[44976] in North American Network Operators' Group
RE: Blocking Internet Gaming
daemon@ATHENA.MIT.EDU (Dominic J. Eidson)
Sun Jan 6 20:44:51 2002
Date: Sun, 6 Jan 2002 19:44:16 -0600 (CST)
From: "Dominic J. Eidson" <sauron@the-infinite.org>
To: Todd Suiter <todd@s4r.com>
Cc: James <james@james-web.net>, 'Walter Gray' <wgray@wwns.net>,
<nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.33.0201061718550.24525-100000@sashimi.space4rent.com>
Message-ID: <Pine.LNX.4.33.0201061934200.16672-100000@morannon.the-infinite.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Sun, 6 Jan 2002, Todd Suiter wrote:
> Problem with that is you can spec those ports pretty much at will. This came up
> on the focus-ids@securityfocus list last week. Policy is a good place to
> start. Make it obvious that your org does not approve of this type of thing.
> Then start looking at tcpdump output to find the ports/people, and go from
> there.
There was a similar discussion to this one back when I first joined
NANOG - anyways - to repeat my comment from back then..
I work for a healthcare network - for obvious reasons, we don't allow
incoming connections through our firewall. The interesting part is though,
that we also only allow limited access _out_ through our firewall - mainly
because back in the days when we first got the setup, $$$'s for internet
access were scarce, and in order to keep the traffic at reasonable rates
(not to saturate our connection), we had to limit traffic in some way.
The basic setup is to disallow all outbound connections, save ports 20-21,
23, 109/110, 80 (with restriction, explanation follows) and 443.
The restrictions on port 80 are done using Checkpoint's HTTP Client Auth
agent - which authenticates through LDAP into NDS (we also restrict what
users are allowed outbound access - not everybody at a hospital needs
internet access).
This setup tends to stop most internet-based games ('cept http-based ones)
- and allows for nice monitoring of the remaining (allowed) traffic. (We
log all traffic going through the firewall - and don't give me any grief
about violation of privacy.. big deal.)
--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
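The default-deny egress policy described in the post above, written as an nftables ruleset. This is an added example, not the author's Checkpoint configuration: the table/chain names and the `authenticated_clients` set (standing in for the Checkpoint HTTP Client Auth step, populated by an external authentication process) are assumptions.

```nft
# Constructed example of a default-deny outbound policy on a Linux gateway.
# Mirrors the post: allow only 20-21, 23, 109/110, 80 (authenticated hosts
# only) and 443 outbound; log every new connection, permitted or not.
table inet egress {
    # Hosts whose user has authenticated for web access. Entries are added
    # by an external auth process (assumed), e.g. nft add element ... { 10.1.2.3 timeout 8h }
    set authenticated_clients {
        type ipv4_addr
        flags timeout
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already permitted
        ct state established,related accept

        # Log every new outbound connection before any verdict (audit trail)
        ct state new log prefix "egress-new: "

        # The fixed set of permitted ports from the post
        tcp dport { 20, 21, 23, 109, 110, 443 } ct state new accept

        # Plain HTTP only for hosts that have passed authentication
        ip saddr @authenticated_clients tcp dport 80 ct state new accept

        # Everything else, including game traffic on arbitrary ports, is
        # logged and dropped; the chain policy also drops anything not matched
        ct state new log prefix "egress-drop: " drop
    }
}
```

Load with `nft -f <file>`; dropped attempts show up in the kernel log with the `egress-drop:` prefix, which is the "look at the logs to find the ports/people" step from the quoted reply.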