Blocking file sharing services

Status
Not open for further replies.

Schroeder

MIS
Sep 25, 2001
382
US
Is there a way to block all of the different types of file sharing services that might be running on my network? I'd rather these services weren't running behind our firewall. I believe I can successfully stop them by finding the port that they use and blocking traffic to that port. Is there a way to do this without having to find each of their port numbers and block each one individually? Can I just block an entire protocol? If so, which one?
Am I overreacting?
 
Is it affecting your legit network traffic? This kind of stuff is also a legal issue. Companies have been fined for having MP3 libraries on their network. Some canned FW software automatically blocks these apps. Without one I don't think you can do anything but block the apps' port numbers without getting complicated, but this is also an HR issue. It should be your corporate policy to not permit these applications and set a penalty for violation.

-Jeff ----------------------------------------
Wassabi Pop Tarts! Write Kellogs today!
 
The legal issues hadn't even occurred to me until I started researching these services. I've since informed folks that we can't have those servers running on our network. I don't think we'll have any trouble with anyone running one behind our back but I'd still like to block them just to be on the safe side. How would I detect one of those servers running on the network? Packet sniffing? Scan the commonly-used ports from outside the network?

I blocked the ports and that worked but it also seems to have blocked secure socket connections. Folks can't log on to banking sites or Hotmail etc. Does this make sense or have I just misconfigured my router?
 
How do you have the router configured, and which services are you trying to block?

You mentioned that you are running a firewall; are you blocking the services on the firewall or on the router?

You should just be able to block the services on the firewall and it shouldn't affect Hotmail etc., assuming that you are blocking the port number of the services.

We block port numbers, and log them to a server to ensure that policies are followed.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
I would hope that your default firewall policy is DENY ALL, and that you are only enabling the services that you must have. Doing a default ACCEPT ALL and denying only what you know about is the equivalent of locking the front door, but leaving the windows and sliding glass door wide open.

You shouldn't need to do anything to your ruleset to block these services. Typical rulesets should allow HTTP out, HTTPS out, SMTP out (from your mail server's IP only), SMTP in (to your mail server only), HTTP in (to your web server only), FTP out and FTP Data out. Optionally, you might allow POP, POPS, SMTP (from anyone) and IMAP out, and HTTPS in (if you have an SSL server, again only to your web server).

Other than that, I would only add services for which there is a business need. I can't see any of the peer-to-peer network services falling into this category.

pansophic
 
It's a router/firewall "appliance". My first attempt has been to allow all protocols out and allow traffic through all ports except known file-sharing ports. As I said before, this worked to stop file sharing but also put the kibosh on SSL connections... or at least, that's my conclusion of what happened. Either way, folks were unable to access legitimate secure sites.
When I say I'm allowing these protocols and ports, the firewall still doesn't accept unsolicited outside connections on these ports, it's just allowing them to go out from the inside. We don't run any servers that need internet access behind the firewall and it remains closed to all incoming requests... at least as long as I can keep these file sharing services shut down.

So, blocking the ports works but, it appears that at least some of the file sharing services may allow the user to specify the port they want to use. What's to keep a user from just using a different port? I can't block all ports... can I?

(moments later...)
Well, I decided to find out and blocked all ports over 100 and, like before, browsing, email, FTP... that sort of stuff works but I cannot establish an SSL connection.
 
You don't want to block all ports over 100. After all, HTTPS is on 443, and POP is on 110.

I would block all outbound destination ports except the following list:

20 ftp data
21 ftp
25 smtp
80 http
110 pop
443 https

You may have some issues with passive ftp, but I'd have to refresh my memory on how that works. I believe that it opens an ephemeral port (1024+) for data transfer, but I don't recall off hand.

pansophic
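The default-deny egress policy described above (DENY ALL, then allow only the listed outbound ports, with SMTP restricted to the mail server and denied traffic logged, as Erik suggested) expressed as a Linux iptables ruleset. This is an added example, not from the thread or from any poster's appliance; the interface name `LAN_IF` and the mail server address are assumed placeholders.

```shell
#!/bin/sh
# Added example: emit a default-deny egress ruleset in iptables-restore
# format for a Linux gateway. The FORWARD policy is DROP, so anything not
# listed (peer-to-peer clients on any port they pick) is logged and dropped.
LAN_IF="${LAN_IF:-eth1}"                  # assumed inside interface name
MAIL_SERVER="${MAIL_SERVER:-192.0.2.25}"  # assumed internal MTA (documentation range)

# Ports any inside host may reach: pansophic's list without SMTP, which is
# allowed only from the mail server below.
ALLOWED_TCP="20 21 80 110 443"

gen_egress_rules() {
  printf '*filter\n'
  printf ':FORWARD DROP [0:0]\n'        # default DENY, not ACCEPT-and-block-known
  printf ':EGRESS_LOG - [0:0]\n'
  # Replies and related flows pass; with nf_conntrack_ftp loaded this also
  # covers the ephemeral data port of passive FTP.
  printf -- '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  # SMTP out only from the mail server's IP.
  printf -- '-A FORWARD -i %s -s %s -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$LAN_IF" "$MAIL_SERVER"
  for port in $ALLOWED_TCP; do
    printf -- '-A FORWARD -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$LAN_IF" "$port"
  done
  # Everything else from the inside is rate-limited into the log, then dropped,
  # which gives the policy-violation evidence Erik mentioned.
  printf -- '-A FORWARD -i %s -j EGRESS_LOG\n' "$LAN_IF"
  printf -- '-A EGRESS_LOG -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DENY: "\n'
  printf -- '-A EGRESS_LOG -j DROP\n'
  printf 'COMMIT\n'
}

# Check helper: does the generated ruleset allow NEW outbound TCP to port $1?
port_allowed() {
  gen_egress_rules | grep -q -- "--dport $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage: gen_egress_rules > egress.rules && iptables-restore < egress.rules
```

Review the generated file before loading it; on a gateway that also hosts services, the same allowlist idea applies to the OUTPUT chain.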
 
Yeah, my "100" mark was just a stab. I'm not familiar with all of the commonly used ports and didn't feel like doing the research for my test run.

OK, I started from scratch. I'm set to allow only useful ports. Everything seems to work fine, even SSL connections. Don't know what I did wrong the first time. I'm feeling more secure already...

If you've got another minute, would anyone care to share their thoughts on whether or not to allow instant messaging?
 
Because of all of the recent holes found in the IM clients, and because I am not a user (nor do I desire to have my whereabouts known to the owners of the IM servers), I always block it. The only exception that I would make would be if I had a hearing/speech impaired employee. It is one of the preferred methods of communication for the deaf and speech impaired community.

pansophic
 