Block Kazaa and MSN Messenger

Forum: ISA Server 2004 Firewall >> Access Policies





jamesmackinnon -> Block Kazaa and MSN Messenger (16.Mar.2004 12:13:00 AM)

I am new to ISA, and when I go with it on my network, I can't until 2004 comes out, because I have more internal networks than what, according to what I have read, ISA 2000 supports. Anyhow, my other desire to go with ISA 2004 is to block Kazaa and MSN Messenger.

Ideally, I want to do this on the firewall without clients on the PCs, because we don't run a client-secure setup and our users have admin access on their systems, so restricting access to an exe based on its name can be busted by renaming and launching it.

Anyhow, both of these go out over port 80 if the default port is not available.

I plan to only permit 80 and 443 to the internet from client systems, but I need to kill these 2 apps.

Suggestions??




Lambera -> RE: Block Kazaa and MSN Messenger (16.Mar.2004 2:24:00 AM)

Block MSN by creating an access policy using the predefined MSN rule and setting it to deny. You can sniff the traffic with NetMon or Ethereal, find the headers generated by those programs, and deny based on the headers.




tshinder -> RE: Block Kazaa and MSN Messenger (16.Mar.2004 10:59:00 AM)

Hey guys,

Kazaa is a particularly pernicious application. I spent several hours with NetMon last week trying to figure out how to block it, and it's not easy. It will be simpler with an access policy that allows only TCP 80 and TCP 443 outbound.

Tom




jamesmackinnon -> RE: Block Kazaa and MSN Messenger (17.Mar.2004 3:30:00 PM)

OK, I will work on testing both in my lab today to see how it goes. Hopefully I can knock this down and open the way for me to go to ISA.

Thanks for the replies




Raul E Jimenez -> RE: Block Kazaa and MSN Messenger (18.Mar.2004 7:06:00 PM)

Hey bones;

You can use ISA 2000 in a network with multiple segments.

You have to define the NAT using all the segments in your local network and then create static routes for all those segments. On the internal network card you do not want a default gateway; leave it blank.

After this, all you will need is routers to route all LAN segments to the ISA (I think you already have that).

In order to talk, all the Microsoft Messenger versions use port 1863. Version 4.7 is very suitable for control using ISA 2000 or 2004, but .NET Messenger and MSN Messenger 6.1 are a pain in the ...... because they still use 1863 to request connectivity to the public servers (Internet), but then all the traffic comes back using port 80... :-(

Hope this helps




tshinder -> RE: Block Kazaa and MSN Messenger (19.Mar.2004 2:12:00 AM)

Hi Raul,

Yes, but you can use the HTTP security filter in ISA 2004 to block them!

HTH,
Tom




Raul E Jimenez -> RE: Block Kazaa and MSN Messenger (19.Mar.2004 4:54:00 AM)

Yep, that is right, but I am working on this part, because when I used the HTTP filter, even with the web proxy (I personally do not like the SecureNAT client that much), the content filter for HTTP stopped all HTTP that is not related to MSN Messenger or .NET Messenger.

I recognize I haven't played that much with the filter, but I promise I will have this part solved by next week. (Too busy installing content logging for Messenger.)

Thanks

I will post as soon as I get it to work.




tshinder -> RE: Block Kazaa and MSN Messenger (19.Mar.2004 5:07:00 PM)

Hi Raul,

I am also working on a project on how to use the HTTP Security Filter to block apps like Kazaa, MSN and Yahoo. I'll put it on this site when I'm done, and we can compare notes!

Thanks!
Tom




jamesmackinnon -> RE: Block Kazaa and MSN Messenger (21.Mar.2004 4:24:00 PM)

Yeah, right now I have 3 internal segments on my Checkpoint FW in my datacentre and a total of 20 Checkpoint firewalls on my national network. I can't go with ISA 2000 because it only supports 2 internal segments (DMZ and internal).

I am flipping from Checkpoint to ISA because of the integration and the cost difference. Our Checkpoint licenses cost us a ton of money every year, and we need to cut costs like almost every other firm. I believe ISA is working its way into the same league as Checkpoint, as long as everything is hardened properly and you put the proper processes in place to get it together. I will be running Snort in front of our ISA boxes as well.

Anyhow, I am not concerned about the basic setup of the segments and the firewall rules to lock down each segment; that is easy. My problem now comes with stupid software that tunnels over port 80. Personally, I think it's great on one side that they do this, because a lot of ISPs limit bandwidth on other ports, so port 80 usually gets 80%+ of the bandwidth the provider has (a cable ISP I know does this), but it makes it a pain to block this stuff.

Now I believe, and wish, that ISA had traffic shaping built in, and that it had header rules already set up to block the things people hate the most, as I believe MSFT and other FW providers need to see the benefit to their customers more. I can say that with ISA 2004, MSFT is on the right track, and congrats to them for this, but with this said, here is what annoys me now and I still think it will:

1. P2P software (a.k.a. network killers)
2. Trojans (we use tons of virus software, but stuff happens)
3. IM software
4. CEO access [Smile] Joking

Thanks guys for your feedback on this.




tshinder -> RE: Block Kazaa and MSN Messenger (21.Mar.2004 5:17:00 PM)

Hi Bones!

The CEO access is the worst!

I'm working on a header blocking study, and I know that MS is also working on this as well. There should be some good information out by the time the product releases on how to block the dreaded P2P and other scumware using header information.

I agree regarding the Checkpoint licenses. The costs are really getting out of hand! And ISA is so much more cost-effective and provides just about everything Checkpoint does at a tiny fraction of the cost. Even if you add a third-party bandwidth control app, it is still a lot less expensive.

If you're interested in bandwidth control, write to me and I can get you in touch with someone who might make your life a lot better with ISA 2004.

My address is tshinder@isaserver.org.

Thanks!
Tom




jamesmackinnon -> RE: Block Kazaa and MSN Messenger (31.Mar.2004 9:35:00 PM)

I have blocked MSN by only permitting 80 and 443 outbound to clients, then setting up the X-MSN-Messenger header on the HTTP filter for that rule, and then applying that rule to All Users except Network Admins. Network Admins will have the Firewall Client installed, but the rest will fall under the All Users rule. It seems to work; well, it messed up the client by disabling the MSN app in the FW Client, but I will fix that next.

I would love to get some info on traffic shaping / bandwidth control

I will definitely take you up on that offer you made and email you shortly to get more details.

Thanks everyone.. This product is going to be great.

Actually, if anyone knows: we run a corporate training company, and we would like to keep all of our classrooms segmented. We have some locations with 9 classrooms, and you can't get 9 PCI cards in a box for 9 NICs. Does anyone know of multi-port NICs where each port acts as a separate virtual NIC and can run on its own segment?

This would be great. I would like to find cards with dual and quad ports. This is probably not a question for this site, but it's all part of networking, eh :)

thanks again
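The two layers the thread settles on, a port rule (only TCP 80 and 443 outbound, which Raul notes stops Messenger's native TCP 1863) and an HTTP filter on the port-80 rule that denies the X-MSN-Messenger header with Network Admins exempt, can be modelled to see how they interact. The following is an added example, not code from the thread or from ISA Server: it runs constructed sample requests (placeholder host names, an invented session ID) through a toy version of that policy. The X-MSN-Messenger header comes from the thread; the KazaaClient user-agent signature is an assumption added for illustration, as is the group name "Domain Users".

```python
"""Added example, not code from the thread or from ISA Server.

Models the two-layer policy the posters describe, on constructed traffic:
  1. an outbound access rule that allows only TCP 80 and 443, and
  2. an HTTP filter on the port-80 rule that denies requests carrying the
     X-MSN-Messenger header, with the Network Admins group exempt.
A Messenger that tries TCP 1863 first and then falls back to HTTP on 80 is
caught by layer 1 and then layer 2; nothing inside TCP 443 (TLS) can be
matched on headers, because the filter never sees it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ALLOWED_PORTS = {80, 443}                 # the poster's outbound rule
BLOCKED_HEADERS = {"x-msn-messenger"}     # header named in the thread
BLOCKED_UA_SUBSTRINGS = ("kazaaclient",)  # ASSUMED extra signature, not from the thread
EXEMPT_GROUPS = {"Network Admins"}        # the poster's exception


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    dst_port: int
    payload: Optional[bytes] = None   # plaintext HTTP request, or None if not visible


def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Return header names (lowercased) -> values from a plaintext HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return headers


def evaluate(req: Request) -> Tuple[str, str]:
    """Apply layer 1 (port rule), then layer 2 (HTTP header filter)."""
    if req.dst_port not in ALLOWED_PORTS:
        return "deny", f"tcp/{req.dst_port} not in allowed outbound ports"
    if req.dst_port == 443 or req.payload is None:
        # Nothing to inspect: TLS, or no visible HTTP request.
        return "allow", "passed port rule; no header inspection possible"
    if req.groups & EXEMPT_GROUPS:
        return "allow", "HTTP filter not applied to exempt group"
    headers = parse_http_headers(req.payload)
    for name in headers:
        if name in BLOCKED_HEADERS:
            return "deny", f"blocked header {name}"
    ua = headers.get("user-agent", "").lower()
    for sig in BLOCKED_UA_SUBSTRINGS:
        if sig in ua:
            return "deny", f"blocked user-agent signature {sig}"
    return "allow", "passed HTTP filter"


# Constructed sample traffic (not captures). Host names and IDs are placeholders.
MSN_OVER_HTTP = (
    b"POST /gateway HTTP/1.1\r\n"
    b"Host: messenger-gateway.example\r\n"
    b"User-Agent: MSN Messenger\r\n"
    b"X-MSN-Messenger: SessionID=12345\r\n"
    b"\r\n"
)
PLAIN_BROWSING = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)
P2P_OVER_HTTP = (
    b"GET /search?q=x HTTP/1.1\r\n"
    b"Host: p2p-node.example\r\n"
    b"User-Agent: KazaaClient\r\n"
    b"\r\n"
)

STAFF = frozenset({"Domain Users"})                    # assumed group names
ADMIN = frozenset({"Domain Users", "Network Admins"})

SAMPLES: List[Request] = [
    Request("alice", STAFF, 1863),                 # Messenger's native port
    Request("alice", STAFF, 80, MSN_OVER_HTTP),    # its HTTP fallback
    Request("alice", STAFF, 80, PLAIN_BROWSING),
    Request("alice", STAFF, 80, P2P_OVER_HTTP),
    Request("alice", STAFF, 443),                  # TLS: headers invisible
    Request("bob", ADMIN, 80, MSN_OVER_HTTP),      # exempt group
]


def run_samples() -> List[str]:
    """Verdict for each sample, in order."""
    return [evaluate(r)[0] for r in SAMPLES]


if __name__ == "__main__":
    for r in SAMPLES:
        verdict, why = evaluate(r)
        print(f"{r.user:6} tcp/{r.dst_port:<4} {verdict:5} {why}")
```

Two caveats the model makes visible: the header filter only works where the proxy sees plaintext HTTP, so anything a client tunnels inside TCP 443 passes on the port rule alone; and header and user-agent signatures are under the client's control, so a new client version (or a user with admin rights patching the binary) can change them, which is the same weakness the original poster raised about blocking by exe name.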




tad_braun -> RE: Block Kazaa and MSN Messenger (1.Apr.2004 8:58:00 AM)

Hello,

When it was still Compaq Computers, we would order our servers with quad-port cards. I think HP may have stopped the line, but it may be worth checking into...




tshinder -> RE: Block Kazaa and MSN Messenger (2.Apr.2004 1:08:00 AM)

quote:
Originally posted by bonesSydney:
I have blocked MSN by only permitting 80 and 443 outbound to clients, then setting up the X-MSN-Messenger header on the HTTP filter for that rule, and then applying that rule to All Users except Network Admins. Network Admins will have the Firewall Client installed, but the rest will fall under the All Users rule. It seems to work; well, it messed up the client by disabling the MSN app in the FW Client, but I will fix that next.

I would love to get some info on traffic shaping / bandwidth control

I will definitely take you up on that offer you made and email you shortly to get more details.

Thanks everyone.. This product is going to be great.

Actually, if anyone knows: we run a corporate training company, and we would like to keep all of our classrooms segmented. We have some locations with 9 classrooms, and you can't get 9 PCI cards in a box for 9 NICs. Does anyone know of multi-port NICs where each port acts as a separate virtual NIC and can run on its own segment?

This would be great. I would like to find cards with dual and quad ports. This is probably not a question for this site, but it's all part of networking, eh :)

thanks again

Hi Bones,

Great! There are a number of multi-head NICs out there. Just do a quick Google and you'll find them.

HTH,
Tom




dmorelos -> RE: Block Kazaa and MSN Messenger (3.Apr.2004 3:03:00 AM)

1st of all ... great site ... very informative.

I'm somewhat familiar with blocking ports on the ISA 2000 server, but this is all very new to me. I would like to also prevent access to MSN and Kazaa on our network. I'm great at following directions. Is there a step-by-step guide on how to "set up the header of X-MSN-Messenger on the HTTP filter"?

quote:
Originally posted by bonesSydney:
I have blocked MSN by only permitting 80 and 443 outbound to clients, then setting up the X-MSN-Messenger header on the HTTP filter for that rule, and then applying that rule to All Users except Network Admins. Network Admins will have the Firewall Client installed, but the rest will fall under the All Users rule. It seems to work; well, it messed up the client by disabling the MSN app in the FW Client, but I will fix that next.

I would love to get some info on traffic shaping / bandwidth control

I will definitely take you up on that offer you made and email you shortly to get more details.

Thanks everyone.. This product is going to be great.

Actually, if anyone knows: we run a corporate training company, and we would like to keep all of our classrooms segmented. We have some locations with 9 classrooms, and you can't get 9 PCI cards in a box for 9 NICs. Does anyone know of multi-port NICs where each port acts as a separate virtual NIC and can run on its own segment?

This would be great. I would like to find cards with dual and quad ports. This is probably not a question for this site, but it's all part of networking, eh :)

thanks again




tshinder -> RE: Block Kazaa and MSN Messenger (10.Apr.2004 9:00:00 PM)

Hi D,

Thanks!

I've put your suggestion for step-by-steps on my list, and ISAserver.org will have this information for you!

Thanks!
Tom



