Using Firewalls to Block Spyware?
MartinMotor asks: "I'm a Network Administrator for a company with approximately 200 users, and we just installed a shiny new PIX. Being the resourceful network geek type, I immediately started adding deny statements to kill off access to places where people can download evil cursed programs like HOTBAR. Is there anywhere out there where people like me are maintaining a list of IPs for spammers, spyware progs, and pop-uppers to add to our firewalls? I can't be the first person to have this idea."
spybot search and destroy (Score:5, Informative)
http://security.kolla.de/
Re:spybot search and destroy (Score:4, Informative)
Re:spybot search and destroy (Score:2)
Off topic: Using sort(1) portably (Score:2, Interesting)
The "-u" flag to sort(1) only works on systems that implement the XPG4 standard. If you want to write portable shell scripts, you'll need to call uniq(1). Unfortunately for us script writers, not all the world uses GNU textutils.
HTH. HAND.
Congratulations (Score:1)
Re:Congratulations (Score:2)
sort * | uniq
Re:Congratulations (Score:2)
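The two comments above (portable sort(1)/uniq(1) and "sort * | uniq") come up when several downloaded block lists have to be merged into one file for the firewall. The function below is an added example, not anything posted in the thread: it normalizes the lists (drops comments and blank lines, trims whitespace) and deduplicates with the portable sort | uniq pipeline rather than sort -u. The sample list files it creates are constructed and the hostnames in them are placeholders, not real spyware hosts.

```shell
#!/bin/sh
# Added example: merge several blocklist files into one deduplicated list.
# sort | uniq is used instead of sort -u so the script also runs on systems
# whose sort(1) lacks the XPG4 -u flag. Entries are normalized first so that
# "192.0.2.11   " and "192.0.2.11" collapse into one line.

merge_blocklists() {
    # $@ are blocklist files; '#...' comments and blank lines are dropped,
    # leading/trailing whitespace is trimmed, then the result is deduplicated.
    cat "$@" |
        sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$' |
        LC_ALL=C sort | uniq
}

# Constructed sample lists (placeholder addresses and names) for a stand-alone run.
demo_blocklists() {
    dir=$(mktemp -d)
    printf '# list A\n192.0.2.10\n192.0.2.11   \nhotbar.example  # comment\n' > "$dir/a.txt"
    printf '192.0.2.11\n\nhotbar.example\n192.0.2.12\n' > "$dir/b.txt"
    merge_blocklists "$dir/a.txt" "$dir/b.txt"
    rm -rf "$dir"
}

demo_blocklists
```

Running it prints four lines: the three addresses and hotbar.example, each once, even though 192.0.2.11 and hotbar.example appear in both input files.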
Firewall policy (Score:5, Informative)
Re:Firewall policy (Score:2)
Re:Firewall policy (Score:4, Insightful)
Any half-wit administrator should be filtering all outbound traffic, to just the ports NEEDED for the business to function (in many cases, that means the internal equipment must use the proxy for everything, or they can forget about connecting to the net). Everything else should run through a proxy/caching server, or an internal SMTP relay server. I've yet to come across any application that I've permitted my users to install, which was unable to work with a proxy server.
Not only does a proxy/caching/relay server greatly speed up overall internet access, but it allows for the company to fully log where an employee goes online, and better control their use of the net. In the event of any legal issues, the company can use those logs for either defense or prosecution.
Effective egress filtering also prevents employees (or even a virus or trojan) from using your internet connection to send spam, attack others, and anything else that the business does not need the employee to do.
If there's something wrong with your proxy server - that's likely the admin's fault, or a POS proxy server. I don't know what you use, but the squid proxy/caching server is one that I've used extensively in many environments, and it has performed without issue for quite some time.
Are you aware that most IM sessions are not encrypted, all chat messages are passed through servers that you do not and cannot control, and therefore are not secure by any stretch of the imagination. You open that barn door, and I guarantee you your users will quickly forget whatever you told them about the insecurity, and start sending confidential and/or proprietary information via the chat tools.
A specific list of websites - well, we actually do. Mozilla/Netscape can go anywhere on the net, but IE is restricted to just a few business related sites. This works very well to curtail users' access to potentially hazardous sites, without impacting their ability to function.
Re:Firewall policy (Score:2)
I still say egress filtering is a nuisance to people who know what they're doing, but I guess it is a necessary evil against people who think they know what they're doing, and
Re:Firewall policy (Score:1, Insightful)
These rules are very likely there for a good reason. I'm sure the admins are willing to listen to a good, well thought out argument against the filtering of something (I know I would).
My rule basically goes like this; if you can present to me a good (mana
The ones who claim to know (Score:2)
I once read, the more you know, the more you know there is to know, the less you really know.
Re:Firewall policy (Score:2)
Re:Firewall policy (Score:2)
Re:Firewall policy (Score:2)
Nah. Get one of those hardware recovery cards.
http://www.google.com/search?num=100&hl=en&lr=&ie=ISO-8859-1&safe=off&edition=&q=card+%22hardware+recovery%22
http://www.magiccard.ca/MCnews/apex_summary.htm
http://www.pnltools.com/printproduct.asp?productid=196
It doesn't stop a trojan from screwing up a user's files. Or exploiting other hosts on the network while the exploited PC is up. But reboot and most things are fine, just restore use
Yes and No. (Score:2)
If you are a stone-cold IP expert, that is, you can name at least thirty ports and their uses off the top of your head, you know exactly why DirectX v7 doesn't NAT properly, you are intimate with the ICMP packet structure, you know why FTP uses more than one channel (and how to proxy that), you are qualified to do this.
If you aren't an expert, and you set up a firewall for an existing site using the philoso
Re:Yes and No. (Score:3, Insightful)
Why doesn't DirectX v7 (presumably you are referring to the DirectPlay NetCode) NAT properly? I found some answers on DXport [puffinsoft.com], which claims to be able to force DX7 and 8 games to work with NATs. Seems the protocol isn't that broken with regards to NATing.
Why must certain types of ICMP be allowed? Is "port unreachable" really necessary, or can connections to unreachable ports simply time out? Echo certainly isn't necessary. As for FTP, passive mode is preferred as it allows connections to
Re:Yes and No. (Score:2)
OUCH! Hey, cut that out.
Let me give you an example: If you are playing SMACX (Sid Meier's Alpha Centauri, Alien Crossfire expansion, which is a typical v7 multiplayer game) with players on both the inside (RFC1918 10.xxx addressing)
pix spam blocking (Score:3, Interesting)
And don't forget those weather news download sites and gotomypc.com!!!!
If you need some starter lists drop me a note.
Maybe these? (Score:4, Informative)
As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.
Gryftir
Death to all Fanatics!
Loading spyware on a test machine (Score:1)
On that topic, an instance of VMWare [vmware.com] works great for providing a test "victim workstation" on which to install spyware, document the filesystem and network behavior, and easily revert back to a clean system with a minimum of effort.
It's even possible to execute two or more identical test systems on their own private "ethernet bridge" to watch the scanning and propagation behavior of a v
10 domains will kill 90% (Score:3, Informative)
The list itself is at the office, but maybe I'll reply to myself tomorrow.
Re:10 domains will kill 90% (Score:3, Informative)
Ideally, you don't do this on your PIX, but on your web proxy (you don't allow unauthenticated unproxied web browsing do you?) - a lot of DNS lookups could seriously impair your firewall. Also, I got better performance by noting and including all the subdomains below (like http://hotbar.com and http://www.
Re:10 domains will kill 90% (Score:1)
*.microsoft.com
Firewalls + a good policy (Score:3, Interesting)
Time wasters... (Score:5, Funny)
Re:Time wasters... (Score:5, Informative)
Re:Time wasters... (Score:2)
bash-2.05a$ host 66.35.250.150
150.250.35.66.IN-ADDR.ARPA is a nickname for 150.0/24.250.35.66.IN-ADDR.ARPA
150.0/24.250.35.
Yeesh, give these Mac kids a command line and they start goin nuts!
Re:Time wasters... (Score:2)
Although there is something amusing about being called a "Mac Kid".
Re:Time wasters... (Score:2)
Re:Time wasters... (Score:1)
C:\tracert slashdot.org
Tracing route to slashdot.org [66.35.250.150]
over a maximum of 30 hops:
Some spyware modifies firewalls to get through! (Score:3, Interesting)
The other way firewalls get bypassed is if the spyware uses something already given permission to tunnel out on a system, like a web browser spyware plug-in would. In that case, what chance do you have of stopping it but to remove it?
Re:Some spyware modifies firewalls to get through! (Score:2)
Re:Some spyware modifies firewalls to get through! (Score:2)
Re:Some spyware modifies firewalls to get through! (Score:2)
Re:Some spyware modifies firewalls to get through! (Score:2)
Re:Some spyware modifies firewalls to get through! (Score:3, Insightful)
Re:Some spyware modifies firewalls to get through! (Score:2)
Both types of firewall are needed - and with new ways for malicious apps to piggyback onto legitimate ones like Firehole [keir.net], an up-to-date personal firewall that can handle DLL injection (I believe the latest ZoneAlarm do
hosts file works well (Score:5, Informative)
Re:hosts file works well --- Sort of OT (Score:2)
Shutting the barn door (Score:3, Informative)
Blocking the Permissioned Media "trojan" (Score:2, Informative)
So I setup outbound deny rules on the firewall for those IP addresses and DNS servers related to Permissioned Media. That stopped the problem until they started to host the downloa
Careful... (Score:2)
Windows XP supports application signing (Score:1, Troll)
Personal Software firewall. (Score:2)
In addition, it is nice because I can stop Outlook Express from accessing images from HTML docs, and many programs with built in images for ads can have their ads blocked as well.
There are oth
I use a hosts file (Score:1)
http://www.froggy.com.au/mike.skinner/16bi
It blocks lots of ads, cookies, trackers and XXX sites. It might even block Slashdot images and ads
Add to your ban list: (Score:2, Funny)
http://www.slashdot.org
quick and dirty way (Score:1)
The easiest way to do this.. (Score:4, Informative)
Go from your current "Internal users can access anything they want" (default allow), to "Internal users can ONLY access what we allow" (default deny). The beauty of this is that you *don't* waste time tracking down various ports for each and every application you want to block. Nor do you have to worry about keeping up with the latest spyware-ridden P2P client crap to be released. The only thing it *won't* cover is applications using protocols you allow (such as using port 80 for data xfers in $P2PappName). You can cover this with more specific ACL's on a per-shittyFsckingMakeMyNetworkAdminLifeMiserableP
The PIX makes this very easy - matter of fact, we do this exact same thing at work.
First thing you need to do is take a list of all network applications (or protocols) that your users require to do their jobs. Things like FTP, WWW, SSH and the like. Next, you formulate your ACL list to be applied to the inside interface (or whatever name you gave to the interface your users sit on. It defaults to INSIDE with a security level of 100). Do this in a text file, and check it for sanity BEFORE you apply it to your PIX (otherwise you have irate users calling you 100 at a time, screaming that you broke $nameOfAppINeedToDoMyJob).
Once you have this list and you think it's complete, add a default deny rule to the bottom. Now before you go pointing out that PIX already has default-deny, you should STILL add this because the PIX won't log packets that hit its default deny - only packets that match an explicitly defined Default Deny ACL.
Very basic example ACL list:
access-list PERMIT_OUT permit tcp any any eq 80
access-list PERMIT_OUT permit tcp any any eq 21
access-list PERMIT_OUT deny ip any any (denies all other traffic, any protocol, from any source to any destination on any port, and logs it)
The above will allow FTP and HTTP outbound for your users (you need to use protocol fixup on the FTP), and deny ALL other traffic! Problem solved, and it only takes about 10 minutes to do.
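The comment above insists on sanity-checking the ACL text file before it goes on the PIX, and it is also the concrete form of the "filter outbound to just the ports needed" advice earlier in the thread. The script below is an added example, not code from the thread or from Cisco: it parses the small subset of access-list syntax used above (permit/deny, tcp/udp/ip, any any, optional eq PORT), simulates the PIX's first-match evaluation against sample flows, confirms that an explicit final "deny ip any any" is present so that denied traffic is logged, and flags entries that can never match. The ACL text and the flows it is tested with are constructed for this example.

```python
"""Added example, not code from the thread: a sanity checker for an outbound
PIX-style ACL kept in a text file, run before the list is applied. It parses
the small subset of syntax used in the comment above:

    access-list NAME {permit|deny} {tcp|udp|ip} any any [eq PORT]

and simulates the PIX's first-match evaluation against sample flows, so you
can see what gets through, what is denied by the explicit final entry, and
what would only hit the unlogged implicit deny. ACL text and flows are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+any\s+any(?:\s+eq\s+(?P<port>\d{1,5}))?$"
)

SAMPLE_ACL = """\
! constructed sample with the same shape as the PERMIT_OUT list above
access-list PERMIT_OUT permit tcp any any eq 80
access-list PERMIT_OUT permit tcp any any eq 21
access-list PERMIT_OUT deny ip any any
"""


@dataclass
class Ace:
    name: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip" (ip matches any protocol)
    port: Optional[int]  # destination port, None = any


def parse_acl(text: str) -> List[Ace]:
    """Parse ACL lines. A line the grammar does not accept (for example a deny
    entry with no protocol keyword, which the PIX syntax requires) raises
    ValueError: exactly the typo to catch before 100 users call."""
    aces: List[Ace] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("!", 1)[0].strip()  # '!' introduces a comment
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        port = m.group("port")
        aces.append(Ace(m.group("name"), m.group("action"), m.group("proto"),
                        int(port) if port is not None else None))
    return aces


def evaluate(aces: List[Ace], proto: str, dport: int) -> Tuple[str, Optional[Ace]]:
    """First matching entry wins. No match returns ("deny", None): the
    implicit deny, which drops the packet without logging it."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action, ace
    return "deny", None


def has_explicit_final_deny(aces: List[Ace]) -> bool:
    """True when the last entry is 'deny ip any any', so denied traffic is logged."""
    if not aces:
        return False
    last = aces[-1]
    return last.action == "deny" and last.proto == "ip" and last.port is None


def unreachable(aces: List[Ace]) -> List[int]:
    """Indices of entries that can never match because an earlier
    'ip any any' entry (whatever its action) already catches everything."""
    for i, ace in enumerate(aces):
        if ace.proto == "ip" and ace.port is None:
            return list(range(i + 1, len(aces)))
    return []


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("explicit final deny present:", has_explicit_final_deny(acl))
    print("unreachable entries:", unreachable(acl))
    for proto, dport in [("tcp", 80), ("tcp", 21), ("tcp", 443), ("udp", 53)]:
        action, ace = evaluate(acl, proto, dport)
        where = f"entry {acl.index(ace) + 1}" if ace else "implicit deny (not logged)"
        print(f"{proto}/{dport}: {action} by {where}")
```

Feed it the real list with `parse_acl(open("permit_out.txt").read())` and a handful of flows that represent what your users actually need; a ValueError or a non-empty `unreachable()` result is the kind of problem that is cheap to fix in the text file and expensive once the ACL is bound to the inside interface.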
Simple but effective... (Score:2)
Denying all traffic while allowing only the bare minimum necessary is a good policy to implement on many levels. Here are some of the most important reasons why that are in my head right now (not necessarily in order of importance):
- increased security: not only are outsiders unable to see what you have running inside (obscurity), they simply can't get to it. What can't be reached, cannot be easily (i.e. directly) exploited
- simplifies management of rules: i
Re:Simple but effective... (Score:1, Funny)
-- The mgmt
Weird FedEx (Score:2)
ip blocking (Score:1)
Your employees will undoubtedly spend way too much time there, and it's full of a bunch of opinionated, undereducated tech geeks anyway!
Using DNS to block spyware, IM, etc (Score:2)
On these nameservers, override the zones for the biggest spyware domains and also for AIM, Yahoo Chat and the like, adding wildcard A records directing the request to the IP address of an internal machine running an HTTPd, or to 127.0.0.1.
The effect is twofold -- this will break 90% of the spyware programs, and you will have a log of all of the internal clien
Re:Using DNS to block spyware, IM, etc (Score:2)
In places where my clients were worried about spyware/trojans/web tracking/popups, I installed a split DNS with firewall rules blocking outgoing port 53 from all internal networks. The internal DNS server would only be allowed to contact the external, which would then perform the real world lookups. The internal server was made authoritative for hundreds (greps my master file, 322) domai
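The two DNS comments above describe the same sinkhole design: make the internal resolver authoritative for the spyware and IM zones, point the apex and a wildcard at an internal HTTPd so every lookup is logged, and let everything else forward upstream. The script below is an added example, not code from either poster: it implements the lookup policy (label-boundary matching so every subdomain of a blocked zone is caught, which is the earlier point about hotbar.com versus www.hotbar.com), records a log line per sinkholed query, and generates the BIND zone file with the wildcard A record. The zone list, the sinkhole address, the internal nameserver name and the stand-in upstream answers are all constructed for this example.

```python
"""Added example, not code from the thread: the lookup policy behind the DNS
sinkhole described above. Any name inside a blocked zone, including every
subdomain (what a wildcard A record in the overridden zone gives you),
answers with the sinkhole address and is logged; every other name is
forwarded upstream. Zones, addresses and upstream answers are constructed.
"""
from typing import Callable, List, Optional

SINKHOLE_IP = "10.0.0.250"  # assumed: an internal HTTPd that logs every hit
INTERNAL_NS = "ns.internal.example."  # assumed name of the internal nameserver

# Constructed list; in practice this is the maintained spyware/IM domain list.
BLOCKED_ZONES = {"hotbar.example", "tracker.example", "chat.example"}


def zone_for(name: str) -> Optional[str]:
    """Return the blocked zone that `name` falls under, or None.
    Matching is on label boundaries, so 'nothotbar.example' does not match
    'hotbar.example' the way a naive substring check would."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_ZONES:
            return candidate
    return None


def resolve(name: str, upstream: Callable[[str], str], log: List[str]) -> str:
    """Resolve `name`: sinkholed names are answered locally and logged with
    the zone that matched; all other names go to the upstream resolver."""
    zone = zone_for(name)
    if zone is not None:
        log.append(f"sinkhole {name} -> {SINKHOLE_IP} (zone {zone})")
        return SINKHOLE_IP
    return upstream(name)


def zone_file(zone: str, sinkhole_ip: str = SINKHOLE_IP) -> str:
    """Minimal BIND zone file making this server authoritative for `zone`
    and pointing the apex and every subdomain (the '*' record) at the sinkhole."""
    return "\n".join([
        "$TTL 3600",
        f"@ IN SOA {INTERNAL_NS} hostmaster.internal.example. 1 3600 900 604800 3600",
        f"@ IN NS {INTERNAL_NS}",
        f"@ IN A {sinkhole_ip}",
        f"* IN A {sinkhole_ip}",
        "",
    ])


if __name__ == "__main__":
    hits: List[str] = []

    def fake_upstream(name: str) -> str:
        return "192.0.2.1"  # constructed: stands in for the real-world lookup

    for q in ["www.hotbar.example", "nothotbar.example", "ads.tracker.example"]:
        print(q, "->", resolve(q, fake_upstream, hits))
    print("\n".join(hits))
    print(zone_file("hotbar.example"))
```

Each blocked zone then needs a stanza in named.conf of the form `zone "hotbar.example" { type master; file "sinkhole.zone"; };`, and the same zone file can be shared by all of them since its records are relative to the apex. The log list stands in for the query log the second poster relies on to find which internal clients are infected.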