Determining which ports & protos to block - ACLs

CartoonHair

IS-IT--Management
Nov 13, 2002
3
US
I am applying ACLs to the inside interface, blocking traffic from leaving the LAN. I am trying to stop any p2p services being invoked by the inside.

I can block certain servers w/ IP address.
Where can I find and keep up to date with the new p2p that seem to pop up every day? Does anyone have a good source for current servers for such services as Yahoo, AIM, MSN Messenger, Kazaa, Morph, etc.? I have looked all over the Cisco site and iana.org to no avail.
thx
 
Hi.

This is a problem that many of us are trying to deal with, and it is not simple because many such applications like Kazaa will use port 80 or even a proxy server if needed.

A major line of action is to work at the OS level, in addition to the network configuration.
Limiting client permissions at the OS, using GPO and other management techniques can do part of the job.

Another thing is to define the company policy, and then publish it to users with notes on why this is bad for them and the company.
This will also limit the current and future problems.

For the network configuration - if you can implement a proxy server behind the pix and then block direct access of workstations, this will give you much better control.

Assuming that you currently don't have a proxy server, I suggest the following actions:
Use an ACL that allows only the ports that you want (don't allow all ports and block some, but block all and permit few).
If applicable, use syslog messages at level 6 to collect info about the traffic going through the PIX.
This info can help you later to find out what is going on.
An alternative is using a network sniffer that will be connected with a HUB to the inside pix interface and collect that info.

Bye


Yizhar Hurwitz
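To turn the level-6 syslog suggestion above into something usable for building a "block all, permit few" ACL, here is an added example (not from the thread or from Cisco) that tallies outbound connections per destination port from PIX "Built outbound connection" messages and lists inside hosts using ports the planned permit list would not cover. The message format is assumed from the PIX 6.x syslog reference (IDs 302013 for TCP, 302015 for UDP), and the log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# PIX 6.x "Built outbound" connection messages (302013 = TCP, 302015 = UDP).
# Format assumed from the PIX syslog reference; adjust for your software version.
BUILT_RE = re.compile(
    r"%PIX-6-3020(?:13|15): Built outbound (?P<proto>TCP|UDP) connection \d+ "
    r"for outside:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \S+ "
    r"to inside:(?P<src_ip>[\d.]+)/\d+"
)

# Constructed sample log (hypothetical addresses and ports), not real traffic.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:10.1.1.20/1054 (203.0.113.5/1054)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.11/443 (198.51.100.11/443) to inside:10.1.1.20/1055 (203.0.113.5/1055)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.12/1214 (198.51.100.12/1214) to inside:10.1.1.31/1400 (203.0.113.5/1400)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.12/1214 (198.51.100.12/1214) to inside:10.1.1.31/1401 (203.0.113.5/1401)
%PIX-6-302015: Built outbound UDP connection 1005 for outside:198.51.100.1/53 (198.51.100.1/53) to inside:10.1.1.20/1060 (203.0.113.5/1060)
%PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.10/80 to inside:10.1.1.20/1054 duration 0:00:05 bytes 1234 (TCP FINs)
"""


def parse_outbound(log_text):
    """Return one (src_ip, proto, dst_ip, dst_port) tuple per built outbound connection."""
    found = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            found.append((m["src_ip"], m["proto"], m["dst_ip"], int(m["dst_port"])))
    return found


def port_histogram(records):
    """Count connections per (proto, dst_port); this is the raw data for the permit list."""
    return Counter((proto, port) for _, proto, _, port in records)


def outside_permit_list(records, permitted):
    """Map each inside host to the (proto, port) pairs it used that the planned
    permit-few ACL would deny, so they can be reviewed before the ACL goes live."""
    offenders = defaultdict(set)
    for src, proto, _, port in records:
        if (proto, port) not in permitted:
            offenders[src].add((proto, port))
    return dict(offenders)


if __name__ == "__main__":
    recs = parse_outbound(SAMPLE_LOG)
    for (proto, port), n in port_histogram(recs).most_common():
        print(f"{proto}/{port}: {n} connection(s)")
    print(outside_permit_list(recs, {("TCP", 80), ("TCP", 443), ("UDP", 53)}))
```

Feed it a day of exported syslog instead of SAMPLE_LOG and the histogram shows which ports legitimate traffic actually needs; anything left in the offenders map is what the deny-all would cut off.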
 