On 9 Feb 2001, at 10:31, D. Clyde Williamson wrote:
> Perhaps, someone on this list can see why 'blocking' stuff on the
> Internet is an effort in futility. Blocking Napster turns IT security
> into a 'Technology Arms Race'. Who will win? No one. People will
> always find ways around the blocks, and you will always find ways to
> add more blocks. Marcus Ranum made it very clear when he said that you
> cannot use technical solutions to solve social problems. People
> downloading .mp3's from Napster at work would be a social
> problem. Instead of beating your head against your firewall, let HR
> deal with it. HR can make an official policy saying "No Napster" and
> you can simply monitor Napster activity from time to time, and send
> offenders to HR to be dealt with.
I totally agree here - we now have a policy that outlines what may be used on
the company network, and Napster and Gnutella are on the banned list. The
one person we had who sparked off our whole Napster/Gnutella "manhunt"
here managed to shift over 750Mb of MP3s in 3 days, and it was only by
trawling the firewall logs that we spotted it. All rules in the firewall were
bypassed - now that I've had a chance to look at it, I see that Napster
automatically changes ports to bypass FW rules and connections are
initiated from the client and so incoming rules don't apply. We now run Snort
and other packet sniffers to watch out for traffic for protocols we don't allow
and get alerts fired to all security admins when something suspicious is
found, and we're investigating the use of Snort to automatically close the
connection using the new ability to intercept the connection and send the
RST packets.
Dan
---
D.C. Crichton email: [EMAIL PROTECTED]
Senior Systems Analyst tel: +44 (0)121 706 6000
Computer Manuals Ltd. fax: +44 (0)121 606 0477
Computer book info on the web:
http://computer-manuals.co.uk/
Want to earn money? Join our affiliate network!
http://computer-manuals.co.uk/affiliate/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
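As an added example (not code from the post or from either poster), a small Python pass that does the firewall-log "trawling" Dan describes automatically: it totals accepted outbound bytes per internal host and flags hosts that move a lot of data over several non-standard destination ports, the pattern a port-hopping, client-initiated file-sharing session leaves. The log line format, the sample hosts and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post); the format is
# assumed: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport> bytes=<n>"
SAMPLE_LOG = """\
2001-02-06 09:12:01 ACCEPT TCP 10.0.0.5:1201 -> 64.124.41.16:6699 bytes=14200000
2001-02-06 09:40:17 ACCEPT TCP 10.0.0.5:1207 -> 64.124.41.16:6698 bytes=9800000
2001-02-06 10:05:44 ACCEPT TCP 10.0.0.5:1213 -> 64.124.41.16:8888 bytes=21000000
2001-02-06 10:31:09 ACCEPT TCP 10.0.0.5:1219 -> 64.124.41.16:4444 bytes=18500000
2001-02-06 10:33:50 ACCEPT TCP 10.0.0.9:1055 -> 192.0.2.10:80 bytes=120000
2001-02-06 10:34:02 ACCEPT TCP 10.0.0.9:1056 -> 192.0.2.10:80 bytes=85000
2001-02-06 10:35:12 ACCEPT TCP 10.0.0.9:1057 -> 192.0.2.11:443 bytes=64000
"""

LINE_RE = re.compile(
    r"^\S+ \S+ ACCEPT (?P<proto>\S+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

def summarize_outbound(log_text, internal_prefix="10."):
    """Aggregate accepted outbound flows per internal source host (prefix is assumed)."""
    stats = defaultdict(lambda: {"bytes": 0, "ports": set(), "flows": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("src").startswith(internal_prefix):
            continue
        s = stats[m.group("src")]
        s["bytes"] += int(m.group("bytes"))
        s["ports"].add(int(m.group("dport")))
        s["flows"] += 1
    return stats

def flag_hosts(log_text, min_bytes=50_000_000, min_ports=3, allowed_ports=(80, 443)):
    """Return hosts that sent at least min_bytes over at least min_ports distinct
    destination ports outside the allowed set: high volume spread over changing
    ports is the trace a client leaves when it picks whatever port gets through."""
    flagged = {}
    for host, s in summarize_outbound(log_text).items():
        odd_ports = s["ports"] - set(allowed_ports)
        if s["bytes"] >= min_bytes and len(odd_ports) >= min_ports:
            flagged[host] = {"mbytes": s["bytes"] // 1_000_000, "ports": sorted(odd_ports)}
    return flagged

if __name__ == "__main__":
    for host, info in flag_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['mbytes']} MB over ports {info['ports']}")
```

Hosts that only talk to 80/443, like 10.0.0.9 in the sample, stay unflagged no matter how many flows they open; the thresholds are the knob to tune against real traffic.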