Block Kazaa and MSN Messenger
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Block Kazaa and MSN Messenger Page: [1]
Block Kazaa and MSN Messenger - 16.Mar.2004 12:13:00 AM   
jamesmackinnon
Posts: 8
Joined: 16.Mar.2004
From: Sydney
I am new to ISA, and when I go with it on my network I can't until 2004 comes out, because I have more internal networks than what, according to what I have read, ISA 2000 supports. Anyhow, my other reason to go with ISA 2004 is to block Kazaa and MSN Messenger.

Ideally, I want to do this on the firewall without clients on the PCs, because we don't run a client-secure setup and our users have admin access on their systems, so restricting access to an exe based on its name can be defeated by renaming and launching it.

Anyhow, both of these go out over port 80 if their default port is not available.

I plan to only permit 80 and 443 to the internet from client systems, but I need to kill these 2 apps.

Suggestions?
Post #: 1
RE: Block Kazaa and MSN Messenger - 16.Mar.2004 2:24:00 AM   
Lambera
Posts: 40
Joined: 5.Mar.2004
From: Washington
Block MSN by creating an access policy using the predefined MSN rule and setting it to deny. You can sniff the traffic with NetMon or Ethereal, find the headers generated by those programs, and deny based on the headers.

(in reply to jamesmackinnon)
Post #: 2
RE: Block Kazaa and MSN Messenger - 16.Mar.2004 10:59:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hey guys,

Kazaa is a particularly pernicious application. I spent several hours with NetMon last week trying to figure out how to block it, and it's not easy. It will be simpler with the access policy to allow only TCP 80 and TCP 443 outbound.

Tom

(in reply to jamesmackinnon)
Post #: 3
RE: Block Kazaa and MSN Messenger - 17.Mar.2004 3:30:00 PM   
jamesmackinnon
Posts: 8
Joined: 16.Mar.2004
From: Sydney
OK, I will work on testing both in my lab today to see how it goes. Hopefully I can knock this down and open the way for me to go to ISA.

Thanks for the replies

(in reply to jamesmackinnon)
Post #: 4
RE: Block Kazaa and MSN Messenger - 18.Mar.2004 7:06:00 PM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Hey Bones;

You can use ISA 2000 in a network with multiple segments.

You have to define the NAT using all the segments in your local network and then create static routes for all those segments. On the internal network card you do not want a default gateway; leave it blank.

After this, all you will need is routers to route all LAN segments to the ISA. (I think you already have them.)

Regarding Messenger, all the Microsoft Messengers use port 1863. Version 4.7 is very suitable for control using ISA 2000 or 2004, but .NET Messenger and MSN Messenger 6.1 are a pain in the ...... because they still use 1863 to request connectivity to the public servers (Internet), but then all the traffic comes back using port 80... :-(

Hope this helps

(in reply to jamesmackinnon)
Post #: 5
RE: Block Kazaa and MSN Messenger - 19.Mar.2004 2:12:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Raul,

Yes, but you can use the HTTP security filter in ISA 2004 to block them!

HTH,
Tom

(in reply to jamesmackinnon)
Post #: 6
RE: Block Kazaa and MSN Messenger - 19.Mar.2004 4:54:00 AM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Yep, that is right, but I am working on this part, because when I used the HTTP filter, even with the web proxy (I personally do not like the SecureNAT client that much), the content filter for HTTP stopped all HTTP that is not related to MSN Messenger or .NET Messenger.

I recognize I haven't played that much with the filter, but I promise I will have this part solved by next week. (Too busy installing content logging for Messenger.)

Thanks

I will post as soon as I get it to work.

(in reply to jamesmackinnon)
Post #: 7
RE: Block Kazaa and MSN Messenger - 19.Mar.2004 5:07:00 PM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Raul,

I am also working on a project on how to use the HTTP Security Filter to block apps like Kazaa, MSN and Yahoo. I'll put it on this site when I'm done and we can compare notes!

Thanks!
Tom

(in reply to jamesmackinnon)
Post #: 8
RE: Block Kazaa and MSN Messenger - 21.Mar.2004 4:24:00 PM   
jamesmackinnon
Posts: 8
Joined: 16.Mar.2004
From: Sydney
Yeah, right now I have 3 internal segments on my Checkpoint FW in my datacentre and a total of 20 Checkpoint firewalls on my national network. I can't go with ISA 2000 because it only supports 2 internal segments (DMZ and internal).

I am flipping from Checkpoint to ISA because of the integration and the cost difference. Our Checkpoint licenses cost us a ton of money every year, and we need to cut costs like almost every other firm, and I believe ISA to be working its way into the same league as Checkpoint as long as everything is hardened properly and you put the proper processes in place to get it together. I will be running Snort in front of our ISA boxes as well.

Anyhow, I am not concerned about the basic setup of the segments and the firewall rules to lock down each segment; that is easy. My problem now comes with stupid software that tunnels over port 80. Personally, I think it's great on one side that they do this, because a lot of ISPs limit bandwidth over other ports, so port 80 usually gets 80%+ of the bandwidth the provider has (a cable ISP I know does this), but it makes it a pain to block this stuff.

Now I believe and wish that ISA had traffic shaping built in and that it had header rules already set up to be used to block the things people hate the most, as I believe MSFT and other FW providers need to see the benefit to their customers more. I can say that with ISA 2004 MSFT is on the right track, and congrats to them for this, but with that said, here is what annoys me now, and I still think it will:

1. P2P software (A.K.A. network killers)
2. Trojans (We use tons of virus software, but stuff happens)
3. IM software
4. CEO access [Smile] Joking

Thanks, guys, for your feedback on this.

(in reply to jamesmackinnon)
Post #: 9
RE: Block Kazaa and MSN Messenger - 21.Mar.2004 5:17:00 PM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Bones!

The CEO access is the worst!

I'm working on a header blocking study, and I know that MS is also working on this as well. There should be some good information out by the time the product releases on how to block the dreaded P2P and other scumware using header information.

I agree regarding the Checkpoint licenses. The costs are really getting out of hand! And ISA is so much more cost effective and provides just about everything Checkpoint does at a tiny fraction of the cost. Even if you add a third-party bandwidth control app, it is still a lot less expensive.

If you're interested in bandwidth control, write to me and I can get you in touch with someone who might make your life a lot better with ISA 2004.

My address is tshinder@isaserver.org.

Thanks!
Tom

(in reply to jamesmackinnon)
Post #: 10
RE: Block Kazaa and MSN Messenger - 31.Mar.2004 9:35:00 PM   
jamesmackinnon
Posts: 8
Joined: 16.Mar.2004
From: Sydney
I have blocked MSN by only permitting 80 and 443 outbound to clients, then setting up the X-MSN-Messenger header on the HTTP filter for that rule, and then I applied that rule to All Users except Network Admins. Network Admins will have the Firewall Client installed, but the rest will fall under the All Users rule. Seems to work; well, I messed up the client by disabling the MSN app in the FW Client, but I will fix that next.

I would love to get some info on traffic shaping / bandwidth control.

I will definitely take you up on that offer you made and email you shortly to get more details.

Thanks everyone. This product is going to be great.

Actually, if anyone knows: we run a corporate training company, and we would like to keep all of our classrooms segmented. We have some locations with 9 classrooms, and you can't get 9 PCI cards in a box for 9 NICs. Does anyone know of multi-port NICs where each port acts as a different virtual NIC and can run on its own segment?

This would be great. I would like to find cards with dual and quad ports. This is probably not a question for this site, but it's all part of networking, eh :)

Thanks again

(in reply to jamesmackinnon)
Post #: 11
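The header-signature approach this thread converges on (Lambera's suggestion to sniff the traffic and deny on the headers the client sends, Tom's pointer to the ISA 2004 HTTP Security Filter, and the X-MSN-Messenger request header jamesmackinnon matched on above), as an added example in Python that is not part of the thread and is not ISA code: a small HTTP request parser plus a signature list, run over constructed sample requests. The X-MSN-Messenger header is the one named in the thread; the User-Agent signature for a P2P client and the hostnames and paths in the samples are assumptions for illustration only. The `allow_only_matching` mode reproduces the failure mode Raul reports (the filter stopping all HTTP that is not Messenger traffic), which is what you get when the signature list is applied as an allow-list instead of a deny-list.

```python
"""Header-signature filtering of HTTP requests, in the spirit of the
ISA 2004 HTTP Security Filter. Added example; not ISA code."""
import re

# (label, header name, value regex or None). None = deny on presence alone.
# Header names are matched case-insensitively, as HTTP requires, so a client
# sending "x-msn-messenger" is caught the same as "X-MSN-Messenger".
SIGNATURES = [
    # From the thread: MSN Messenger's HTTP transport sends this request header.
    ("MSN Messenger", "X-MSN-Messenger", None),
    # ASSUMED signature: the thread gives no Kazaa header; replace the token
    # with whatever your own NetMon/Ethereal capture shows.
    ("P2P client (assumed signature)", "User-Agent", r"\bKazaaClient\b"),
]


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body.
    Rejects malformed input rather than guessing, so a client cannot slip
    past the filter with something the parser would silently ignore."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def match_signature(req, signatures=SIGNATURES):
    """Return the label of the first signature the request matches, else None."""
    for label, header, pattern in signatures:
        value = req["headers"].get(header.lower())
        if value is None:
            continue
        if pattern is None or re.search(pattern, value, re.IGNORECASE):
            return label
    return None


def evaluate(raw, signatures=SIGNATURES, mode="deny_matching"):
    """Decide ('allow'|'deny', reason) for one raw request.

    deny_matching: traffic that matches a signature is dropped, everything
        else passes; this is the deny-list behaviour the thread wants.
    allow_only_matching: the inverted rule, kept here only to show why it
        stops all HTTP that is not Messenger traffic."""
    try:
        req = parse_http_request(raw)
    except ValueError as exc:
        return ("deny", "unparseable request: %s" % exc)
    hit = match_signature(req, signatures)
    if mode == "deny_matching":
        return ("deny", hit) if hit else ("allow", "no signature matched")
    if mode == "allow_only_matching":
        return ("allow", hit) if hit else ("deny", "no signature matched")
    raise ValueError("unknown mode %r" % mode)


# Constructed sample requests (hostnames and paths are made up for the example).
BROWSER_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
)
MSN_REQUEST = (
    b"POST /gateway HTTP/1.1\r\n"
    b"Host: gateway.example.net\r\n"
    b"x-msn-messenger: SessionID=1; Action=open\r\n"  # lower-case on purpose
    b"Content-Length: 0\r\n\r\n"
)
P2P_REQUEST = (
    b"GET /search?q=song HTTP/1.1\r\n"
    b"Host: p2p.example.org\r\n"
    b"User-Agent: KazaaClient\r\n\r\n"
)
TRUNCATED_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"

if __name__ == "__main__":
    for name, raw in [("browser", BROWSER_REQUEST), ("msn", MSN_REQUEST),
                      ("p2p", P2P_REQUEST), ("truncated", TRUNCATED_REQUEST)]:
        print("%-9s deny-list  -> %s" % (name, evaluate(raw)))
    # The inverted rule: the plain browser request is now blocked too.
    print("browser   allow-list -> %s"
          % (evaluate(BROWSER_REQUEST, mode="allow_only_matching"),))
```

Two caveats that follow from the thread itself: the check only sees traffic it can parse as HTTP, so close TCP 1863 as well, since Raul notes that MSN 6.1 first tries its native port and only then falls back to port 80; and a client build that stops sending the header walks straight through, which is why Lambera's step of capturing the real traffic with NetMon or Ethereal and deriving the signature from it matters more than the particular header name.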
RE: Block Kazaa and MSN Messenger - 1.Apr.2004 8:58:00 AM   
tad_braun
Posts: 101
Joined: 31.Dec.2003
Hello,

When it used to be Compaq Computers, we would order our servers with quad-port cards. I think HP may have stopped the line, but it may be worth checking into...

(in reply to jamesmackinnon)
Post #: 12
RE: Block Kazaa and MSN Messenger - 2.Apr.2004 1:08:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
quote:
Originally posted by bonesSydney:
I have blocked MSN by only permitting 80 and 443 outbound to clients, then setting up the X-MSN-Messenger header on the HTTP filter for that rule, and then I applied that rule to All Users except Network Admins. Network Admins will have the Firewall Client installed, but the rest will fall under the All Users rule. Seems to work; well, I messed up the client by disabling the MSN app in the FW Client, but I will fix that next.

I would love to get some info on traffic shaping / bandwidth control.

I will definitely take you up on that offer you made and email you shortly to get more details.

Thanks everyone. This product is going to be great.

Actually, if anyone knows: we run a corporate training company, and we would like to keep all of our classrooms segmented. We have some locations with 9 classrooms, and you can't get 9 PCI cards in a box for 9 NICs. Does anyone know of multi-port NICs where each port acts as a different virtual NIC and can run on its own segment?

This would be great. I would like to find cards with dual and quad ports. This is probably not a question for this site, but it's all part of networking, eh :)

Thanks again

Hi Bones,

Great! There are a number of multihead NICs out there. Just do a quick Google and you'll find them.

HTH,
Tom

(in reply to jamesmackinnon)
Post #: 13
RE: Block Kazaa and MSN Messenger - 3.Apr.2004 3:03:00 AM   
dmorelos
Posts: 1
Joined: 3.Apr.2004
From: Los Angeles
1st of all ... great site ... very informative.

I'm somewhat familiar with blocking ports on the ISA 2000 server, but this is all very new to me. I would also like to prevent access to MSN and Kazaa on our network. I'm great at following directions. Is there a step-by-step guide on how to "set up the header of X-MSN-Messenger on the HTTP filter"?

quote: "Originally posted by bonesSydney:
I have blocked MSN by only permitting 80 and 443 outbound to clients, then setting up the X-MSN-Messenger header on the HTTP filter for that rule, and then I applied that rule to All Users except Network Admins. Network Admins will have the Firewall Client installed, but the rest will fall under the All Users rule. Seems to work; well, I messed up the client by disabling the MSN app in the FW Client, but I will fix that next.

I would love to get some info on traffic shaping / bandwidth control.

I will definitely take you up on that offer you made and email you shortly to get more details.

Thanks everyone. This product is going to be great.

Actually, if anyone knows: we run a corporate training company, and we would like to keep all of our classrooms segmented. We have some locations with 9 classrooms, and you can't get 9 PCI cards in a box for 9 NICs. Does anyone know of multi-port NICs where each port acts as a different virtual NIC and can run on its own segment?

This would be great. I would like to find cards with dual and quad ports. This is probably not a question for this site, but it's all part of networking, eh :)

Thanks again"

(in reply to jamesmackinnon)
Post #: 14
RE: Block Kazaa and MSN Messenger - 10.Apr.2004 9:00:00 PM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi D,

Thanks!

I've put your suggestion for a step-by-step on my list, and ISAserver.org will have this information for you!

Thanks!
Tom

(in reply to jamesmackinnon)
Post #: 15