Part of our overall network security policy is to block streaming media. This is done in IE by running web traffic through a web cache server (which then blocks the known streaming sites).
However, I have found a loophole with Firefox that would allow users to stream media. I was thinking that we could use CSA to deny access for a Web browser to access a media plug-in or a streaming audio or video file, but I cannot find a way to do this.
We tried making a rule to monitor when a Web browser invokes a Multimedia application, but that is only triggered if IE/Firefox actually OPEN a new application, whereas the plug-in does not trigger the rule. Any ideas?
After defining an application behavior as legitimate or malicious, the appropriate Cisco Security Agent response to the event needs to be configured. Cisco Security Agent can be configured to take a range of actions when an event occurs, such as denying the resource request, terminating the process, asking the user, allowing the behavior, logging, and sending alerts. Refer to the URL http://www.cisco.com/web/about/security/intelligence/05_10_Tuning-Cisco-Security-Agent.html#15
The problem is that I can't locate a way to isolate the behavior in CSA. I can't really set a CSA response if the rule won't catch the streaming media.
So far, I've targeted monitoring of web browsers invoking other applications, but this does not show me anything due to the streaming media. My next focus area is going to be COM objects. Any ideas what area the behavior might fall under in CSA?
You can make a Network Access Control List (NACL) rule that denies traffic to any ports of your choosing (then add this policy to a group that your hosts are in).
You could also create a file access control rule that denies browser (or any) access to the known streaming media plugins. That should keep it from working. Of course it would break all streaming media (we use it internally).
I'm curious, do you have a written policy that prohibits users from viewing streaming media? If so, you could create a query (default deny) rule rather than a straight deny and put the link to the policy (if it's online) in the query text.
That might get the users thinking about what they are doing.
Actually, as I was thinking about this, I realized this probably shouldn't be done through CSA, since CSA is meant to protect the network, not police the users...
The enforcement right now is that we have a list of known streaming media websites in our web cache server and so any traffic that goes through there will be blocked if it is trying to access that streaming site.
However, I discovered a loophole, since Firefox does not require users to go through the web cache server. Maybe I'll try the CSA implementation, just to see if it fixes the loophole.
Sure thing. I thought CSA was the best thing since sliced bread and made the mistake of telling others that it could prevent just about any program we wanted from running.
Now I have to manage that... *sigh*
But I am learning not to open my mouth and I also asked that our written policy support any technical 'enforcement' solution.
I didn't want to have to explain to someone why they couldn't do something they used to be able to do.
Now all I do is point them to the policy (and maybe explain some of the reasons why we have the policy too...).
After doing some research on this, it seems that streaming is very difficult to block at the firewall, especially since the streaming players have rollover protocols, and in the end HTTP is always available.
Here are the file extensions for common streaming formats:
Real Player - ra, rm, ram
Windows Media - asf, asx, wma, wmv, wmvhd
Quicktime - mov, mp4
Flash - swf, flv
Winamp - pls, m3u
To stop your employees from initiating streaming sessions, you can do the following:
- Create a new File access control rule
- Set action to Deny
- Select the Application classes to "Web browser applications" and "Multimedia applications". If you don't have these, you'll have to create your own application class containing: netscape.exe, netscp.exe, netscp6.exe, iexplore.exe, np.exe, opera.exe, firefox.exe, mozilla.exe, wmplayer.exe, mplayer2.exe, QuickTimePlayer.exe, realplay.exe, realjbox.exe, winamp.exe
- Set your files to:
I haven't tested this so I can't guarantee it will work, but I think it might be the right direction.
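As an added illustration (not from the original thread or from Cisco), the following Python script models the logic of the proposed rule: an access is denied only when the requesting process belongs to the "Web browser applications" or "Multimedia applications" class AND the requested file carries one of the streaming extensions listed above. It can be run over a batch of constructed (process, resource) events to sanity-check coverage before building the rule, including edge cases such as uppercase extensions and URLs with query strings; the sample events and host names are constructed.

```python
import os
from urllib.parse import urlsplit

# Application classes from the post (process names are compared case-insensitively).
WEB_BROWSERS = {"netscape.exe", "netscp.exe", "netscp6.exe", "iexplore.exe",
                "np.exe", "opera.exe", "firefox.exe", "mozilla.exe"}
MULTIMEDIA_APPS = {"wmplayer.exe", "mplayer2.exe", "quicktimeplayer.exe",
                   "realplay.exe", "realjbox.exe", "winamp.exe"}
RULE_APP_CLASSES = WEB_BROWSERS | MULTIMEDIA_APPS

# Streaming file extensions per format, as listed in the post.
STREAMING_EXTENSIONS = {
    "Real Player": {"ra", "rm", "ram"},
    "Windows Media": {"asf", "asx", "wma", "wmv", "wmvhd"},
    "Quicktime": {"mov", "mp4"},
    "Flash": {"swf", "flv"},
    "Winamp": {"pls", "m3u"},
}

def streaming_format(resource: str):
    """Return the streaming format for a file path or URL, or None.
    Drops any query string/fragment and compares the extension case-insensitively."""
    path = urlsplit(resource).path if "://" in resource else resource
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    for fmt, exts in STREAMING_EXTENSIONS.items():
        if ext in exts:
            return fmt
    return None

def evaluate_rule(process: str, resource: str) -> str:
    """Simulate the file access control rule: Deny when the process is in the
    rule's application classes and the resource is a streaming file, else Allow."""
    proc = os.path.basename(process.replace("\\", "/")).lower()
    if proc in RULE_APP_CLASSES and streaming_format(resource) is not None:
        return "Deny"
    return "Allow"

def audit(events):
    """Evaluate (process, resource) events and return the ones the rule would deny."""
    return [(p, r, streaming_format(r)) for p, r in events if evaluate_rule(p, r) == "Deny"]

# Constructed sample events (hypothetical paths and host; not from the thread).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "http://example.test/live/show.ASX?id=7"),
    (r"C:\Program Files\Winamp\winamp.exe", r"C:\Users\bob\Music\radio.pls"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "http://example.test/page.html"),
    (r"C:\Windows\explorer.exe", r"C:\Users\bob\Videos\clip.wmv"),  # not in either class
]

if __name__ == "__main__":
    for p, r, fmt in audit(SAMPLE_EVENTS):
        print(f"Deny {p} -> {r} ({fmt})")
```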
I have to make a correction. Don't use @local, as that applies to the IP addresses - instead, replace that with @fixed.
Sorry, I keep getting those mixed up. :P