On Mon, 7 Apr 2003 [EMAIL PROTECTED] wrote:

> how would you deal with blocking client side applications that masquerade
> as other types of traffic? Such as clients that connect to remote hosts on
> ports like 80, 22, 53, etc that your site allows out as legitimate traffic.
For anything pretending to be port 80, a proxy, transparent or otherwise, will be a big help. Keep an eye on the proxy logs (via logcheck or some other means) and swat anything that looks like Kazaa traffic. Don't allow anything out to port 80 unless it has been through the proxy, and don't allow any port 80 inbound unless it's to your (properly secured) firewall.

In fact, it's generally a good idea to silently drop any incoming connections at the firewall which don't go to known services. That way, backdooring your servers becomes a much more interesting proposition...

As for anything outgoing to well-known ports, consider whether your users need that service, and whether you can proxy it somehow. 53, for instance, can be supplied by an on-site caching DNS server (always a good idea *anyway*) and all other attempts to get out to port 53 dropped. As for 22 (SSH, for those reading who aren't familiar), you'll need to consider whether your users should be SSHing to far-away places.

In general, though, a firewall will not be able to make decisions about the contents of packets and whether they're "proper" traffic for the WKP or whether they're masquerading. You'd need a layer 7 firewall for that - not a particularly entertaining prospect. Proxies will generally salve your ills in a lot of cases, though.

-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16
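The policy sketched in the reply above (inbound only to a known service on the firewall, outbound 80 only from the proxy, outbound 53 only from the on-site caching resolver, SSH decided per site) written out as a first-match rule table, with a function that evaluates sample flows against it and a renderer that emits the equivalent iptables commands. This is an added example, not code from the original post or its author. The addresses (documentation ranges), the host roles, the interface names eth0/eth1, and the choice to let exactly one admin workstation SSH out and to default-deny all other egress are assumptions made here; the post leaves the SSH decision open and does not spell out a default. It also goes slightly beyond the text by showing the layer 3/4 limit the post mentions: a Kazaa client talking to a remote port 80 is indistinguishable from a browser at this layer, so the model can only drop it for coming from the wrong source host, which is exactly why the proxy and its logs carry the rest of the job.

```python
"""Model of the firewall policy from the post: a first-match rule table,
decide() to evaluate flows against it, and a renderer for the equivalent
iptables commands.  Constructed example; addresses, host roles and
interface names are assumptions, not anything from the original post."""
from collections import namedtuple
from ipaddress import ip_address

# Assumed site layout (addresses taken from RFC 5737 documentation ranges).
FIREWALL = ip_address("203.0.113.1")   # firewall's outside address
PROXY = ip_address("10.0.0.2")         # only host allowed to speak HTTP outbound
RESOLVER = ip_address("10.0.0.3")      # on-site caching DNS server
ADMIN = ip_address("10.0.0.10")        # the one workstation allowed to SSH out
OUTSIDE, INSIDE = "eth0", "eth1"       # assumed interface names

Flow = namedtuple("Flow", "direction src dst proto dport")
# In a Rule, None for proto/dport/src/dst means "any"; first match wins.
Rule = namedtuple("Rule", "direction proto dport src dst action note")

RULES = [
    # Inbound: only the firewall's own known service; everything else is dropped.
    Rule("in",  "tcp", 80, None, FIREWALL, "ACCEPT", "HTTP to the (hardened) firewall"),
    Rule("in",  None, None, None, None,    "DROP",   "no other inbound services"),
    # Outbound HTTP only from the proxy: Kazaa-on-port-80 from a desktop dies here,
    # while HTTP relayed by the proxy is what ends up in the proxy logs.
    Rule("out", "tcp", 80, PROXY, None,    "ACCEPT", "proxy's own HTTP"),
    Rule("out", "tcp", 80, None, None,     "DROP",   "direct HTTP bypasses the proxy"),
    # Outbound DNS only from the caching resolver.
    Rule("out", "udp", 53, RESOLVER, None, "ACCEPT", "caching resolver"),
    Rule("out", "tcp", 53, RESOLVER, None, "ACCEPT", "caching resolver (TCP fallback)"),
    Rule("out", None, 53, None, None,      "DROP",   "direct DNS from other hosts"),
    # Outbound SSH is a policy decision; here only the admin workstation gets it.
    Rule("out", "tcp", 22, ADMIN, None,    "ACCEPT", "admin workstation SSH"),
    Rule("out", "tcp", 22, None, None,     "DROP",   "SSH from ordinary hosts"),
    Rule("out", None, None, None, None,    "DROP",   "default deny egress (assumption)"),
]


def matches(rule, flow):
    """True if every non-wildcard field of the rule equals the flow's field."""
    return (rule.direction == flow.direction
            and rule.proto in (None, flow.proto)
            and rule.dport in (None, flow.dport)
            and rule.src in (None, ip_address(flow.src))
            and rule.dst in (None, ip_address(flow.dst)))


def decide(flow):
    """Return (action, note) from the first matching rule; DROP if none matches."""
    for rule in RULES:
        if matches(rule, flow):
            return rule.action, rule.note
    return "DROP", "no rule matched"


def render_iptables():
    """Emit iptables commands in RULES order (iptables is first-match too).
    A rule with a port but no protocol expands to one tcp and one udp line,
    because --dport is only valid together with -p."""
    lines = []
    for r in RULES:
        protos = [r.proto] if r.proto else (["tcp", "udp"] if r.dport else [None])
        if r.direction == "out":
            chains = [f"FORWARD -i {INSIDE} -o {OUTSIDE}"]
        elif r.dst == FIREWALL:
            chains = [f"INPUT -i {OUTSIDE}"]
        else:  # inbound catch-all: both to the firewall itself and through it
            chains = [f"INPUT -i {OUTSIDE}", f"FORWARD -i {OUTSIDE}"]
        for proto in protos:
            match = f" -p {proto}" if proto else ""
            match += f" --dport {r.dport}" if r.dport else ""
            match += f" -s {r.src}" if r.src else ""
            match += f" -d {r.dst}" if r.dst else ""
            for chain in chains:
                lines.append(f"iptables -A {chain}{match} -j {r.action}  # {r.note}")
    return lines


# Constructed sample flows: a desktop trying port 80 directly, the proxy doing
# the same, a desktop trying DNS directly, the resolver doing DNS, etc.
SAMPLE_FLOWS = [
    Flow("out", "10.0.0.55", "198.51.100.7", "tcp", 80),
    Flow("out", "10.0.0.2", "198.51.100.7", "tcp", 80),
    Flow("out", "10.0.0.55", "198.51.100.53", "udp", 53),
    Flow("out", "10.0.0.3", "198.51.100.53", "udp", 53),
    Flow("out", "10.0.0.55", "198.51.100.22", "tcp", 22),
    Flow("out", "10.0.0.10", "198.51.100.22", "tcp", 22),
    Flow("in", "198.51.100.9", "203.0.113.1", "tcp", 80),
    Flow("in", "198.51.100.9", "203.0.113.1", "tcp", 22),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, note = decide(f)
        print(f"{f.direction:3} {f.src:>13} -> {f.dst}:{f.dport}/{f.proto}  {action:6} ({note})")
    print()
    print("\n".join(render_iptables()))
```

The verdict table makes the post's caveat concrete: the desktop-to-port-80 flow is dropped only because its source is not the proxy, not because anything looked inside the packets. A client that is smart enough to speak real HTTP through the proxy gets past this table, and catching that is the proxy log's job, not the packet filter's.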

