This is not a real option. The point is to block it at the firewall. In a
company with a lot of users, it's difficult to tell everyone to do this. The
whole point is to take away the control of the users.


"White, Shanice" wrote in message
news:[EMAIL PROTECTED]...
> In Morpheus, if you go to Tools, Options and Traffic, you can turn off your
> file sharing.
>
> -----Original Message-----
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 27, 2001 2:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Blocking Morpheus [7:21302]
>
>
> At 11:48 AM 9/27/01 -0400, sam sneed wrote:
> >Hello,
> >   I wanted to know if anyone knew how to block the Morpheus music sharing
> >program at the firewall. I have a checkpoint firewall which has the
> >following rules
> >Internal  net ---> Any   allow all
> >Any ---> Internet   drop all
> >I installed and ran Morpheus (a new kind of Napster from
> >http://www.musiccity.com/ ). Within an hour other users were downloading
> >MP3's off my workstation which should have been firewalled.
> >I know that the program starts a TCP server on port 1214. This should be
> >blocked by the firewall. Anyone know how this works and how it could be
> >blocked, monitored, or controlled?
> >
> >sam sneed
> A few possibilities.  I never used Morpheus, but I can only guess at what
> the software did.
>
> You initiated an open connection to Mr. Morpheus.  The firewall opens up
> the connection for you to go out, and has a state table to make sure your
> ACK packets can now come back in.  Mr. Morpheus has a full TCP connection
> and can send whatever information it likes.  Since you do not have the
> source code for the client, you do not know what the client is doing.  So
> let us assume the worst.  As long as Mr. Morpheus can tell your server, in
> band through the TCP connection channel-wise, to open another outgoing
> connection and start up the service, it is going to fool your firewall.  If
> your client/host machine srcs from 1214 and goes to Morpheus again, the
> firewall will open the connection, and dynamically create a rule for return
> packets to 1214.  That is my best guess short of misconfiguration on your
> part.
>
> A variant of this is proxy features in a firewall where they dynamically
> open up after seeing some data in the input stream.  So, say you get some
> HTML code with some nasty IRC DCC request that opens below 1024 or some
> other higher port (some things run on higher ports and are still fairly
> useful) and your firewall has an IRC proxy, it will open up a port through
> your firewall and voila.  You now have a direct line to the outside.  Of
> course, any proxy method with some kind of embedding can do this.  Scary,
> eh?  The silent trojan, thanks to HTML-based email software and random bad
> web sites.  The solution would be to use a web proxy that disables ridiculous
> attempts in the HTML code stream.
>
> As to how to solve this?  Do not use Morpheus.  Or, make a restrictive
> outgoing policy.  Internal net->Any allow all, although it is easy to write,
> means that someone can trick your internal net, a la trojans or weirdo
> clients, into opening a port out.  If it is cleverly written, they can
> subvert your firewall, since it has no idea it is being fooled when it sets
> up the dynamic rules via state tables.
>
>
>
> -Carroll Kong

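The mechanism Carroll describes above (an outgoing connection creating a dynamic
return rule in the state table, so a client that dials out from its own 1214 port
gets a full two-way channel under "Internal net -> Any allow all") is easy to see
in a toy stateful filter. The following is an added example written for this page,
not code from the thread or from Check Point; the rule model, the internal network
10.0.0.0/8, the host and peer addresses, and the restrictive allow-list of ports
25, 53, 80 and 443 are all assumptions chosen for illustration. It evaluates the
two rules Sam posted (plus the implicit cleanup drop) and then a restrictive
outgoing policy, against the same three packets: an unsolicited inbound SYN to
1214, the client dialing out from 1214, and the peer's data coming back.

```python
"""Toy stateful packet filter: first-match rules plus a connection state table.

Added example for this thread; not the poster's or vendor's code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

# Assumed internal network; the original post never names one.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening TCP SYN


@dataclass(frozen=True)
class Rule:
    src: str                          # "internal", "internet" or "any"
    dst: str
    dports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                       # "allow" or "drop"


def _zone_matches(selector: str, ip: str) -> bool:
    is_internal = ip_address(ip) in INTERNAL_NET
    return {"any": True, "internal": is_internal, "internet": not is_internal}[selector]


class StatefulFirewall:
    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules: List[Rule] = list(rules)
        # 4-tuples (src, sport, dst, dport) of flows already allowed through.
        self.state: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        # Return traffic of an allowed flow is matched against the state table
        # first; no rule is consulted, exactly the behaviour the thread describes.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow (state)"
        for rule in self.rules:
            if (_zone_matches(rule.src, pkt.src) and _zone_matches(rule.dst, pkt.dst)
                    and (rule.dports is None or pkt.dport in rule.dports)):
                if rule.action == "allow" and pkt.syn:
                    # The outgoing SYN creates the dynamic rule for return packets.
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "drop"  # implicit cleanup rule: anything unmatched is dropped


# The two rules from the original post, as written there.
POSTED_RULES = [
    Rule("internal", "any", None, "allow"),
    Rule("any", "internet", None, "drop"),
]

# Assumed restrictive outgoing policy: only named services out, default drop.
RESTRICTIVE_RULES = [
    Rule("internal", "internet", frozenset({25, 53, 80, 443}), "allow"),
    Rule("any", "any", None, "drop"),
]

HOST = "10.1.2.3"      # assumed internal workstation running the P2P client
PEER = "203.0.113.5"   # assumed outside peer (documentation range)


def morpheus_scenario(rules: Iterable[Rule]) -> Tuple[str, str, str]:
    """Run the three packets from the discussion through a fresh firewall."""
    fw = StatefulFirewall(rules)
    unsolicited = fw.filter(Packet(PEER, 40000, HOST, 1214, syn=True))  # inbound to the file server
    dial_out = fw.filter(Packet(HOST, 1214, PEER, 1214, syn=True))      # client dials out from 1214
    peer_reply = fw.filter(Packet(PEER, 1214, HOST, 1214))              # peer's data coming back
    return unsolicited, dial_out, peer_reply


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("restrictive", RESTRICTIVE_RULES)):
        print(name, morpheus_scenario(rules))
```

Under the posted rules the unsolicited inbound SYN is dropped, as Sam expected,
but the client's own outbound connection is allowed and the peer's traffic then
rides back in on the state entry. Under the restrictive policy the dial-out never
matches an allow rule, so no state entry is created and the return traffic is
dropped as well, while an ordinary request to port 443 still goes out.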
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=21570&t=21302
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]