#1 (permalink)
Newbie
Join Date: Aug 2007
Posts: 5
I hope I am posting this in the right place, my apologies if not.
I have the Untangle box set up as a bridge between my LAN and the edge router. I would like to monitor or block all streaming audio such as AOL Radio, Shoutcast and so on. So far I cannot find any settings that can do this in the Protocol Control and the Web Filter. Has anybody been successful at this? It is starting to really eat up a lot of our bandwidth and we cannot afford to have that traffic anymore. Will I be able to at least see this traffic in the reports when they are available? Thanks!

#2 (permalink)
Join Date: Aug 2007
URLs submitted: 171
Posts: 4,535
Dman33,
This is an interesting one, plus I got to listen to my favorite blues song of all time while I was figuring out an answer. THANK YOU! I believe your answer has multiple parts and may still require some tuning on your part. The caveats are at the end of this, so please go all the way through.

In WEB CONTENT CONTROL, you can block audio and video file extensions. The list isn't complete, but it gets a lion's share of them. You can also block mime types, but the catch is that mime types may be omitted or specified incorrectly. They are used when a file extension can be processed in multiple ways and further specification is necessary. Common mime types are:
- "x-ms-wma" for Windows Media audio
- "x-ms-wmv" for Windows Media video
- "x-realaudio" for Real Audio
- "x-realaudio-plugin" for Real Audio embedded
- "video/x-ms-asf" for ASX files
- "application/x-ms-asf" also for ASX files
- "video/quicktime" for Quicktime movies
- "x-unagi-2" for AOL plugins (may or may not work)

Also, I dug into AOL Radio, and found that all streaming content is coming from servers at "music.aol.com" and "streamops.aol.com". If you put those servers on the BLOCK list, you must put "aol.com" on the PASS list ... otherwise, all of AOL would be off limits. That's your policy call.

Considering how many videos are now being served up on the big portals and the popularity of YouTube, I wonder if the higher bandwidth requirements of video may be having more of an impact to you than video. You're in a better position to judge that.

Finally, the caveats that I hinted at earlier. Web server passing/blocking is based on standard (port 80) access. You're effectively blocking the interface to the music, not the music itself. You may have real needs to allow users access to certain types of audio/video, so further analysis and/or experimentation may be required to know where the right balance is. I hope this helps.

#3 (permalink)
Join Date: Aug 2007
URLs submitted: 171
Posts: 4,535
Dman33 ... an addition to my previous post.
Under PROTOCOL CONTROL, you can specifically block and/or log three types of streaming video as well as Shoutcast audio. You can also add protocols to this list as needed providing that you can get the protocol's signature. Please refer to the wiki page at http://wiki.untangle.com/index.php/Protocol_Control. Logging the traffic first to see where your biggest needs are would be the first step. Good luck!

#4 (permalink)
Newbie
Join Date: Aug 2007
Posts: 5
Thanks for the detailed reply, mdh! Yes, it is a bit tricky to block exactly what you want to block without blocking necessary services. I think blocking the subdomain that AOL streaming uses may be helpful. I was hoping that there would be a protocol 'fingerprint' that would be helpful in filtering such traffic instead.
I'll go ahead and start monitoring traffic to/from the "music.aol.com" and "streamops.aol.com" servers to see what is going on there. Essentially, we are moving from being rather open with regards to our IT usage policy to restricting, thanks to the few bad apples in the bunch. I am in the middle of proposing to mgmt that we get a DSL line dedicated for HTTP/media from the LAN users, thus leaving our T1s to business critical apps/services. Hopefully they will approve that so I do not have to appear so draconian to the users and my servers can be happy too.

#5 (permalink)
Newbie
Join Date: Aug 2007
Posts: 5
Ah, yes.. this wiki page has the answers for me. Hopefully I can just pinpoint exactly where the excessive bandwidth is coming from. So far I have found quite a few Limewire clients on the LAN. Tomorrow the reports will be ready with some good usage numbers. Thanks again!

#6 (permalink)
Master Untangler
Join Date: Sep 2007
Location: West Chester, Pennsylvania, USA
Posts: 158
Well, I just ran into this sort of thing. I log almost everything I can think of. I'd rather have too much info than not enough. In any case, I looked through my reports the other day and saw some people were streaming audio. I block most of that but I'm sure some things get through... So, I added the site (http://www.977music.com/) to the block list and made sure I could get there. It seemed to do as I expected - block the page. However, I checked my logs today and one user had almost 10,000 hits on this one site that I know was being blocked. Needless to say, I was curious and pissed at the same time! I remoted into the user's PC and saw that he had Windows Media Player open. None of the IE pages that were open were showing the blocked page. WMP was playing a playlist of some sort! After playing around I found that the guy had pulled down an ASX file and WMP was playing it just fine. I did some reading here and found that I wasn't the only one with this issue.
Well, I was able to block the downloading of this file type by checking the box for video/x-ms-asf in Web Filter > Block Lists > MIME Types. I couldn't find all the others listed above. I'm still using v5.0 so my list may be different from the older and newer versions. However, I can't stop a zip file, containing that file type, from getting through. Basically, I can't stop the file from streaming audio once it's in the building. Any ideas?
04-25-08 1132 EDT Rob @ HomeNet
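
The filtering logic discussed in posts #2 and #6, as an added example that is not part of the thread and not Untangle's own code: it flags a response by the hosts and MIME names quoted above, then falls back to the file extension when the Content-Type is missing or wrong, and counts flagged requests per client. The log format, the extension list, the function names and the sample lines are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit
import posixpath

# MIME names quoted in the thread, matched on the subtype so that
# "audio/x-ms-wma" and a bare "x-ms-wma" both hit.
STREAM_SUBTYPES = {"x-ms-wma", "x-ms-wmv", "x-realaudio", "x-realaudio-plugin",
                   "x-ms-asf", "quicktime", "x-unagi-2"}
# Assumption: illustrative extension list, not Untangle's built-in one.
STREAM_EXTS = {".asx", ".asf", ".wma", ".wmv", ".ra", ".ram", ".mov"}
# Hosts named in the thread for AOL Radio.
STREAM_HOSTS = {"music.aol.com", "streamops.aol.com"}

def classify(host, url_path, content_type):
    """Return why a response looks like streaming media, or None."""
    host = host.lower().rstrip(".")
    if any(host == h or host.endswith("." + h) for h in STREAM_HOSTS):
        return "host"
    # Drop parameters such as "; charset=..." and keep only the subtype.
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime.rsplit("/", 1)[-1] in STREAM_SUBTYPES:
        return "mime"
    # Fallback for an omitted or incorrect Content-Type: check the extension.
    ext = posixpath.splitext(urlsplit(url_path).path)[1].lower()
    return "extension" if ext in STREAM_EXTS else None

def top_clients(log_lines):
    """Count flagged requests per client from 'client host path type' lines."""
    hits = Counter()
    for line in log_lines:
        client, host, path, ctype = line.split(None, 3)
        if classify(host, path, None if ctype == "-" else ctype):
            hits[client] += 1
    return hits.most_common()

# Constructed sample lines ("-" means no Content-Type header was sent).
SAMPLE_LOG = [
    "10.0.0.21 www.example-radio.test /live/station.asx video/x-ms-asf",
    "10.0.0.21 www.example-radio.test /live/station.asx -",
    "10.0.0.21 cdn.streamops.aol.com /radio/ch1 text/plain",
    "10.0.0.21 www.example-radio.test /tune.wma?s=1 application/octet-stream",
    # A zip that wraps a playlist is not flagged, the gap noted in post #6.
    "10.0.0.34 www.example-radio.test /bundle.zip application/zip",
    "10.0.0.34 intranet.example.test /index.html text/html; charset=utf-8",
]

if __name__ == "__main__":
    print(top_clients(SAMPLE_LOG))
```
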

#8 (permalink)
Master Untangler
Join Date: Sep 2007
Location: West Chester, Pennsylvania, USA
Posts: 158
05-06-08 1017 EDT Rob @ HomeNet

#10 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 7
Posts: 7,722
Yeah GP still works on home but you have to plug it into the local registries by hand.. not ideal. I guess it depends on how much free time you have?
__________________
Intouch Technology Rob Sandling, BS:SWE, MCP Office: 480-272-9889 rob@intouchtechllc.com