[c-nsp] ASA filtering of P2P apps

Jeff Kell jeff-kell at utc.edu
Mon Jan 22 08:49:24 EST 2007


Church, Chuck wrote:
> Anyone using an ASA to filter/limit the various popular P2P
> applications?  It seems that the functionality exists via the regular
> expression capability in 7.x.  I'm not finding any concise examples of
> the exact regex that will match the various protocols.  Anyone want to
> share what they're using?
Not in the ASA itself, but we use the ASA to implement a "penalty box"
for local IPs that are found to be doing P2P.  By applying shuns at the
ASA at the gateway, we block their internet access for a few hours each
time P2P is detected.  The users finally get the hint, over time.

Our ASAs have the AIP-SSM modules, and there are a number of signatures
(many disabled by default) that detect a number of P2P protocols.  You
can enable these rules and change the action to block (which is applied
for the default block time interval).  In addition, we have snort
sensors monitoring our traffic as well.  There are a number of P2P rules
in the snort rulesets (base rules and bleedingthreats.net rules) that
will detect the traffic, and the snortsam plugin can be used to issue
timed blocks to the ASA.

Jeff
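The "penalty box" described above, as an added illustration that is not code from the original post, from snortsam or from Cisco: it tracks P2P detections per local IP, issues a timed block, restarts the timer on each repeat detection, and lifts the block once the interval lapses. It assumes detections arrive as (timestamp, source IP) pairs and that blocks are expressed as the ASA `shun` / `no shun` commands; the `_send` method is a hypothetical stand-in that only records what would be sent.

```python
"""Penalty-box tracker: turn P2P detections into timed ASA shuns.

Added example; not the original post's or snortsam's code. The block
interval and the detection stream below are constructed values.
"""
from datetime import datetime, timedelta

BLOCK_INTERVAL = timedelta(hours=3)  # "a few hours" per detection


class PenaltyBox:
    def __init__(self, block_interval=BLOCK_INTERVAL):
        self.block_interval = block_interval
        self.expires = {}    # ip -> datetime at which the shun lapses
        self.commands = []   # commands that would be pushed to the ASA

    def _send(self, cmd):
        """Hypothetical transport: record the ASA command instead of sending it."""
        self.commands.append(cmd)

    def detect(self, when, ip):
        """Record a P2P detection: shun the host if new, (re)start its timer."""
        if ip not in self.expires:
            self._send(f"shun {ip}")
        # A repeat detection restarts the block for the full interval.
        self.expires[ip] = when + self.block_interval
        return self.expires[ip]

    def expire(self, now):
        """Lift shuns whose interval has lapsed; return the released IPs."""
        released = [ip for ip, t in self.expires.items() if t <= now]
        for ip in released:
            self._send(f"no shun {ip}")
            del self.expires[ip]
        return released

    def blocked(self, now):
        """IPs still in the penalty box at time `now`."""
        return sorted(ip for ip, t in self.expires.items() if t > now)


def run_demo():
    """Constructed detection stream (not real sensor output)."""
    box = PenaltyBox()
    t0 = datetime(2007, 1, 22, 8, 0)
    box.detect(t0, "10.0.5.17")
    box.detect(t0 + timedelta(minutes=30), "10.0.9.42")
    box.detect(t0 + timedelta(hours=2), "10.0.5.17")      # repeat: timer restarts, no new shun
    released_at_4h = box.expire(t0 + timedelta(hours=4))  # only 10.0.9.42 has lapsed
    released_at_6h = box.expire(t0 + timedelta(hours=6))  # now 10.0.5.17 lapses too
    return box.commands, released_at_4h, released_at_6h
```

A sensor-side caller would feed `detect()` from its alert stream and run `expire()` on a timer; the ASA's own `shun` has no expiry, so the release step is what makes the block temporary.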

