This issue comes up every once in a while, and not everyone will be polite in their answer. Consider yourself warned. I'll try to cover as many of the ideas as possible. You'll find plenty of info if you search the sec-basics archives.
#1) Policy. Make it corporate policy that these programs are not permitted even installed on corporate PCs, even for personal use outside of work (in case you have users who carry laptops home with them). This is the "easiest" method, but probably the least effective. But most importantly it provides recourse for an employee who ignores this policy. It is up to each individual company to decide the "punishment" for disobeying policy.

#2) Control program installations. If you are running Win2K, this is fairly easy with the group policies and what not. If you have other OSes, then you should be able to purchase (assuming that's an option) applications such as Fortress that will lock down access to a PC. They can be a pain to manage though. This is ultimately the most effective IMHO.

#3) Filtering at the Internet Gateway (firewall, proxy, etc.) Filtering ports is of little use. Most of these apps will fail-over to port 80 if their default ports are blocked. And I know for a fact that even most application layer firewalls will not actually block these guys over port 80. But you can filter the logon server IPs and/or domain names. Keep in mind, this will require occasionally checking them since they do tend to change every so often. You might be able to watch this by installing these apps on a demo machine locked in an MIS room where you can keep an eye on which servers it's trying to connect to.

#4) IDS. This option is discussed less often, and would require maintenance as well, and more importantly, this would require #1 to be in use. But the idea would be to write a custom signature for each app (yes, that's a pain), then when your IDS sees a user using one of the applications, you go to his/her desk and uninstall it. Depending on the IDS system you're using, you might be able to use TCP Resets sent from the IDS to actually stop the connection, but there's a whole other barrel of issues with that.
HTH,
Brownfox

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 11:46 AM
To: [EMAIL PROTECTED]
Subject: Stopping File Sharing Programs...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

Our connection to the Internet these days is getting bogged down as quite a few users are using P2P progs to share/download files. Initially the problem was just one: Kazaa. We were able to stop user access to Kazaa by blocking the port 1214.

Users currently use a whole set of filesharing programs.. Morpheus, Kazaa, Gnutella, Bearshare etc. etc. Yes, it is possible to keep track of the programs being used, block each one individually etc.

Would there be some kind of a generic way to block such P2P progs?

Regards
Dhar

- --
Smith & Wesson: The original point and click interface.

pub 1024D/7AB2D05A 2002-02-24 Sumit Dhar (Sumit Dhar, SLMSoft.com) <[EMAIL PROTECTED]>
Key fingerprint = 4A18 D20D 3D15 6C5B CD2F 8E45 B903 0C29 7AB2 D05A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8iOrFuQMMKXqy0FoRAgpfAKDjc+1pS5WZzzPXVYvV3zGJ7A+e/gCgn9sb
7xlaUITEO6mrErzFb8nxbGs=
=vwcP
-----END PGP SIGNATURE-----
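
Point #3 of the reply suggests watching a demo machine to see which servers the applications contact, because the blocklist goes stale. One way to make that check repeatable, as an added example that is not part of the original thread; the log layout, addresses, host names and blocklist entries are all constructed assumptions:

```python
"""Diff a demo machine's outbound connections against the gateway blocklist."""
import ipaddress
from collections import defaultdict

# Constructed sample log; the "<time> <src> -> <dst>:<port> <host or ->" layout
# is an assumption, not a real product's format.
SAMPLE_LOG = """\
09:00:01 10.0.0.50 -> 192.0.2.10:1214 login1.p2p.example
09:00:05 10.0.0.50 -> 192.0.2.10:80 login1.p2p.example
09:00:09 10.0.0.50 -> 198.51.100.7:80 login2.p2p.example
09:01:12 10.0.0.50 -> 203.0.113.25:80 -
09:02:00 10.0.0.51 -> 198.51.100.99:80 www.example.org
malformed line
"""
BLOCKLIST = {"login1.p2p.example", "192.0.2.10"}  # constructed current entries
DEMO_HOST = "10.0.0.50"                           # constructed demo machine IP


def parse_line(line):
    """Return (src, dst_ip, port, hostname or None), or None if unparsable."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst, _, port = parts[3].rpartition(":")
    try:
        ipaddress.ip_address(dst)
        port = int(port)
    except ValueError:
        return None
    return parts[1], dst, port, (None if parts[4] == "-" else parts[4].lower())


def unblocked_destinations(log_text, blocklist, demo_host):
    """Map each destination missing from the blocklist to the ports it used."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != demo_host:
            continue  # skip junk lines and traffic from other machines
        _, dst, port, name = rec
        if dst in blocklist or (name and name in blocklist):
            continue  # already filtered at the gateway
        seen[(name or dst, dst)].add(port)
    return {key: sorted(ports) for key, ports in seen.items()}


if __name__ == "__main__":
    found = unblocked_destinations(SAMPLE_LOG, BLOCKLIST, DEMO_HOST)
    for (label, ip), ports in sorted(found.items()):
        print(f"candidate for blocklist: {label} ({ip}) ports {ports}")
```

On the sample, both new candidates were reached only over port 80, which is the fail-over case where a port filter alone would have shown nothing.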