Re: [FW-1] Block IM traffic under Checkpoint AI


  • To: [email protected]
  • Subject: Re: [FW-1] Block IM traffic under Checkpoint AI
  • From: "Laidlaw, Rob" <[email protected]>
  • Date: Wed, 10 Sep 2003 11:55:45 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcN3uTPeZIIEuBeAQ/Ki2uvR8cs7zwAABjrQ
  • Thread-topic: [FW-1] Block IM traffic under Checkpoint AI

Yes, I use it to block p2p.  First, the whole design of your security policy needs to be VERY restrictive in the first place, i.e. only allowing certain ports outbound.  This is what I did to get this working.

1.  Define a network object that encompasses the machines that you want to stop P2P from (if not done already).
2.  Add a rule to your security policy that blocks the P2P/messenger apps that you want to stop from the workstation object you just created (AI comes with a lot of preconfigured services and some groups (messenger apps, p2p apps)).
3.  Restrict the outbound access of the workstation object.  For example, if they don't need smtp or ftp-data, don't allow it out.  AIM and Yahoo will port switch to mock ftp-data, telnet, http, smtp and a whole bunch more.  There is no reason for some of those protocols to be coming from a workstation, so you can safely block some (i.e. ftp-data), but be careful about blocking things your users need.

Now the next step is dependent on what you have configured in SmartDefense: either "apply to all connections" or "apply to resources in the rule base".  I would suggest the resource route; you won't overburden your firewall and waste resources checking connections you don't care about.

4.  If you did select "apply to resources in the rule base" then you need to create a resource in the dashboard, a URI resource.  Name it, select "enforce URI cap", connection method should have transparent selected, tracking is up to you, URI match should have wildcards (a lot of this is default).  Under the match tab, http, and that was all I touched.  I left the other stuff defaulted, but that is up to you.
5.  Now that you have a resource, add a rule to your rule base (placing it where it will hit before the other allow rule for your WS but after the "deny messenger and p2p" rule).  Under service you should right-click and do an add with resource, then choose http and on the bottom choose the resource you created.

WS ---  any --- any --- http->resource --- accept ---

If you selected log under tracking in the resource, you'll see a reject in Tracker when the p2p or messenger app uses port 80.  Otherwise, you'll see a drop when they hit your drop rule from step 2.  I found it works pretty well, but it doesn't stop everything, so you'd be wise to invest in the SmartDefense update.  As new rules come out, it will update AI to check for new things.  I have found something using port 80 (like Earth Station 5) that you'd need to create your own signature to catch.

Good luck

Rob
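
As an added example (not from Rob's post or from Check Point), here is the rule base he describes modelled as a first-match evaluator in Python; the port numbers, the service groups and the way the URI resource "inspects" a connection are assumptions made for the illustration. It shows why the resource rule must sit after the deny rule and why step 3 matters: an IM client that port-switches to a service you left open without inspection simply gets through.

```python
"""First-match model of the FW-1 rule base described above (added example, not
from the list post). Ports, groups and resource inspection are simplified assumptions."""
from dataclasses import dataclass

# Assumed ports for the services the post mentions (constructed mapping).
SERVICES = {"http": 80, "smtp": 25, "ftp-data": 20, "aim": 5190, "msn": 1863}
IM_P2P_APPS = {"aim", "msn", "yahoo"}        # stands in for AI's preconfigured groups
OBJECTS = {"WS": {"10.1.1.0/24"}}            # the workstation object from step 1

@dataclass
class Conn:
    src_net: str
    dst_port: int
    app: str   # what the traffic really is; only the resource inspection sees this

@dataclass
class Rule:
    name: str
    src: str               # network object name or "any"
    services: set          # service names or {"any"}
    action: str            # "accept" or "drop"
    inspect: bool = False  # True models "http->resource" (SmartDefense looks inside)

def build_rulebase(allow_smtp: bool) -> list:
    """Rules from steps 2 and 5, placed in the order the post recommends."""
    rules = [
        Rule("deny messenger and p2p", "WS", {"aim", "msn"}, "drop"),
        Rule("http via resource", "WS", {"http"}, "accept", inspect=True),
    ]
    if allow_smtp:  # step 3: leaving unneeded services open gives IM a way out
        rules.append(Rule("allow smtp out", "WS", {"smtp"}, "accept"))
    return rules

def evaluate(rules: list, conn: Conn) -> tuple:
    """Return (rule name, result) for the first match, else the cleanup drop."""
    for rule in rules:
        if rule.src != "any" and conn.src_net not in OBJECTS[rule.src]:
            continue
        ports = {SERVICES[s] for s in rule.services if s in SERVICES}
        if "any" not in rule.services and conn.dst_port not in ports:
            continue
        if rule.inspect and conn.app in IM_P2P_APPS:
            return rule.name, "reject"   # shows up as a reject in Tracker
        return rule.name, rule.action
    return "cleanup", "drop"             # nothing matched: implicit drop

if __name__ == "__main__":
    for smtp_open in (False, True):
        for port, app in ((5190, "aim"), (80, "aim"), (80, "browser"), (25, "aim")):
            print(smtp_open, port, app, evaluate(build_rulebase(smtp_open), Conn("10.1.1.0/24", port, app)))
```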


-----Original Message-----
From: Wayne Ho [mailto:[email protected]]
Sent: Wednesday, September 10, 2003 10:57 AM
To: [email protected]
Subject: [FW-1] Block IM traffic under Checkpoint AI


Does anyone use the AI feature to block IM traffic?
Under SmartDefense -> HTTP protocol inspection ->
peer-to-peer, by default it defines AIM/MSN/Yahoo
Messenger. I turned them on to block this traffic as a
proof of concept. However, the firewall still passes
IM traffic through. I also configured it to perform
strict protocol enforcement, following article
sk20767. Still no luck. Any thoughts?

Wayne

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================