RE: blocking p2p traffic

From: josh (josh_at_tkos.co.il)
Date: 03/08/04

  • Next message: Shaiful: "Re: blocking p2p traffic"
    Date: Mon, 8 Mar 2004 11:52:30 +0200 (IST)
    To: Gary Freeman <Gary.Freeman@rci.rogers.com>
    
    

    > Hi,
    >
    > Any information regarding IDS/IPS software available which blocks
    > p2p traffic? Or in general any information regarding how to identify p2p
    > application is running and maybe configure firewall to block such
    > traffic. In general it is observed that such applications do not work on
    > single port and do port hopping. How to block them?
    >
    > Any inputs on the same would be appreciated.

    Hi
    Most p2p will use port 80 after their native ports are closed in your
    firewall. Originally I tried to block p2p with snort but I was getting
    too many false positives. I found a much more effective way was to set up
    squid as a transparent proxy. The p2p requests are not legal HTTP
    requests, thus squid will not pass them on. I also added some rules in
    squid to block certain instant messengers based on MIME type.

    >
    >
    > Thanks,
    >
    > Yashodhan

    -- 
      - josh
      94 F8 9F 3E 9A DB 6E FC  F8 17 F1 B4 C7 51 CB AA   ~. .~   Tk Open Systems
    =}------------------------------------------------ooO--U--Ooo------------{=
       - josh@tkos.co.il - tel: +972.58.520.636, http://www.tkos.co.il
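
The two checks described in the message above, sketched as an added example that is not part of the original post and is not Squid's own parser: a simplified request-line test that native p2p handshakes on port 80 fail, and a reply MIME-type deny list for instant messengers that do speak valid HTTP. The sample streams and the deny-list entry are constructed for illustration.

```python
import re

# HTTP request line: method SP request-target SP HTTP-version (RFC 7230, simplified).
REQUEST_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/\d\.\d$")

# Assumed deny list standing in for the MIME-type rules mentioned in the message.
BLOCKED_MIME = {"application/x-msn-messenger"}


def is_http_request(first_bytes: bytes) -> bool:
    """True if the first line of a client stream parses as an HTTP request line."""
    line, sep, _ = first_bytes.partition(b"\r\n")
    if not sep:  # tolerate bare LF line endings
        line, sep, _ = first_bytes.partition(b"\n")
    return bool(sep) and REQUEST_LINE.match(line) is not None


def reply_allowed(content_type: str) -> bool:
    """True unless the reply's media type (parameters stripped) is denied."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime not in BLOCKED_MIME


def verdict(first_bytes: bytes, reply_content_type: str = "text/html") -> str:
    """Decision a filtering proxy in front of port 80 would reach for one flow."""
    if not is_http_request(first_bytes):
        return "drop: not HTTP"
    if not reply_allowed(reply_content_type):
        return "deny: blocked MIME type"
    return "pass"


# Constructed sample streams, as seen on outbound TCP port 80.
WEB = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GNUTELLA = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: sample\r\n\r\n"
BITTORRENT = b"\x13BitTorrent protocol" + bytes(8) + b"A" * 40
IM_OVER_HTTP = b"POST /gateway/gateway.dll HTTP/1.1\r\nHost: im.example.com\r\n\r\n"

if __name__ == "__main__":
    print("web       ", verdict(WEB))
    print("gnutella  ", verdict(GNUTELLA))
    print("bittorrent", verdict(BITTORRENT))
    print("im        ", verdict(IM_OVER_HTTP, "application/x-msn-messenger"))
```

The last sample shows why the second rule is needed: traffic that is well-formed HTTP passes the request-line check and is only caught by content type.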
    
