  Now the proggie just
errors out.

MSN and Yahoo Chat all connect to some remote host.  Install and fire up
Ethereal on your PC, install these programs and sign in.  Check your
Ethereal logs and you'll easily be able to identify which hosts those
programs are connecting to.

My $.02.  Happy New Year All!

JMB

-----Original Message-----
From: G.Crow [mailto:secure.computing () gmail com] 
Sent: Thursday, December 30, 2004 10:33 PM
To: security-basics () lists securityfocus com
Subject: RE: N00b Question


For blocking certain sites your best bet is a proxy of some sort,
presumably transparent.  Lots of people on this list will point you
towards Squid if you're looking in the open-source realm.  You *could*
block site IPs in your firewalls (PIX firewalls are almost all, if not
all, in the 500-scheme.  I haven't looked at the lineup recently.)  That
is, however, not a great solution for a variety of reasons.

If you are blocking the web-based email, why do you need to block the
ability to upload attachments?

For MSN/yahoo chat you can block the ports in your external firewall.
This will stop 95% of your users (possibly more if MSN/yahoo don't
accept connections on any port like AIM does.)  You can also see if your
infrastructure supports deep packet inspection - Cisco has a good
variety of capabilities regarding that, but I can't for the life of me
remember the acronym, and my Cisco books are in the office.  I avoid it,
myself, since it punts packets to the processor, but that doesn't matter
as much with a slower external link.

Quotas established for web surfing?  Do you mean accounting per computer
(he's been on the web *this* much today) or do you actually mean cutting
it off after a certain point per day?  Logging and log analysis is easy
enough, but true quotas would require authentication of some sort most
likely, and are probably more trouble than they're worth.  If bandwidth
is an issue I would just implement QoS and put port 80/443 traffic in a
low CoS.

Gabe

-----Original Message-----
From: Harshal Dedhia [mailto:harshal.dedhia () skybird-travel com]
Sent: December 30, 2004 11:42 AM
To: security-basics () securityfocus com
Subject: N00b Question

Hi,
I am very new to the firewall and network security world. I have a
situation wherein I need to block web-based email access and the
ability to upload attachments to web-based email. I also need to
ensure that MSN/yahoo chat is disabled and quotas are established for
web surfing.

Is there an Open Source solution to this problem. The network
comprises Cisco Routers and 500 series firewalls.

Cheers!
Harshal



