[c-nsp] Blocking Peer-to-peer with a 7200

Mack McBride mack.mcbride at viawest.com
Fri Apr 1 16:58:47 EDT 2011


A better method would be to limit usage allotment.
There is a practical difficulty as some users will still need to download
documents that are rather large and maybe even CDs/DVDs for presentations.
At a hotel you will also have customers who want to view Netflix movies (BW intensive).
Some games also use P2P for patch downloads, WoW for example.
If you block that you are going to upset customers such as myself who like to play when travelling.
If you are providing Internet to your customers on a 'free' basis then
limiting usage is probably preferable, charging customers that need
to download over some limit.  Some users are willing to pay for access.

Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Wednesday, March 30, 2011 9:00 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Blocking Peer-to-peer with a 7200

On Wed, 30 Mar 2011, David Rothera wrote:

> Remember though that even then some P2P nowadays encrypts the traffic so
> even to a L7 firewall they would see nothing out of the ordinary.

Right.  I mentioned encrypted p2p traffic in my response.  Generally the
best that layer 4-7 devices can do with encrypted traffic is make
semi-educated guesses based on source/destination address/port/protocol,
and maybe some sort of fingerprinting based on characteristics of the
conversation.

jms

> On Wed, Mar 30, 2011 at 3:09 PM, Justin M. Streiner <streiner at cluebyfour.org> wrote:
>
>> On Wed, 30 Mar 2011, opslists at rhemasound.org wrote:
>>
>>> I am trying to block peer-to-peer from a hotel using a Cisco 7200.  Has
>>> anyone else had success doing this?  If so what config do you use, and what
>>> IOS version?
>>> I just finished getting nowhere with TAC on a case for a different
>>> location; our test PC doing Linux ISO downloads never got touched even
>>> though the counters were showing blocked traffic.
>>>
>>
>> The big issue with trying to block p2p traffic using router ACLs is that it
>> is not always very clearly defined.  Things have changed substantially from
>> the early days of p2p (Napster, etc.) apps 10+ years ago.  At that time, most
>> of the apps used well-defined ports to communicate, and so they were easier
>> to notch out with ACLs and/or state-agnostic firewall rules.  Nowadays, p2p
>> traffic is sometimes tunneled over well-known ports (tcp/80 and tcp/443 come
>> to mind).  Some p2p traffic is encrypted, so sniffing the traffic is of
>> limited use.  ACLs could be used to catch low-hanging fruit, but that will
>> probably not make a significant dent in your traffic patterns.
>>
>> You could block inbound TCP connections (BitTorrent-type traffic) using a
>> stateful firewall, but that's not a guarantee that you will catch all p2p
>> traffic; however, your best chance for success would likely involve
>> appliances that can inspect traffic at layers 4-7.
>>
>> jms
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
>
> -- 
> David Rothera
>

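Two of the approaches discussed in this thread operate on the same per-guest connection summaries: Justin's point that, for encrypted p2p, the best a device can do is a semi-educated guess from address/port/protocol and the shape of the conversation (many distinct peers on random high ports, a noticeable share of connections opened from the outside), and Mack's suggestion of enforcing a usage allotment instead of trying to identify the protocol. The following example, added here and not taken from any poster or from Cisco, runs both checks over constructed flow records (the addresses, thresholds and byte counts are made up for illustration; real input would come from NetFlow/IPFIX or firewall logs exported from the router). Note that it flags a streaming-heavy guest by volume without calling it p2p, which is the distinction Mack is making.

```python
"""Flow-level p2p fingerprinting and per-guest usage quota (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

EPHEMERAL = 1024  # ports at or above this are treated as "random high ports"


@dataclass(frozen=True)
class Flow:
    """One connection summary, as a NetFlow/IPFIX exporter or firewall log would give it."""
    guest: str        # address of the hotel-side host
    peer: str         # address of the remote host
    proto: str        # "tcp" or "udp"
    peer_port: int    # port on the remote side
    inbound: bool     # True when the remote side opened the connection
    nbytes: int       # bytes in both directions


@dataclass
class GuestStats:
    peers: set = field(default_factory=set)
    peer_ports: set = field(default_factory=set)
    flows: int = 0
    inbound_flows: int = 0
    nbytes: int = 0

    @property
    def inbound_ratio(self):
        return self.inbound_flows / self.flows if self.flows else 0.0


def summarize(flows):
    """Aggregate flow records per guest address."""
    stats = defaultdict(GuestStats)
    for f in flows:
        s = stats[f.guest]
        s.peers.add(f.peer)
        s.peer_ports.add(f.peer_port)
        s.flows += 1
        s.inbound_flows += int(f.inbound)
        s.nbytes += f.nbytes
    return dict(stats)


def looks_like_p2p(s, min_peers=30, min_high_ports=20, min_inbound_ratio=0.25):
    """Heuristic fingerprint (thresholds are assumptions, tune them per site):
    one host talking to many distinct peers, on many distinct high ports, with a
    meaningful share of those connections initiated from the Internet side.
    It cannot see inside encrypted payloads; it only judges conversation shape."""
    high_ports = {p for p in s.peer_ports if p >= EPHEMERAL}
    return (len(s.peers) >= min_peers
            and len(high_ports) >= min_high_ports
            and s.inbound_ratio >= min_inbound_ratio)


def over_quota(s, quota_bytes):
    """Usage-allotment check: protocol-agnostic, catches heavy users of any kind."""
    return s.nbytes > quota_bytes


def classify(flows, quota_bytes):
    """Return {guest: [tags]} with 'p2p-suspect' and/or 'over-quota' per guest."""
    tags = {}
    for guest, s in summarize(flows).items():
        t = []
        if looks_like_p2p(s):
            t.append("p2p-suspect")
        if over_quota(s, quota_bytes):
            t.append("over-quota")
        tags[guest] = t
    return tags


def sample_flows():
    """Constructed records: a torrent-like guest, a streaming-like guest, a browser."""
    flows = []
    # 10.20.1.10: 50 distinct peers, random high ports, mixed tcp/udp, 17 of 50 inbound
    for i in range(50):
        flows.append(Flow("10.20.1.10", "203.0.113.%d" % (i + 1),
                          "tcp" if i % 2 else "udp", 20000 + 37 * i,
                          inbound=(i % 3 == 0), nbytes=200_000))
    # 10.20.1.11: a handful of CDN peers on 443, all outbound, very large volume
    for i in range(6):
        flows.append(Flow("10.20.1.11", "198.51.100.%d" % (i + 1),
                          "tcp", 443, inbound=False, nbytes=900_000_000))
    # 10.20.1.12: ordinary web browsing
    for i in range(8):
        flows.append(Flow("10.20.1.12", "192.0.2.%d" % (i + 1),
                          "tcp", 443 if i % 2 else 80, inbound=False, nbytes=150_000))
    return flows


if __name__ == "__main__":
    for guest, tags in classify(sample_flows(), quota_bytes=2_000_000_000).items():
        print(guest, tags or "ok")
```

The inbound share is the same signal Justin's "block inbound TCP connections" suggestion keys on; here it is only one factor, so a guest behind a stateful firewall that already drops unsolicited inbound connections would need the peer and port fan-out alone to trip the check (lower `min_inbound_ratio` to 0 in that deployment). Whatever the fingerprint says, the quota check is what actually bounds the cost of a heavy guest, which is why the example reports both separately rather than folding them into one verdict.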