Slashdot Mirror


Using Firewalls to Block Spyware?

MartinMotor asks: "I'm a Network Administrator for a company with approximately 200 users, and we just installed a shiny new PIX. Being the resourceful network geek type, I immediately started adding deny statements to kill off access to places where people can download evil cursed programs like HOTBAR. Is there anywhere out there where people like me are maintaining a list of IPs for spammers, spyware progs, and pop-uppers to add to our firewalls? I can't be the first person to have this idea."

7 of 72 comments

  1. spybot search and destroy by joFFeman · · Score: 5, Informative

    comes with a HOSTS.TXT that you can extract the data from.

    http://security.kolla.de/

    --
    "Life is great; without it, you'd be dead." -Harmony Korine
  2. Firewall policy by Krandor3 · · Score: 5, Informative

    A firewall should be configured to deny everything and only allow through what is needed. Only open ports that you need to open. Stuff like pop-ups that run on port 80 (which you need to open for at least your squid proxy) are a different matter. As for blocking pop-ups and stuff like that, those are best done on the proxy server. On my proxy, I block all ad related sites (doubleclick, etc) and it is real easy to do with squid. The downside is that on some sites (like cnn) you get java errors on some of their java code. Just tell the users to say "no" to the "do you want to execute more java code from this page" and it is fine. That is the configuration I use and it works fine.

    1. Re:Firewall policy by Anonymous Coward · · Score: 4, Insightful

      Huh? Either this is a troll, or you just don't get it.

      Any half-wit administrator should be filtering all outbound traffic, to just the ports NEEDED for the business to function (in many cases, that means the internal equipment must use the proxy for everything, or they can forget about connecting to the net). Everything else should run through a proxy/caching server, or an internal SMTP relay server. I've yet to come across any application that I've permitted my users to install, which was unable to work with a proxy server.

      Not only does a proxy/caching/relay server greatly speed up overall internet access, but it allows for the company to fully log where an employee goes online, and better control their use of the net. In the event of any legal issues, the company can use those logs for either defense or prosecution.

      Effective egress filtering also prevents employees (or even a virus or trojan) from using your internet connection to send spam, attack others, and anything else that the business does not need the employee to do.

      If there's something wrong with your proxy server - that's likely the admin's fault, or a POS proxy server. I don't know what you use, but the squid proxy/caching server is one that I've used extensively in many environments, and it has performed without issue for quite some time.

      Are you aware that most IM sessions are not encrypted, all chat messages are passed through servers that you do not and cannot control, and therefore are not secure by any stretch of the imagination. You open that barn door, and I guarantee you your users will quickly forget whatever you told them about the insecurity, and start sending confidential and/or proprietary information via the chat tools.

      A specific list of websites - well, we actually do. Mozilla/Netscape can go anywhere on the net, but IE is restricted to just a few business related sites. This works very well to curtail users' access to potentially hazardous sites, without impacting their ability to function.
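    Comment 1 points at Spybot's HOSTS.TXT as a source of spyware hostnames and comment 2 blocks ad and spyware sites on the squid proxy; the converter below turns a hosts-file blocklist into a squid dstdomain ACL list. It is an added example, not code from the thread, Spybot or Squid; the sample entries are constructed and the ACL file path in the comment is an assumed one.

    ```python
    """Convert a HOSTS-format blocklist ('127.0.0.1 hostname' per line, as
    Spybot's HOSTS.TXT uses) into a Squid dstdomain ACL list.
    Added example; not from Spybot or Squid. Sample input is constructed."""
    import re
    from typing import Iterable, List

    # Constructed sample in HOSTS.TXT style: comments, blank lines, the
    # mandatory localhost entries, a duplicate in mixed case, inline comments.
    SAMPLE_HOSTS = """\
    # Spyware/ad hosts blocklist (constructed sample)
    127.0.0.1       localhost
    127.0.0.1       ads.example.net   # banner server
    0.0.0.0         tracker.example.org
    127.0.0.1       ADS.Example.NET
    127.0.0.1 popups.example.com www.popups.example.com

    ::1             localhost
    """

    SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}   # blocklist targets
    LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
    HOSTNAME_RE = re.compile(
        r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

    def hosts_to_domains(lines: Iterable[str]) -> List[str]:
        """Sorted, de-duplicated, lower-cased domains from hosts-format lines.
        Lines that do not point at a sinkhole address are real host mappings
        and are ignored, as are localhost names and malformed hostnames."""
        found = set()
        for raw in lines:
            fields = raw.split("#", 1)[0].split()     # strip comments, tokenize
            if len(fields) < 2 or fields[0] not in SINKHOLE_ADDRS:
                continue
            for name in fields[1:]:
                name = name.lower().rstrip(".")
                if name not in LOCAL_NAMES and HOSTNAME_RE.match(name):
                    found.add(name)
        return sorted(found)

    def squid_dstdomain_lines(domains: Iterable[str]) -> List[str]:
        """Squid dstdomain ACL file lines. A leading dot matches the domain and
        every subdomain, so a name whose parent is already listed is dropped
        (Squid warns about such overlapping entries)."""
        dset, out = set(domains), []
        for d in sorted(dset):
            parts = d.split(".")
            parents = {".".join(parts[i:]) for i in range(1, len(parts) - 1)}
            if not parents & dset:
                out.append("." + d)
        return out

    if __name__ == "__main__":
        # Assumed squid.conf wiring:  acl spyware dstdomain "/etc/squid/spyware.acl"
        #                             http_access deny spyware
        print("\n".join(squid_dstdomain_lines(hosts_to_domains(SAMPLE_HOSTS.splitlines()))))
    ```
    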

  3. Maybe these? by Gryftir · · Score: 4, Informative

    Spy Sites
    As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.

    Gryftir
    Death to all Fanatics!

    --
    http://www.santacruzbynight.com/index.shtml Santa Cruz By Night Vampire Larp
  4. Time wasters... by (H)elix1 · · Score: 5, Funny

    I don't have a complete list, but you may want to add 66.35.250.150 to your IP blocks banned. I've seen way too much time lost to that one...

    1. Re:Time wasters... by muonzoo · · Score: 4, Informative
      In case you can't figure it out; it's funny.
      Welcome to Darwin!
      bash-2.05a$ host 66.35.250.150
      150.250.35.66.IN-ADDR.ARPA is a nickname for 150.0/24.250.35.66.IN-ADDR.ARPA
      150.0/24.250.35.66.IN-ADDR.ARPA domain name pointer slashdot.org
  5. hosts file works well by infonography · · Score: 4, Informative

    Here is a copy of mine in Text format.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23