Cisco Support Community

New Member

CSA - Deny Access for Streaming Media?

Part of our overall network security policy is to block streaming media. This is done in IE by running web traffic through a web cache server (which then blocks the known streaming sites).

However, I have found a loophole with Firefox that would allow users to stream media. I was thinking that we could use CSA to deny access for a Web browser to access a media plug-in or a streaming audio or video file, but I cannot find a way to do this.

We tried making a rule to monitor when a Web browser invokes a Multimedia application, but that is only triggered if IE/Firefox actually OPEN a new application, whereas the plug-in does not trigger the rule. Any ideas?

8 REPLIES
Silver

Re: CSA - Deny Access for Streaming Media?

After defining an application behavior as legitimate or malicious, the appropriate Cisco Security Agent response to the event needs to be configured. Cisco Security Agent can be configured to take a range of actions when an event occurs, such as denying the resource request, terminating the process, asking the user, allowing the behavior, logging, and sending alerts. Refer to the URL http://www.cisco.com/web/about/security/intelligence/05_10_Tuning-Cisco-Security-Agent.html#15

New Member

Re: CSA - Deny Access for Streaming Media?

The problem is that I can't locate a way to isolate the behavior in CSA. I can't really set a CSA response if the rule won't catch the streaming media.

So far, I've targeted monitoring of web browsers invoking other applications, but this does not show me anything due to the streaming media. My next focus area is going to be COM objects. Any ideas what area the behavior might fall under in CSA?

Silver

Re: CSA - Deny Access for Streaming Media?

You can make a Network Access Control List (NACL) rule that denies traffic to any ports of your choosing (then add this policy to a group that your hosts are in).

Blue

Re: CSA - Deny Access for Streaming Media?

You could also create a file access control rule that denies browser (or any) access to the known streaming media plugins. That should keep it from working. Of course it would break all streaming media (we use it internally).

I'm curious, do you have a written policy that prohibits users from viewing streaming media? If so, you could create a query (default deny) rule rather than a straight deny and put the link to the policy (if it's online) in the query text.

That might get the users thinking about what they are doing.

Tom S

New Member

Re: CSA - Deny Access for Streaming Media?

Actually, as I was thinking about this, I realized this probably shouldn't be done through CSA, since CSA is meant to protect the network, not police the users...

The enforcement right now is that we have a list of known streaming media websites in our web cache server and so any traffic that goes through there will be blocked if it is trying to access that streaming site.

However, I discovered a loophole, since Firefox does not require users to go through the web cache server. Maybe I'll try the CSA implementation, just to see if it fixes the loophole.

Thanks.
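Added example, not part of the original thread: one way to find the hosts where the loophole described above exists is to audit each Firefox profile's prefs.js for its proxy settings. The proxy host `webcache.example.internal`, port 8080 and the sample profiles are constructed; the built-in default for `network.proxy.type` varies by Firefox version, so the caller supplies it, and only the HTTP proxy setting is checked.

```python
import re

# prefs.js holds one user_pref("name", value); line per changed preference.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# Values of the network.proxy.type preference.
MODES = {0: "direct", 1: "manual", 2: "pac", 4: "wpad", 5: "system"}
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}

def parse_prefs(text):
    """Parse prefs.js text into {name: bool | int | str}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        raw = m.group(2).strip()
        if raw in ("true", "false"):
            value = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[m.group(1)] = value
    return prefs

def audit_proxy(prefs, host, port, default_type):
    """Return (status, reason); status is 'ok', 'bypass' or 'review'."""
    mode = MODES.get(prefs.get("network.proxy.type", default_type), "unknown")
    if mode == "direct":
        return "bypass", "direct connection, web cache not used"
    if mode != "manual":
        return "review", f"proxy mode '{mode}' is resolved outside prefs.js"
    got = (str(prefs.get("network.proxy.http", "")).lower(),
           prefs.get("network.proxy.http_port", 0))
    if got != (host.lower(), port):
        return "bypass", f"HTTP proxy is {got[0]}:{got[1]}"
    exempt = {h.strip().lower() for h in
              str(prefs.get("network.proxy.no_proxies_on", "")).split(",")}
    extra = sorted(exempt - LOCAL_ONLY - {""})
    if extra:  # hosts listed here are fetched without the proxy
        return "review", "proxy exceptions: " + ", ".join(extra)
    return "ok", "HTTP traffic goes through the required web cache"

# Constructed sample profiles (not taken from the thread).
SAMPLE_DIRECT = 'user_pref("network.proxy.type", 0);\n'
SAMPLE_MANUAL = ('user_pref("network.proxy.type", 1);\n'
                 'user_pref("network.proxy.http", "webcache.example.internal");\n'
                 'user_pref("network.proxy.http_port", 8080);\n')
```

A "review" result means the effective proxy is decided by a PAC file, auto-detection or the system settings, so those need to be checked separately.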

Blue

Re: CSA - Deny Access for Streaming Media?

Sure thing. I thought CSA was the best thing since sliced bread and made the mistake of telling others that it could prevent just about any program we wanted from running.

Now I have to manage that... *sigh*

But I am learning not to open my mouth and I also asked that our written policy support any technical 'enforcement' solution.

I didn't want to have to explain to someone why they couldn't do something they used to be able to do.

Now all I do is point them to the policy (and maybe explain some of the reasons why we have the policy too...).

Tom S

New Member

Re: CSA - Deny Access for Streaming Media?

After doing some research on this, it seems that streaming is very difficult to block at the firewall, especially since the streaming players have rollover protocols, and in the end HTTP is always available.

Here are the file extensions for common streaming formats:

Real Player - ra, rm, ram

Windows Media - asf, asx, wma, wmv, wmvhd

Quicktime - mov, mp4

Flash - swf, flv

Winamp - pls, m3u

To stop your employees from initiating streaming sessions, you can do the following:

- Create a new File access control rule

- Set action to Deny

- Select the Application classes to "Web browser applications" and "Multimedia applications". If you don't have these, you'll have to create your own application class containing: netscape.exe, netscp.exe, netscp6.exe, iexplore.exe, np.exe, opera.exe, firefox.exe, mozilla.exe, wmplayer.exe, mplayer2.exe, QuickTimePlayer.exe, realplay.exe, realjbox.exe, winamp.exe

- Set your files to:

@local\**\*.ra

@local\**\*.rm

@local\**\*.ram

@local\**\*.asf

@local\**\*.asx

@local\**\*.wma

@local\**\*.wmv

@local\**\*.wmvhd

@local\**\*.mov

@local\**\*.mp4

@local\**\*.swf

@local\**\*.flv

@local\**\*.pls

@local\**\*.m3u

I haven't tested this so I can't guarantee it will work, but I think it might be the right direction.

New Member

Re: CSA - Deny Access for Streaming Media?

I have to make a correction. Don't use @local, as that applies to the IP addresses - instead, replace that with @fixed.

Sorry, I keep getting those mixed up. :P
