Check Point community forum
Author Topic: Blocking Orkut through Checkpoint  (Read 2877 times)
rockysam39
Newbie
*
Posts: 16


« on: May 14, 2008, 02:04:38 PM »

We are using NGX R60. I tried to block Orkut by creating a Rule where I have added our Network Address as Source, all orkut IP addresses (a Group of Nodes) as destination, for ANY service, to DROP packets & enabled LOG for this Rule.

I found the IP addresses for orkut from the websites - dnsstuff.com, network-tools.com, site24x7.com.

This rule successfully blocked Orkut until yesterday. However, since this morning I see orkut is accessible directly by its URL.

I believe there is something I may be missing out with my set of rules. Can anyone suggest a better idea?

FYI.....I have used another Group for www.meebo.com in the same Rule and that blocks Meebo successfully (at least until now).

Please advise if anyone has any solution to this.

NOTE: We are about to implement WebSense; till then I want to achieve this via the Firewall.
Logged
juve
Administrator
Jr. Member
*****
Posts: 92


« Reply #1 on: May 14, 2008, 03:28:53 PM »

You can do this with a resource rule.

Go to resources -> http and add a new uri
Give it a name and go to the match tab
select scheme http
Select get method
add www.orkut.com in the host field
save

In your policy, create a rule before your internet access with the following structure :

source : your network
destination : any
service : right-click and select add with resource. Select http and set your created resource in the resource field
action : drop
Log the rule and push the policy.

Now, the http security server will inspect the url and if it sees www.orkut.com in the host, it will drop the connection.
Logged
rockysam39
Newbie
*
Posts: 16


« Reply #2 on: May 15, 2008, 11:05:38 AM »

HEY JUVE


U R MY MAN!!!!!!

That worked....however I will keep this under observation for some time now and will get back to you if it still allows Orkut.

Earlier with my kind of Rule IE simply gave the PCBD error but now it's even better as it gives an error - "<firewall name>: Access is Denied".

I'm curious if there is a way to modify / customize this message.

I will continue with my R&D but I also hope to know from u if this is possible.
Logged
rockysam39
Newbie
*
Posts: 16


« Reply #3 on: May 15, 2008, 11:15:37 AM »

Now I have another question.

Can we use some similar method to block the GTalk through both client and also the web-based one?

As per information from Google Developer page, and other sites, Gtalk works over ports 5222 & 5223 but blocking that does not block Gmail chat because Gtalk continues to work over ports 80 & 443.

If anyone can suggest something more that will be really helpful.
Logged
rockysam39
Newbie
*
Posts: 16


« Reply #4 on: May 15, 2008, 12:53:52 PM »

Coming back to the Orkut blocking point.....

The moment I pushed the policy it did block Orkut; however, suddenly an avalanche of Rejected packets caused the CPU utilization to shoot up to 100% and the internet was blocked altogether as all packets were rejected by Rule 0 (which is a non-existent rule).

I believe there was a conflict with an existing Rule that I had used to block orkut (The rule I described in my first post).

So I disabled that Rule & modified this new rule with only 3 Source IP. Orkut is blocked for these Sources but the packets are still rejected by the new Rule instead of dropping them.

Can you please advise what I may be doing incorrectly?
Also, if you need some more information for analysis, let me know.
Logged
juve
Administrator
Jr. Member
*****
Posts: 92


« Reply #5 on: May 15, 2008, 03:18:52 PM »

Most likely this is SmartDefense interfering. If you go to SmartDefense, web intelligence, there should be an option to apply SmartDefense only to connections related to uri resources. Can you check these configs? They are either in the web intelligence tab or in the SmartDefense tab. Is there any info in the information field of the log?
Logged
rockysam39
Newbie
*
Posts: 16


« Reply #6 on: May 16, 2008, 06:58:13 AM »

Hi Juve

Thanks for the information. I will make these changes during non-business hours as I don't want to mess up the internet access (like I did yesterday).

However I have a few more queries.

In SmartDefense Tab, under Web Intelligence > HTTP Protocol Inspection, I can apply these changes in the following places:

HTTP Format Sizes (here I already set Max Header Value Length to 5000, as yesterday's logs indicated "Header exceeded 'max_header_length'.The length of one of the headers (3248) in the request exceeded the maximum allowed length (2100).")

ASCII Only Request

ASCII Only Response Headers (which is Inactive in our Firewall)

Header Rejection

I have already enabled 'Apply to connections related to URI Resources' for Header Rejection & HTTP Format Sizes.

Please advise where I should enable this 'Apply to connections related to URI Resources' setting.

I also enabled 'http_allow_content_disposition' property to 'true' as suggested by the Log error for Rejected packets.

I will wait for your suggestions. I will push these changes in the non-business hours & update you with the outcome.

THANKS A LOT IN ADVANCE FOR YOUR CONSULTATION


Logged
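Added example (not part of the original thread and not Check Point's code): a simplified Python model of the two approaches discussed above, an IP-group rule versus a Host-header match as in the URI resource, plus the header-length limit quoted from the log. The addresses, function names and the assumption that the size check applies to every request passing HTTP inspection are constructed for illustration.

```python
# Simplified model, NOT Check Point's implementation: compares an IP-group
# rule with a Host-header (URI resource style) rule, plus a header size limit.

BLOCKED_IPS = {"192.0.2.10", "192.0.2.11"}   # constructed: addresses collected earlier
BLOCKED_HOSTS = {"www.orkut.com"}            # host named in the thread
MAX_HEADER_VALUE_LEN = 2100                  # limit quoted in the log message


def parse_request(raw: bytes):
    """Return (method, headers) from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def ip_rule(dst_ip: str) -> str:
    """Layer-3 rule: only knows the destination address."""
    return "drop" if dst_ip in BLOCKED_IPS else "accept"


def http_rule(raw: bytes) -> str:
    """HTTP-layer rule (assumed order): size check first, then Host match on GET."""
    method, headers = parse_request(raw)
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE_LEN:
            return f"reject: header '{name}' length {len(value)} > {MAX_HEADER_VALUE_LEN}"
    host = headers.get("host", "").split(":")[0].lower()
    if method == "GET" and host in BLOCKED_HOSTS:
        return "drop"
    return "accept"


def build_get(host: str, cookie_len: int = 0) -> bytes:
    """Build a sample GET request (constructed test input)."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\n"
    if cookie_len:
        req += "Cookie: " + "a" * cookie_len + "\r\n"
    return (req + "\r\n").encode("latin-1")


if __name__ == "__main__":
    print(ip_rule("198.51.100.7"))                     # site now served from a new address
    print(http_rule(build_get("www.orkut.com")))       # still matched by Host
    print(http_rule(build_get("example.com", 3248)))   # unrelated site, long header
```

In this model the IP rule misses the site as soon as it is served from an address outside the group, while the size check rejects requests to unrelated hosts whenever a header exceeds the limit.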
rockysam39
Newbie
*
Posts: 16


« Reply #7 on: May 16, 2008, 07:39:27 AM »

Hi

I tried the above solution. But even after making all the changes as suggested the Firewall CPU usage shoots up immediately. There may be some other conflict that I need to take care of. Any help or suggestion will be appreciated.

Let me know if you need any of the log information from Rejected packets.
Logged
juve
Administrator
Jr. Member
*****
Posts: 92


« Reply #8 on: May 16, 2008, 07:45:22 AM »

Hi,

What kind of hardware is the firewall running on? SmartDefense may become CPU intensive. Which HFA is running on the firewall?

What you can try is to disable the http protection, push the policy and if the CPU is OK, enable them one by one. Make sure you enable the HTTP format sizes to match only on URI resources.
Logged
rockysam39
Newbie
*
Posts: 16


« Reply #9 on: May 16, 2008, 11:37:44 AM »

The idea was really great, it works as well, but the Firewall can't seem to be able to take the load. Also I started seeing a lot of Rejected packets against Rules which should Drop the packets.

We are using a RESILLIENCE NDURANT 20
Version: NGX (R60) HFA_03, Hotfix 603
OS: Linux30 Version: 2.4


I have disabled the other Rules and kept only the one Rule for Orkut to eliminate the possibility of any conflict between two Rules but to no effect.
Logged
juve
Administrator
Jr. Member
*****
Posts: 92


« Reply #10 on: May 16, 2008, 12:52:55 PM »

I tried in a test setup to block it using a domain object, but that doesn't seem to work. Which IP address(es) did you block for orkut?
Logged
rockysam39
Newbie
*
Posts: 16


« Reply #11 on: May 20, 2008, 01:21:29 PM »

I had tried to block orkut following the instructions as you had mentioned -


Go to resources -> http and add a new uri
Give it a name and go to the match tab
select scheme http
Select get method
add www.orkut.com in the host field
save

In your policy, create a rule before your internet access with the following structure :

source : your network
destination : any
service : right-click and select add with resource. Select http and set your created resource in the resource field
action : drop
Log the rule and push the policy.


By doing this the entire internet traffic was blocked with everything Rejected. So I got rid of that Rule completely. Now I also have SmartDefense disabled so that such a havoc does not happen.

I think I will have to look for Websense for this rather than trying to act smart with SmartDefense
Logged