If Only App Control Were Around When Pointcast Was A Thing

Back when I first got into IT and just started working with FireWall-1, Pointcast was a thing. For those who weren't around back in the mid to late 1990s, Pointcast had a very popular screensaver that displayed news and other information delivered periodically over the Internet to PCs. The problem was: it used an excessive amount of bandwidth on corporate networks, especially if more than a couple of people used it.

The result was, of course, corporations wanted to block access to Pointcast. The problem: how to do it. All we had in the mid 1990s was the traditional firewall which could control access based on IP and port. So we should be able to block the port or IPs it communicates with, right?

Pointcast used good old HTTP. Even back then, no one in their right mind would block HTTP. Of course, everything uses HTTP or HTTPS to communicate these days, and with a traditional firewall with the ability to control traffic only by IP or port, leaving HTTP or HTTPS wide open is tantamount to leaving the barn door open. 

Pointcast didn't exactly publish their list of servers, but users of the PhoneBoy FireWall-1 FAQ contributed a list of IPs plus a couple of other clever solutions to the problem, which I've made available after the break if you're curious.

Of course, with things like content delivery networks, Amazon Web Services, and a host of other ways to serve up an application to users that are available today, attempting to control access to these applications merely by port and IP address is crazy. 

Fortunately, there are a number of solutions to this problem. Check Point's solution is the Application Control Software Blade, which can allow/block access to an application regardless of the ports and destination IP users, and even limit the bandwidth these applications use. New applications or changes to existing applications are made available to the gateway periodically so you can see that you're users are using it and, when it kills you bandwidth or worse, you can block it. 

If only tools like App Control were available back in the day, security admins could have spent more time on more important issues rather than figuring out how to block Pointcast and other applications and I would have a few less FAQ entries on "how do I block X application."

There are a few ways to block access to Pointsec:

  1. Deny HTTP Access to Pointcast Servers
  2. Use the HTTP Security Server
  3. Create a Dummy Host in your DNS/WINS

Deny HTTP Access to Pointcast Servers

To deny HTTP requests to the Pointcast HTTP server, deny access to the following machines:

205.228.184.31 through 205.228.184.60, inclusive. 
206.64.127.31 through 206.64.127.60, inclusive.

To minimize the number of network objects needed (since range objects aren't supported), create the objects as follows and put them into a group:

Create host 205.228.184.31 
Create network 205.228.184.32 with subnet mask 255.255.255.240 (include broadcast) 
Create network 205.228.184.48 with subnet mask 255.255.255.248 (include broadcast) 
Create network 205.228.184.56 with subnet mask 255.255.255.252 (include broadcast) 
Create host 205.228.184.60

Create host 206.64.127.31 
Create network 206.64.127.32 with subnet mask 255.255.255.240 (include broadcast) 
Create network 206.64.127.48 with subnet mask 255.255.255.248 (include broadcast) 
Create network 206.64.127.56 with subnet mask 255.255.255.252 (include broadcast) 
Create host 206.64.127.60

Deny HTTP traffic to these hosts.

Using HTTP Security Server

Thanks to Daniel Blander for this idea:

Create a URI resource that filters the following URLs:

http://*/FIDO*/*

This roughly translates to creating a Wildcard URI Resource with the following parameters:

Service: http 
Action: all 
Host: * 
Path: /FIDO* 
Query: *

You will want to use this URI resource in a rule that denies access.

Create a Dummy Host in your DNS/WINS

Thanks to Mark Syroka for this idea.

Create an entry in your DNS or WINS for the hostname PCNPROXY. Your clients will try and access whatever host resolves to this name if it exists. If you wish to use the PointCast Caching Manager, which is designed to Cache PointCast Requests and is available for free from http://www.pointcast.com/products/intranet/, your DNS/WINS entry would point to this machine. Otherwise, this entry can point to a non-existant machine or any machine that does not run a web server on port 80.