Firewall Wizards mailing list archives

Re: Killing Napster and beyond...


From: "Bruce M. Walker" <bmw () borderware com>
Date: Wed, 18 Oct 2000 18:20:46 -0400 (EDT)

Chris Cappuccio wrote:

I am opposed to this sort of blocking as a policy for several reasons, 

So am I, but there are times...


 | I was curious how others are handling these.  Has anyone been successful 
 | in blocking these programs?  Is anyone else concerned about them?

Maybe a couple of universities who see Napster-type services as a large
percentage of their traffic... For the most part, the only people I can
imagine who would be concerned about this are the same people who are
concerned about blocking porn on the web and that sort of stuff.
 
T'ain't necessarily so.  I was, for a couple of years, in charge
of the data needs of a small multi-national co.  In particular I
had to get telnet sessions into an HP server for access to the
central MIS system (A/R, G/L, sales, manu, etc.).  Telnet is *not*
b/w intensive.  My solution for that was to create a star of VPN
tunnels by buying connections from UUNET and setting-up small "brick
wall" f/w's in Paris, Atlanta, Pittsburg, etc and tunneling IPsec
to Toronto where the HP is.  F/w rules allowed most any other protocol
out (stateful pkt filter) for staff to web browse, et al.

All went well until I started to get reports of "really slow access"
and timeouts from Paris.  Oh gawd, "slow access"; what can that
mean?  Long story made short: napster running on hosts in Paris
was consuming *all* the bandwidth during the day.

I changed the rules to *only* allow web (assume port 80), SMTP, SSH
and telnet traffic.  Problem solved, accounting goes back to work,
suits are happy.

Should have solved the problem as a people problem, you say?  You
sir, have never dealt with the French. ;-)


IP was designed to work around these sorts of limitations, not with them.

That is abundantly clear!

-bmw
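
The rule change described in the message above, as an added example that is not part of the original post: it totals bytes per destination port over constructed flow records for one branch link, first under the allow-any outbound policy and then under the four-service allowlist. The host addresses, ports 6699 and 8875, and all byte counts are assumptions made for illustration.

```python
from collections import Counter

# Constructed flow records: (src_host, proto, dst_port, bytes).
# Addresses, ports 6699/8875 and byte counts are illustrative, not from the post.
FLOWS = [
    ("10.1.0.11", "tcp", 23, 40_000),
    ("10.1.0.12", "tcp", 23, 55_000),
    ("10.1.0.12", "tcp", 80, 900_000),
    ("10.1.0.13", "tcp", 25, 120_000),
    ("10.1.0.14", "tcp", 22, 30_000),
    ("10.1.0.21", "tcp", 6699, 48_000_000),
    ("10.1.0.22", "tcp", 6699, 51_000_000),
    ("10.1.0.22", "tcp", 8875, 60_000),
    ("10.1.0.21", "tcp", 80, 7_000_000),  # bulk transfer on an allowed port
]

ALLOW_ANY = None  # original policy: any outbound protocol permitted
# Tightened policy: web (assumed port 80), SMTP, SSH, telnet only.
ALLOWLIST = {("tcp", 80), ("tcp", 25), ("tcp", 22), ("tcp", 23)}


def permitted(policy, proto, port):
    """True if the outbound flow passes the policy (None means allow any)."""
    return policy is None or (proto, port) in policy


def bytes_by_port(flows, policy):
    """Total bytes per (proto, port) for flows the policy lets through."""
    totals = Counter()
    for _src, proto, port, nbytes in flows:
        if permitted(policy, proto, port):
            totals[(proto, port)] += nbytes
    return totals


def share(flows, policy, proto, port):
    """Fraction of permitted bytes that belong to one (proto, port)."""
    totals = bytes_by_port(flows, policy)
    total = sum(totals.values())
    return totals[(proto, port)] / total if total else 0.0


def blocked_hosts(flows, policy):
    """Hosts with at least one flow the policy would drop."""
    return sorted({s for s, pr, po, _ in flows if not permitted(policy, pr, po)})


if __name__ == "__main__":
    for name, policy in (("allow-any", ALLOW_ANY), ("allowlist", ALLOWLIST)):
        print(name, bytes_by_port(FLOWS, policy).most_common(3))
    print("hosts affected by allowlist:", blocked_hosts(FLOWS, ALLOWLIST))
```

In this constructed data the allowlist removes the dominant port, but port 80 still carries most of what remains: a port allowlist constrains port numbers, not the applications using them.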
