Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
466
Views
11
Helpful
8
Replies

CSA - Deny Access for Streaming Media?

joseph.hamilton
Level 1
Level 1

‎08-24-2006 11:34 AM - edited ‎03-09-2019 04:00 PM

Part of our overall network security policy is to block streaming media. This is done in IE by running web traffic through a web cache server (which then blocks the known streaming sites).

However, I have found a loophole with Firefox that would allow users to stream media. I was thinking that we could use CSA to deny access for a Web browser to access a media plug-in or a streaming audio or video file, but I can not find a way to do this.

We tried making a rule to monitor when a Web browser invokes a Multimedia application, but that is only triggered if IE/Firefox actually OPEN a new application, whereas the plug-in does not trigger the rule. Any ideas?

Labels:
0 Helpful
8 Replies 8

aghaznavi
Level 5
Level 5

‎08-30-2006 11:01 AM

After defining an application behavior as legitimate or malicious, the appropriate Cisco Security Agent response to the event needs to be configured. Cisco Security Agent can be configured to take a range of actions when an event occurs, such as denying the resource request, terminating the process, asking the user, allowing the behavior, logging, and sending alerts. Refer URL http://www.cisco.com/web/about/security/intelligence/05_10_Tuning-Cisco-Security-Agent.html#15

0 Helpful

joseph.hamilton
Level 1
Level 1
In response to aghaznavi

‎08-30-2006 11:05 AM

the problem is that I can't locate a way to isolate the behavior in CSA. I can't really set a CSA response if the rule won't catch the streaming media.

So far, I've targeted monitoring of web browsers invoking other applications, but this does not show me anything due to the streaming media. My next focus area is going to be COM objects. Any ideas what area the behavior might fall under in CSA?

0 Helpful

jwalker
Level 3
Level 3
In response to joseph.hamilton

‎08-30-2006 12:00 PM

You can make a Network Access Control List (NACL) rule that denies traffic to any ports of your choosing (then add this policy to a group that your hosts are in).

0 Helpful

tsteger1
Level 8
Level 8
In response to jwalker

‎08-30-2006 03:31 PM

You could also create a file access control rule that denies browser (or any) access to the known streaming media plugins. That should keep it from working. Of course it would break all streaming media (we use it internally).

I'm curious, do you have a written policy that prohibits users from viewing streaming media? If so, you could create a query (default deny) rule rather than a straight deny and put the link to the policy (if it's online) in the query text.

That might get the users thinking about what they are doing.

Tom S

joseph.hamilton
Level 1
Level 1
In response to tsteger1

‎08-31-2006 11:53 AM

Actually, as I was thinking about this, I realized this probably shouldn't be done through CSA, since CSA is meant to protect the network, not police the users...

The enforcement right now is that we have a list of known streaming media websites in our web cache server and so any traffic that goes through there will be blocked if it is trying to access that streaming site.

However, I discovered a loophole, since Firefox does not require users to go through the web cache server. Maybe I'll try the CSA implementation, just to see if it fixes the loophole.

Thanks.

0 Helpful

tsteger1
Level 8
Level 8
In response to joseph.hamilton

‎08-31-2006 01:15 PM

Sure thing. I thought CSA was the best thing since sliced bread and made the mistake of telling others that it could prevent just about any program we wanted from running.

Now I have to manage that... *sigh*

But I am learning not to open my mouth and I also asked that our written policy support any technical 'enforcement' solution.

I didn't want to have to explain to someone why they couldn't do something they used to be able to do.

Now all I do is point them to the policy (and maybe explain some of the reasons why we have the policy too...).

Tom S

RichardSW
Level 1
Level 1

‎09-08-2006 11:09 PM

After doing some research on this, it seems that streaming is very difficult to block at the firewall, especially since the streaming players have rollover protocols, and in the end HTTP is always available.

Here are the file extensions for common streaming formats:

Real Player - ra, rm, ram

Windows Media - asf, asx, wma, wmv, wmvhd

Quicktime - mov, mp4

Flash - swf, flv

Winamp - pls, m3u

To stop your employees from initiating streaming sessions, you can do the following:

- Create a new File access control rule

- Set action to Deny

- Select the Application classes to "Web browser applications" and "Multimedia applications". If you don't have these, you'll have to create your own application class containing: netscape.exe, netscp.exe, netscp6.exe, iexplore.exe, np.exe, opera.exe, firefox.exe, mozilla.exe, wmplayer.exe, mplayer2.exe, QuickTimePlayer.exe, realplay.exe, realjbox.exe, winamp.exe

- Set your files to:

@local\**\*.ra

@local\**\*.rm

@local\**\*.ram

@local\**\*.asf

@local\**\*.asx

@local\**\*.wma

@local\**\*.wmv

@local\**\*.wmvhd

@local\**\*.mov

@local\**\*.mp4

@local\**\*.swf

@local\**\*.flv

@local\**\*.pls

@local\**\*.m3u

I haven't tested this so I can't guarantee it will work, but I think it might be the right direction.

RichardSW
Level 1
Level 1
In response to RichardSW

‎09-12-2006 06:29 AM

I have to make a correction. Don't use @local, as that applies to the IP addresses - instead, replace that with @fixed.

Sorry, I keep getting those mixed up. :P

0 Helpful
Customers Also Viewed These Support Documents