[c-nsp] Blocking Peer-to-peer with a 7200

David Rothera david.rothera at gmail.com
Wed Mar 30 10:44:52 EDT 2011


Remember though that even then some P2P nowadays encrypts the traffic, so
even to an L7 firewall it would look like nothing out of the ordinary.


On Wed, Mar 30, 2011 at 3:09 PM, Justin M. Streiner <streiner at cluebyfour.org> wrote:

> On Wed, 30 Mar 2011, opslists at rhemasound.org wrote:
>
>> I am trying to block peer-to-peer from a hotel using a Cisco 7200.  Has
>> anyone else had success doing this?  If so what config do you use, and what
>> IOS version.
>> I just finished getting nowhere with TAC on a case for a different
>> location, our test PC doing Linux ISO downloads never got touched even
>> though the counters were showing blocked traffic.
>>
>
> The big issue with trying to block p2p traffic using router ACLs is that it
> is not always very clearly defined.  Things have changed substantially from
> the early days of p2p (Napster, etc.) apps 10+ years ago.  At that time, most
> of the apps used well-defined ports to communicate, and so they were easier
> to notch out with ACLs and/or state-agnostic firewall rules.  Nowadays, p2p
> traffic is sometimes tunneled over well-known ports (tcp/80 and tcp/443 come
> to mind).  Some p2p traffic is encrypted, so sniffing the traffic is of
> limited use.  ACLs could be used to catch low-hanging fruit, but that will
> probably not make a significant dent in your traffic patterns.
>
> You could block inbound TCP connections (BitTorrent-type traffic) using a
> stateful firewall, but that's not a guarantee that you will catch all p2p
> traffic; however, your best chance for success would likely involve
> appliances that can inspect traffic at layers 4-7.
>
> jms
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
David Rothera
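The three approaches Justin lists (port ACLs, blocking inbound connections with a stateful firewall, and looking at the traffic's behaviour the way a flow-aware or layer-4-7 device would) can be compared on a small constructed set of flow records. This is an added example, not part of the thread; the guest addresses, the legacy port range, the "distinct peers per host" threshold and the flow sample are all assumptions chosen for illustration.

```python
"""Why a port ACL on a 7200 only catches the low-hanging fruit.

Three constructed hotel guests: A runs a legacy client on classic p2p
ports and accepts inbound peers, B tunnels everything outbound over
tcp/443, C just browses. Each filter returns the set of guests it catches.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    guest: str     # hotel guest host (constructed RFC 1918 address)
    peer: str      # remote endpoint (constructed documentation address)
    dport: int     # destination port of the connection
    inbound: bool  # True when the remote peer initiated the connection


LEGACY_P2P_PORTS = range(6881, 6890)   # assumed range a port ACL would deny
PEER_FANOUT_THRESHOLD = 20             # assumed distinct-peer threshold

# Constructed sample: A (25 out + 5 in on 6881), B (30 out on 443), C (2 peers).
FLOWS = (
    [Flow("10.0.0.11", f"198.51.100.{i}", 6881, False) for i in range(1, 26)]
    + [Flow("10.0.0.11", f"198.51.100.{i}", 6881, True) for i in range(26, 31)]
    + [Flow("10.0.0.12", f"203.0.113.{i}", 443, False) for i in range(1, 31)]
    + [Flow("10.0.0.13", "192.0.2.10", 443, False)] * 5
    + [Flow("10.0.0.13", "192.0.2.20", 80, False)] * 3
)


def acl_blocked(flows):
    """Port ACL: only flows on the legacy p2p port range are denied."""
    return {f.guest for f in flows if f.dport in LEGACY_P2P_PORTS}


def inbound_blocked(flows):
    """Stateful firewall dropping connections initiated from outside."""
    return {f.guest for f in flows if f.inbound}


def fanout_flagged(flows, threshold=PEER_FANOUT_THRESHOLD):
    """Behavioural signal: a guest talking to many distinct peers, any port."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.guest].add(f.peer)
    return {g for g, p in peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    print("port ACL catches:        ", sorted(acl_blocked(FLOWS)))
    print("inbound block catches:   ", sorted(inbound_blocked(FLOWS)))
    print("peer fan-out flags:      ", sorted(fanout_flagged(FLOWS)))
```

Guest B, tunnelled over tcp/443 and outbound-only, passes both the ACL and the inbound block; only the behavioural check flags it, which is the gap Justin's last paragraph is describing.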
