[c-nsp] Blocking Peer-to-peer with a 7200
Justin M. Streiner
streiner at cluebyfour.org
Wed Mar 30 10:59:42 EDT 2011
On Wed, 30 Mar 2011, David Rothera wrote:
> Remember though that even then some P2P nowadays encrypts the traffic so
> even to a L7 firewall they would see nothing out of the ordinary.
Right. I mentioned encrypted p2p traffic in my response. Generally the
best that layer 4-7 devices can do with encrypted traffic is make
semi-educated guesses based on source/destination address/port/protocol,
and maybe some sort of fingerprinting based on characteristics of the
conversation.
jms
> On Wed, Mar 30, 2011 at 3:09 PM, Justin M. Streiner <streiner at cluebyfour.org> wrote:
>
>> On Wed, 30 Mar 2011, opslists at rhemasound.org wrote:
>>
>>> I am trying to block peer-to-peer from a hotel using a Cisco 7200. Has
>>> anyone else had success doing this? If so, what config do you use, and what
>>> IOS version?
>>> I just finished getting nowhere with TAC on a case for a different
>>> location, our test PC doing Linux ISO downloads never got touched even
>>> though the counters were showing blocked traffic.
>>>
>>
>> The big issue with trying to block p2p traffic using router ACLs is that it
>> is not always very clearly defined. Things have changed substantially from
>> the early days of p2p (Napster, etc.) apps 10+ years ago. At that time, most
>> of the apps used well-defined ports to communicate, and so they were easier
>> to notch out with ACLs and/or state-agnostic firewall rules. Nowadays, p2p
>> traffic is sometimes tunneled over well-known ports (tcp/80 and tcp/443 come
>> to mind). Some p2p traffic is encrypted, so sniffing the traffic is of
>> limited use. ACLs could be used to catch low-hanging fruit, but that will
>> probably not make a significant dent in your traffic patterns.
>>
>> You could block inbound TCP connections (BitTorrent-type traffic) using a
>> stateful firewall, but that's not a guarantee that you will catch all p2p
>> traffic; however, your best chance for success would likely involve
>> appliances that can inspect traffic at layers 4-7.
>>
>> jms
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
>
> --
> David Rothera
>
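As an added illustration of the two approaches discussed in the thread (this is not configuration posted by anyone on the list, and the OP's real config is unknown): a state-agnostic ACL that lets guest-initiated TCP sessions return while dropping new inbound TCP connection attempts, plus an NBAR class for the p2p protocols IOS can recognize by signature. The guest subnet 192.0.2.0/24 and the interface names are assumptions. NBAR protocol names and the MQC `drop` action depend on the IOS version and loaded PDLMs, so check `show ip nbar protocol-discovery` before trusting the counters; as Justin notes, encrypted or port-hopping clients and UDP-based transfers are not caught by either piece.

```cisco
! Added example, not from the thread. Subnet and interface names are assumptions.
!
! 1. State-agnostic ACL on the uplink: "established" matches only TCP segments
!    with ACK or RST set, i.e. replies to sessions the guests opened. New inbound
!    TCP connection attempts toward the guest subnet (incoming BitTorrent peers)
!    hit the deny. Sessions a guest opens outbound are untouched by this ACL.
!    There is no state for UDP here, so p2p carried over UDP passes through.
ip access-list extended GUEST-FROM-INTERNET
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny   tcp any 192.0.2.0 0.0.0.255
 permit udp any 192.0.2.0 0.0.0.255
 permit icmp any 192.0.2.0 0.0.0.255
 deny   ip any any
!
! 2. NBAR signature match for the protocols the router knows. Nothing here
!    matches encrypted or obfuscated clients; verify with
!    "show ip nbar protocol-discovery" and "show policy-map interface".
class-map match-any P2P-KNOWN
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
!
policy-map DROP-P2P
 class P2P-KNOWN
  drop
!
interface GigabitEthernet0/1
 description Internet uplink (assumed name)
 ip access-group GUEST-FROM-INTERNET in
 service-policy input DROP-P2P
!
interface GigabitEthernet0/2
 description Hotel guest LAN (assumed name)
 ip nbar protocol-discovery
 service-policy input DROP-P2P
```

The ACL is the cheap "low-hanging fruit" layer the thread mentions; the policy-map is applied inbound on both interfaces so it sees both directions of a flow. If the ACL counters climb but a test download is unaffected (the symptom the OP reports), the traffic is most likely guest-initiated outbound sessions that the `established` rule deliberately permits, which is the case that only a stateful or layer 4-7 inspection device can address.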