Blocking specific ports because they're "threats" sort of worked
okay around 1995.  In the Internet of the 21st century, it doesn't.

  The Right Way(TM) to define a firewall policy is to block all
traffic by default, and then open up what your organization actually 
needs.  That way, you can get away with ignoring new threats unless
they actually apply to stuff your organization does, instead of
constantly putting out fires each time the building catches.

David Gillett


> -----Original Message-----
> From: Jude Naidoo [mailto:[EMAIL PROTECTED]
> Sent: July 26, 2003 09:06
> To: Jane Han; ALLEN, DONALD S (AIT); [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: where should I start? help!
> 
> 
> Hi Jane
> 
> What about other valid applications that could use either TCP
> or UDP 554?
> 
> It may be more work, but wouldn't access to the streaming servers be
> disallowed? With most browser/streaming applications, you can change the
> proxy port or even the port to use for streaming audio/video.
> 
> Pretty soon you could find yourself blocking loads of ports...
> 
> Just my 2 cents worth...
> 
> 
> Jude
> 
> 
> ----- Original Message ----- 
> From: "Jane Han" <[EMAIL PROTECTED]>
> To: "ALLEN, DONALD S (AIT)" <[EMAIL PROTECTED]>; 
> <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, July 25, 2003 3:52 PM
> Subject: RE: where should I start? help!
> 
> 
> > Thank you so much for all your help.  Finally, I found
> > the problem.  many streaming radio or video using port
> > 554.
> >
> > If I want to block all streaming radio or video on the
> > PIX,
> >
> > can I use access-list 100 deny tcp any any eq 554
> >           access-list 100 deny udp any any eq 554
> >
> > Any other suggestions or concerns?
> >
> > Thanks again,
> >
> > Jane
> >
> >
> > --- "ALLEN, DONALD S (AIT)" <[EMAIL PROTECTED]> wrote:
> > > Show Conns or show conns?
> > > Show Xlate or show xlate?
> > >
> > > And using the PDM web module are ways to get Pix
> > > information without a
> > > sniffer.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Jane Han [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 24, 2003 9:08 AM
> > > To: Ben Hicks; [EMAIL PROTECTED];
> > > [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: where should I start? help!
> > >
> > >
> > > Thanks for all help.  If I want to find all traffic on
> > > the PIX internal interface, what should I do?  Using a
> > > sniffer?  How do I position the sniffer?  How can I
> > > span a port on the PIX, or do I have to do spanning on the
> > > switch?
> > >
> > > Any suggestions or help will be highly appreciated.
> > >
> > >
> > > switch ---PIX---external router
> > >
> > > The external router serial interface status is as follows:
> > >
> > > Serial0/0 is up, line protocol is up
> > >   Hardware is DSCC4 Serial
> > >   Internet address is a.b.c.d/30
> > >   MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
> > >      reliability 255/255, txload 24/255, rxload 235/255
> > >   Encapsulation HDLC, loopback not set
> > >   Keepalive set (10 sec)
> > >   Last input 00:00:05, output 00:00:01, output hang never
> > >   Last clearing of "show interface" counters 1d23h
> > >   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
> > >   Queueing strategy: fifo
> > >   Output queue: 0/100 (size/max)
> > >   30 second input rate 1424000 bits/sec, 230 packets/sec
> > >   30 second output rate 147000 bits/sec, 161 packets/sec
> > >      16859032 packets input, 2850828712 bytes, 0 no buffer
> > >      Received 17055 broadcasts, 0 runts, 0 giants, 0 throttles
> > >      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
> > >      13720059 packets output, 3084799197 bytes, 0 underruns
> > >      0 output errors, 0 collisions, 0 interface resets
> > >      0 output buffer failures, 0 output buffers swapped out
> > >      0 carrier transitions
> > >      DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
> > >
> > >
> > > Thanks in advance,
> > >
> > > Jane
> > > --- Ben Hicks <[EMAIL PROTECTED]> wrote:
> > > > Hmm, So the firewall is performing the nat then.
> > > >
> > > > Just out of interest, what is the firewall doing?
> > > > does it have any access
> > > > lists on it ?
> > > >
> > > > Thanks,
> > > >
> > > > Ben
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Jane Han [mailto:[EMAIL PROTECTED]
> > > > Sent: 15 July 2003 16:20
> > > > To: Ben Hicks; [EMAIL PROTECTED]
> > > > Subject: RE: where should I start? help!
> > > >
> > > >
> > > > Ben,
> > > >
> > > > I appreciate your answer.  I enabled the IP
> > > > accounting
> > > > and the IP accounting only shows the destination
> > > > address as public address (NAT).  Is there a way
> > > > that
> > > > I can trace this public IP address (NAT) to
> > > > the internal private IP address?
> > > >
> > > > Thanks,
> > > >
> > > > Jane
> > > >
> > > > --- Ben Hicks <[EMAIL PROTECTED]> wrote:
> > > > > The interface is very heavily utilised on the receiving of
> > > > > information - i.e. persons downloading.
> > > > >
> > > > > Your interface (at the time of the snapshot) was very heavily
> > > > > utilised.  188/255 RX suggests that your link is about 75%
> > > > > utilised, which is very high.
> > > > >
> > > > > There are of course many other things that could be attributing
> > > > > to the problem, but I would start here.
> > > > >
> > > > > You could perhaps enable ip accounting to find out which IP
> > > > > addresses are accessing the most amount of information.
> > > > >
> > > > > HTH
> > > > >
> > > > > Ben.
> > > > >
> > > > > -----Original Message-----
> > > > > From: Jane Han [mailto:[EMAIL PROTECTED]
> > > > > Sent: 08 July 2003 15:41
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: where should I start? help!
> > > > >
> > > > >
> > > > > Hi, all
> > > > >
> > > > > I am relatively new to this field.  We have a full T1
> > > > > but the internet speed is very slow.
> > > > > Sometimes it's even slower than dial-up speed when downloading
> > > > > files.
> > > > >   E1 E0    E0         s0
> > > > > Switch ---   PIX ------Cisco 2600 Router------Internet
> > > > >
> > > > > (E1 and E0 are Ethernet interfaces and S0 is the serial
> > > > > interface) (please see the following status on s0)
> > > > >
> > > > > Serial0/0 is up, line protocol is up
> > > > >   Hardware is QUICC Serial
> > > > >   Internet address is X.X.X.X/30
> > > > >   MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
> > > > >      reliability 255/255, txload 26/255, rxload 188/255
> > > > >   Encapsulation HDLC, loopback not set
> > > > >   Keepalive set (10 sec)
> > > > >   Last input 00:00:02, output 00:00:00, output hang never
> > > > >   Last clearing of "show interface" counters never
> > > > >   Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
> > > > >   Queueing strategy: weighted fair
> > > > >   Output queue: 0/1000/64/3307 (size/max total/threshold/drops)
> > > > >      Conversations  0/57/256 (active/max active/max total)
> > > > >      Reserved Conversations 0/0 (allocated/max allocated)
> > > > >   30 second input rate 1510000 bits/sec, 235 packets/sec
> > > > >   30 second output rate 214000 bits/sec, 173 packets/sec
> > > > >      76598509 packets input, 1523011153 bytes, 0 no buffer
> > > > >      Received 104544 broadcasts, 0 runts, 0 giants, 0 throttles
> > > > >      1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
> > > > >      66685034 packets output, 4044743843 bytes, 0 underruns
> > > > >      0 output errors, 0 collisions, 1 interface resets
> > > > >      0 output buffer failures, 0 output buffers swapped out
> > > > >      0 carrier transitions
> > > > >      DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
> > > > >
> > > > > I checked the S0 interface status on the internet
> > >
> > === message truncated ===

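The point David makes about default-deny policies, and the two PIX access-list lines Jane asks about, can be checked side by side with a small evaluator. The block below is an added example, not code from anyone in this thread. It implements only the PIX 6.x access-list semantics the discussion depends on: first match wins, `eq PORT` matches the destination port, and once an access-list is applied to an interface with `access-group` it ends in an implicit deny. The inside network 10.1.0.0/16, the sample flows and the "allowlist" policy are constructed for the demonstration; the "as posted" lines are Jane's two ACEs exactly as she wrote them.

```python
"""Evaluate Cisco PIX-style access-lists against sample flows.

Added example, not code from the thread.  Models only the PIX 6.x
semantics the discussion turns on: first-match ordering, `eq PORT`
on the destination port, and the implicit deny at the end of an
access-list that has been applied with `access-group`.  Address
operands supported: `any`, `host A.B.C.D`, and `A.B.C.D MASK`
(PIX takes a normal netmask, not an IOS wildcard mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port
    text: str             # original line, reported when the rule matches


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse lines of the form: access-list NAME permit|deny PROTO SRC DST [eq PORT]."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        name, action, proto = t[1], t[2], t[3]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t):
            if t[i] != "eq" or len(t) != i + 2:
                raise ValueError(f"unsupported ACE: {line}")
            dport = int(t[i + 1])
        rules.append(Rule(name, action, proto, src, dst, dport, line.strip()))
    return rules


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, matching rule text).  First match wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny at end of access-list"


# Jane's two lines exactly as posted.  Applied on their own with
# `access-group 100 in interface inside`, the implicit deny drops everything else too.
AS_POSTED = """
access-list 100 deny tcp any any eq 554
access-list 100 deny udp any any eq 554
"""

# The same lines plus a permit-all: a true port blocklist.
BLOCKLIST = AS_POSTED + "access-list 100 permit ip any any\n"

# Default-deny outbound policy: only what the organisation needs is permitted,
# the implicit deny handles the rest.  10.1.0.0/16 is an assumed inside network.
ALLOWLIST = """
access-list inside_out permit udp 10.1.0.0 255.255.0.0 any eq 53
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 25
"""

# Constructed sample flows: (label, proto, src, dst, dst port).
FLOWS = [
    ("web", "tcp", "10.1.2.3", "198.51.100.10", 80),
    ("dns", "udp", "10.1.2.3", "198.51.100.53", 53),
    ("rtsp default port", "tcp", "10.1.2.3", "198.51.100.20", 554),
    ("rtsp on alternate port", "tcp", "10.1.2.3", "198.51.100.20", 8554),
]


def compare_policies():
    """Map each policy name to {flow label: action} over the sample flows."""
    policies = {"as posted": AS_POSTED, "blocklist": BLOCKLIST, "allowlist": ALLOWLIST}
    return {
        pname: {label: evaluate(parse_acl(acl), proto, s, d, p)[0]
                for label, proto, s, d, p in FLOWS}
        for pname, acl in policies.items()
    }


if __name__ == "__main__":
    for pname, results in compare_policies().items():
        print(pname)
        for label, action in results.items():
            print(f"  {label:24s} {action}")
```

Running it shows the three outcomes the thread circles around: the two lines as posted, applied to the inside interface by themselves, deny the web and DNS flows as well, because nothing else is permitted before the implicit deny; adding `permit ip any any` turns them into a port blocklist that stops RTSP on 554 but passes the same stream on 8554, which is Jude's objection; the allowlist form permits only the listed services and drops both RTSP flows without naming port 554 at all, which is the default-deny policy David describes.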
