
Re: blocking kazaa

On Mon, 7 Apr 2003 trishl@platform.co.za wrote:

> How would you deal with blocking client side applications that masquerade
> as other types of traffic? Such as clients that connect to remote hosts on
> ports like 80, 22, 53, etc. that your site allows out as legitimate traffic.

For anything pretending to be port 80, a proxy, transparent or otherwise,
will be a big help.  Keep an eye on the proxy logs (via logcheck or some
other means) and swat anything that looks like Kazaa traffic.  Don't allow
anything out to port 80 unless it has been through the proxy, and don't
allow any port 80 inbound unless it's to your (properly secured) firewall.

In fact, it's generally a good idea to silently drop any incoming connections
at the firewall which don't go to known services.  That way, backdooring
your servers becomes a much more interesting proposition...

As for anything outgoing to well-known ports, consider whether your users
need that service, and whether you can proxy it somehow.  53, for instance,
can be supplied by an on-site caching DNS server (always a good idea
*anyway*) and all other attempts to get out to port 53 dropped.  As for 22
(SSH, for those reading who aren't familiar) you'll need to consider whether
your users should be SSHing to far-away places.

In general, though, a firewall will not be able to make decisions about the
contents of packets and whether they're "proper" traffic for the WKP or
whether they're masquerading.  You'd need a layer 7 firewall for that - not
a particularly entertaining prospect.  Proxies will generally salve your
ills in a lot of cases, though.

#include <disclaimer.h>
Matthew Palmer, Geek In Residence
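
The egress policy described in the reply above, written out as an added example that is not part of the original post: a shell function that prints an iptables-restore ruleset for a gateway firewall. The function names, interface names, the log prefix and the idea of passing the proxy, resolver and permitted SSH clients as arguments are all assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a gateway firewall.
# Interface names, addresses and function names are assumptions.

# Succeeds only for a dotted-quad IPv4 address (runs in a subshell so the
# IFS change does not leak into the caller).
is_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# usage: emit_egress_rules LAN_IF WAN_IF PROXY_IP DNS_IP [SSH_CLIENT_IP...]
emit_egress_rules() {
    [ $# -ge 4 ] || { echo "need LAN_IF WAN_IF PROXY_IP DNS_IP" >&2; return 2; }
    lan=$1 wan=$2 proxy=$3 dns=$4
    shift 4
    case $lan$wan in *[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 2 ;; esac
    for ip in "$proxy" "$dns" "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 2; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Unmatched packets hit the DROP policy: no RST, no ICMP error.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Port 80 leaves only from the proxy; port 53 only from the caching resolver.
-A FORWARD -i $lan -o $wan -s $proxy -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $lan -o $wan -s $dns -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -s $dns -p tcp --dport 53 -j ACCEPT
EOF
    for host in "$@"; do   # outbound SSH only for the listed clients
        echo "-A FORWARD -i $lan -o $wan -s $host -p tcp --dport 22 -j ACCEPT"
    done
    cat <<EOF
# Log (rate-limited) clients that try these ports directly, then fall to DROP.
-A FORWARD -i $lan -p tcp -m multiport --dports 22,53,80 -m limit --limit 6/min -j LOG --log-prefix "egress-bypass: "
-A FORWARD -i $lan -p udp --dport 53 -m limit --limit 6/min -j LOG --log-prefix "egress-bypass: "
COMMIT
EOF
}
```

Pipe the output through `iptables-restore --test` before loading it; the logged "egress-bypass" entries point at the clients that are trying to reach ports 80, 53 or 22 without going through the proxy or resolver.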
