One of the most common questions I run into from ISA firewall admins is "how do I block streaming media?" In almost all cases where I or someone else knowledgeable about the ISA firewall gives an answer, the hapless ISA firewall admin walks away unsatisfied. Do I and other ISA firewall pros want to make life difficult for these people? No. The problem is that controlling streaming media is more complex than it might appear on first thought.
As you might already know, there is a small collection of streaming media protocols in common use today. These include:
At first look it might appear to be easy to block streaming media protocols. Just don’t create any rules that allow them. That’s easy to do for MMS, RTSP and PNM, but it’s not so easy for HTTP. Obviously, you can’t block HTTP, so we have to consider alternate methods to block streaming media moving over an HTTP application layer transport (note that HTTP is not a transport protocol, but we often refer to the application level protocol that carries the data as an application "transport").
There are a few options for controlling streaming media moving over the HTTP transport. These include:
- Using the HTTP Security Filter to block headers used by the streaming media application
- Blocking connections to known streaming media sites
- Avoiding allow rules for streaming media sites. That is to say, you create allow rules for sites users are allowed to visit, and all other sites are denied
- Blocking the streaming media application using the Firewall client settings
- Blocking the Content Types used by streaming media applications
As you can see, there are a number of methods you can use to control streaming media protocols. What doesn’t exist is a magic bullet: none of these methods by itself will allow you to block all streaming media connections. By using a combination of methods, though, you’ll be able to get the most control.
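To see why no single method is enough, the added example below (not from the original article, and not ISA firewall configuration) runs four of the HTTP-level controls from the list over a few constructed proxy log records and reports which control would catch each request; the Firewall client method is not modelled. The content types, User-Agent substrings and host names are illustrative assumptions.

```python
from urllib.parse import urlsplit

# All values below are illustrative assumptions, not taken from the article.
STREAM_TYPES = {"video/x-ms-asf", "audio/x-pn-realaudio", "audio/mpeg"}
PLAYER_TOKENS = ("nsplayer", "realplayer")   # substrings of player User-Agents
DENY_SITES = {"radio.example"}               # "known streaming media sites"
ALLOW_SITES = {"intranet.example"}           # sites users are allowed to visit

def in_set(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def matched_controls(rec):
    """Return the HTTP-level controls that would stop this request."""
    host = (urlsplit(rec["url"]).hostname or "").lower()
    # Drop parameters such as "; charset=..." before comparing the type.
    ctype = rec.get("content_type", "").split(";")[0].strip().lower()
    agent = rec.get("user_agent", "").lower()
    hits = []
    if any(tok in agent for tok in PLAYER_TOKENS):
        hits.append("header-signature")
    if in_set(host, DENY_SITES):
        hits.append("site-deny")
    if not in_set(host, ALLOW_SITES):
        hits.append("allow-list")
    if ctype in STREAM_TYPES:
        hits.append("content-type")
    return hits

# Constructed proxy log records (not real traffic).
SAMPLE = [
    {"url": "http://live.radio.example/a.asf", "user_agent": "NSPlayer/9.0",
     "content_type": "video/x-ms-asf"},
    {"url": "http://cdn.example/track", "user_agent": "Mozilla/4.0",
     "content_type": "audio/mpeg; charset=binary"},
    {"url": "http://cdn.example/blob", "user_agent": "Mozilla/4.0",
     "content_type": "application/octet-stream"},   # stream with a generic type
    {"url": "http://intranet.example/home", "user_agent": "Mozilla/4.0",
     "content_type": "text/html"},
]

def report(records):
    """Map each request URL to the list of controls that matched it."""
    return {r["url"]: matched_controls(r) for r in records}

if __name__ == "__main__":
    for url, hits in report(SAMPLE).items():
        print(f"{url:35} {', '.join(hits) or 'allowed'}")
```

The third record, a stream fetched by a browser from an unlisted host with a generic content type, is stopped only by the allow-list approach, while the header, site and content-type checks all miss it.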
For those of you who don’t have time to figure out all the streaming media sites, or do the research required to use all of these mechanisms to block streaming media, I highly recommend that you look at Websense or SurfControl.
Thomas W Shinder, M.D.
MVP -- ISA Firewalls