[c-nsp] Blocking Peer-to-peer with a 7200
Justin M. Streiner
streiner at cluebyfour.org
Wed Mar 30 10:09:48 EDT 2011
On Wed, 30 Mar 2011, opslists at rhemasound.org wrote:
> I am trying to block peer-to-peer from a hotel using a Cisco 7200. Has anyone else had success doing this? If so, what config do you use, and what IOS version?
> I just finished getting nowhere with TAC on a case for a different location; our test PC doing Linux ISO downloads never got touched, even though the counters were showing blocked traffic.
The big issue with trying to block p2p traffic using router ACLs is that
it is not always very clearly defined. Things have changed
substantially from the early days of p2p (Napster, etc) apps 10+ years
ago. At that time, most of the apps used well-defined ports to
communicate, and so they were easier to notch out with ACLs and/or
state-agnostic firewall rules. Nowadays, p2p traffic is sometimes
tunneled over well-known ports (tcp/80 and tcp/443 come to mind). Some
p2p traffic is encrypted, so sniffing the traffic is of limited use.
ACLs could be used to catch low-hanging fruit, but that will probably not
make a significant dent in your traffic patterns.
You could block inbound TCP connections (BitTorrent-type traffic) using a
stateful firewall, but that's not a guarantee that you will catch all p2p
traffic; however, your best chance for success would likely involve
appliances that can inspect traffic at layers 4-7.
jms
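The two approaches contrasted above, as an added IOS configuration example that is not from the original post or from Cisco: a port-based ACL that only catches the low-hanging fruit, beside a CBAC (ip inspect) setup that blocks unsolicited inbound TCP/UDP sessions to the guest LAN while letting guest-initiated sessions return. The interface names, ACL and inspect names, and the 192.0.2.0/24 guest prefix are assumptions; the port range is only a placeholder for whatever list you maintain.

```cisco
! --- Weak: port-based ACL (catches classic p2p ports only) ---
! Placeholder port range; modern clients rarely stay on fixed ports.
ip access-list extended P2P-PORTS-OUT
 deny   tcp 192.0.2.0 0.0.0.255 any range 6881 6889 log
 deny   udp 192.0.2.0 0.0.0.255 any range 6881 6889 log
 permit ip any any
!
! --- Stronger: stateful inspection of guest-initiated sessions ---
! CBAC tracks TCP/UDP sessions leaving the uplink and opens dynamic
! return entries in front of OUTSIDE-IN; anything unsolicited from the
! Internet toward the guest LAN hits the deny and is logged/counted.
ip inspect name GUEST-FW tcp
ip inspect name GUEST-FW udp
!
ip access-list extended OUTSIDE-IN
 remark Only CBAC-opened return traffic gets through; everything else is dropped
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Hotel guest LAN (assumed 192.0.2.0/24)
 ip address 192.0.2.1 255.255.255.0
 ip access-group P2P-PORTS-OUT in
!
interface GigabitEthernet0/1
 description Uplink to ISP
 ip access-group OUTSIDE-IN in
 ip inspect GUEST-FW out
!
! Verification: counters on the deny lines show blocked inbound attempts,
! active guest sessions show as dynamic entries.
!   show access-lists OUTSIDE-IN
!   show ip inspect sessions
```

Note that this only stops peers on the Internet from connecting in to guests; a guest-initiated download (the ISO test in the original question) still flows outbound through the inspected session, which is exactly why the reply calls this no guarantee.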