[c-nsp] Blocking Peer-to-peer with a 7200

Justin M. Streiner streiner at cluebyfour.org
Wed Mar 30 10:59:42 EDT 2011 

On Wed, 30 Mar 2011, David Rothera wrote:

> Remember though that even then some P2P nowadays encrypts the traffic so
> even to a L7 firewall they would see nothing out of the ordinary.

Right.  I mentioned encrypted p2p traffic in my response.  Generally the 
best that layer4-7 devices can do with encrypted traffic is make 
semi-educated guesses based on source/destination address/port/protocol, 
and maybe some sort of fingerprinting based on characteristics of the 
conversation.

jms

> On Wed, Mar 30, 2011 at 3:09 PM, Justin M. Streiner <streiner at cluebyfour.org
>> wrote:
>
>> On Wed, 30 Mar 2011, opslists at rhemasound.org wrote:
>>
>>  I am trying to block peer-to-peer from a hotel using a Cisco 7200.  Has
>>> anyone else had success doing this?  If so what config do you use, and what
>>> IOS version.
>>> I just finished getting nowhere with TAC on a case for a different
>>> location, our test PC doing Linux ISO downloads never got touched even
>>> though the counters were showing blocked traffic.
>>>
>>
>> The big issue with trying to block p2p traffic using router ACLs is that it
>> is not always very clearly defined.  Things have changed substantially from
>> the early days of p2p (Napster, etc) apps 10+ years ago.  At that time, most
>> of the apps used well-defined ports to communicate, and so they were easier
>> to notch out with ACLs and/or state-agnostic firewall rules.  Nowadays, p2p
>> traffic is sometimes tunneled over well-known ports(tcp/80 and tcp/443 come
>> to mind).  Some p2p traffic is encrypted, so sniffing the traffic is of
>> limited use. ACLs could be used to catch low-hanging fruit, but that will
>> probably not make a significant dent in your traffic patterns.
>>
>> You could block inbound TCP connections (BitTorrent-type traffic) using a
>> stateful firewall, but that's not a guarantee that you will catch all p2p
>> traffic, however your best chance for success would likely involve
>> appliances that can inspect traffic at layers 4-7.
>>
>> jms
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
>
> -- 
> David Rothera
>

More information about the cisco-nsp mailing list