Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall



Similar documents
Cisco Configuring Commonly Used IP ACLs

Configuring Static and Dynamic NAT Simultaneously

Configuring the Cisco Secure PIX Firewall with a Single Intern

PIX/ASA 7.x with Syslog Configuration Example

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Table of Contents. Cisco Disabling ICS when Preparing to Install or Upgrade to Cisco VPN Client 3.5.X on Microsoft Windows XP

Cisco Secure PIX Firewall with Two Routers Configuration Example

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Syslog Server Configuration on Wireless LAN Controllers (WLCs)

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

IOS NAT Load Balancing for Two ISP Connections

co Characterizing and Tracing Packet Floods Using Cisco R

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Sample Configuration Using the ip nat outside source static

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

Source-Connect Network Configuration Last updated May 2009

Securing Networks with PIX and ASA

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Cisco Which VPN Solution is Right for You?

Table of Contents. Cisco How Does Load Balancing Work?

IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Table of Contents. Cisco Configuring CET Encryption with a GRE Tunnel

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

FIREWALLS & CBAC. philip.heimer@hh.se

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Table of Contents. Cisco Configuring the PPPoE Client on a Cisco Secure PIX Firewall

WhatsUpGold. v14.4. Flow Monitor User Guide

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

Lab Configure IOS Firewall IDS

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Sample Configuration Using the ip nat outside source list C

Security and Access Control Lists (ACLs)

Auto Traffic Analysis and Protocol Generation

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

IP Filter/Firewall Setup

Virtual Fragmentation Reassembly

Configuring the Cisco PIX Firewall for SSH by Brian Ford

WhatsUpGold. v15.0. Flow Monitor User Guide

Network Address Translation Commands

PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example

Lab Configuring Access Policies and DMZ Settings

Cisco Setting Up PIX Syslog

Lab Exercise Configure the PIX Firewall and a Cisco Router

- Introduction to PIX/ASA Firewalls -

Flow Monitor for WhatsUp Gold v16.2 User Guide

PIX/ASA 7.x and above : Mail (SMTP) Server Access on Inside Network Configuration Example

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Cisco Firewall Technology

Adding an Extended Access List

Table of Contents. Cisco Mapping Outbound VoIP Calls to Specific Digital Voice Ports

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Table of Contents. Cisco Disabling ICS when Preparing to Install or Upgrade to Cisco VPN Client 3.5.X on Microsoft Windows XP

Lab Configure Cisco IOS Firewall CBAC

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example

Firewall Authentication Proxy for FTP and Telnet Sessions

Introduction of Intrusion Detection Systems

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems

Table of Contents. Cisco Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall

Firewall Design Principles

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

Polycom. RealPresence Ready Firewall Traversal Tips

Configuring DHCP Snooping

Flow Monitor for WhatsUp Gold v16.1 User Guide

CSCE 465 Computer & Network Security

- QoS Classification and Marking -

Firewall Defaults and Some Basic Rules

Access Control Lists: Overview and Guidelines

BRI to PRI Connection Using Data Over Voice

IINS Implementing Cisco IOS Network Security Exam.

Internet Security Firewalls

Cisco - Catalyst 2950 Series Switches Quality of Service (QoS) FAQ

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

Lab Organizing CCENT Objectives by OSI Layer

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Application Note. Onsight Connect Network Requirements V6.1

Firewall Firewall August, 2003

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Table of Contents. Configuring IP Access Lists

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

GregSowell.com. Mikrotik Security

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Firewalls. Chapter 3

Configuring a Load-Balancing Scheme

Broadband Phone Gateway BPG510 Technical Users Guide

Table of Contents. Introduction

Configuring the PIX Firewall with PDM

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Transcription:

Table of Contents Blocking Peer to Peer File Sharing Programs with the PIX Firewall...1 Document ID: 42700...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...1 Conventions...2 PIX Configuration...2 Blubster/Piolet Configuration...2 edonkey Configuration...2 FastTrack Kazaa/KazaaLite/Grokster/iMesh Configuration...3 Gnutella BearShare/Limewire/Morpheus/ToadNode Configuration...4 NetPro Discussion Forums Featured Conversations...4 Related Information...4 i

Blocking Peer to Peer File Sharing Programs with the PIX Firewall Document ID: 42700 Introduction Prerequisites Requirements Components Used Conventions PIX Configuration Blubster/Piolet Configuration edonkey Configuration FastTrack Kazaa/KazaaLite/Grokster/iMesh Configuration Gnutella BearShare/Limewire/Morpheus/ToadNode Configuration NetPro Discussion Forums Featured Conversations Related Information Introduction This document demonstrates how to (attempt to) block the most common peer to peer (P2P) file sharing programs with the PIX firewall. If the application cannot effectively be blocked with the PIX, Cisco IOS Network Based Application Recognition (NBAR) configurations are included that can be configured on any Cisco router between the source host and the Internet. Important Note: Due to the nature of the content this document assists in blocking, Cisco is unable to block individual server addresses. Instead, Cisco recommends that you block address ranges in order to ensure you block all possible servers for each of the listed programs. The result of this can be that you block access to legitimate services. If this is the case, you need to add statements to the configuration that permit these individual services. Contact Cisco Technical Support if you have any difficulty. Prerequisites Requirements There are no specific requirements for this document. Components Used These configurations were tested with the use of these PIX software and hardware versions, although they are expected to work on any hardware and software revision: Cisco PIX Firewall 501 Cisco PIX Firewall Software version 6.3(3) Cisco IOS Software Release 12.2(13)T These configurations were tested with the use of these P2P software versions: Blubster version 2.5

edonkey version 0.51 IMesh version 4.2 build 137 KazaaLite version 2.4.3 LimeWire version 3.6.6 Morpheus version 3.4 The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Conventions For more information on document conventions, refer to the Cisco Technical Tips Conventions. PIX Configuration interface ethernet0 10baset interface ethernet1 10full ip address outside dhcp setroute ip address inside 192.168.1.1 255.255.255.0 global (outside) 1 interface nat (inside) 1 0 0 http server enable http 192.168.1.0 255.255.255.0 inside dhcpd address 192.168.1.2 192.168.1.129 inside dhcpd auto_config dhcpd enable inside pdm logging informational timeout xlate 0:05:00 Blubster/Piolet Configuration Blubster and Piolet use the Multipoint P2P (MP2P) protocol. This initially connects to the central servers of the networks in order to gain the list of peer hosts and can be blocked effectively with an access list, therefore disabling the program. P2P connections are usually on TCP port 80. However, if the initial connection is blocked, you cannot download this peer list. Applying these on your PIX should block this program: access list outbound deny tcp any 128.121.0.0 255.255.0.0 eq www access list outbound permit ip any any access group outbound in interface inside Alternatively, if you want to be a little bit more selective, this should also work: access list outbound deny tcp any 128.121.20.0 255.255.255.240 eq www access list outbound deny tcp any 128.121.4.0 255.255.255.0 eq www access list outbound permit ip any any access group outbound in interface inside edonkey Configuration edonkey uses two ports, one for file searches and one for file transfers. File searches are done using a randomly picked UDP source port to a random destination port. File transfers are done using a destination port

of TCP/4662. Blocking this port stops file downloads. Although, users are still able to search for files as the UDP portion of this program cannot be blocked effectively with an access list. The default port of TCP/4662 can be changed simply within the program options, but this does not affect the port that files are downloaded on. This port number option seems to be the port that other hosts use to download files from your source host. Unless a large number of other P2P users have changed this port in their settings, which is doubtful, file downloads are stopped (or at the very least severely impacted) just by blocking TCP/4662 outbound. Applying these on your PIX should block this program: access list outbound deny tcp any any eq 4662 access list outbound permit ip any any access group outbound in interface inside FastTrack Kazaa/KazaaLite/Grokster/iMesh Configuration FastTrack is the most popular P2P network around today. P2P file sharing applications such as Kazaa, KazaaLite, Grokster and imesh all use this network and connect to other hosts using any open TCP/UDP port to search and download files. This makes filtering them with an access list impossible. Note: These applications cannot be filtered with a PIX firewall. In order to effectively filter these applications, use NBAR on your outside router (or any router between the source host and the Internet connection). NBAR can match specifically on connections made to the FastTrack network and can either be dropped completely or rate limited. A sample IOS router NBAR configuration to drop FastTrack packets appear here: class map match any p2p match protocol fasttrack file transfer * policy map block p2p class p2p drop! The drop command was introduced in! Cisco IOS Software Release 12.2(13)T. int FastEthernet0 description PIX facing interface service policy input block p2p If the router runs a Cisco IOS Software earlier than Cisco IOS Software Release 12.2(13)T, then the drop command under the policy map is not available. In order to drop this traffic, use a policy map to set the DSCP bit in matching packets as they come into the router. Next, define an access list to drop all packets with this bit set as they exit the router. The DSCP bit is used as it is unlikely that any "normal" traffic uses this. A sample configuration for this is shown here: class map match any p2p match protocll fasttrack file transfer * policy map block p2p class p2p

set ip dscp 1 int FastEthernet0 description PIX/Inside facing interface service policy input block p2p int Serial0 description Internet/Outside facing interface ip access group 100 out access list 100 deny ip any any dscp 1 access list 100 permit ip any any Gnutella BearShare/Limewire/Morpheus/ToadNode Configuration Gnutella is an open source protocol and has over 50 applications using it on a wide variety of operating systems. Popular P2P applications include BearShare, Limewire, Morpheus and ToadNode. They use any open TCP/UDP port to communicate with another P2P host, and from there connect to many other hosts, making filtering these programs with an access list impossible. Note: These programs cannot be filtered with a PIX firewall. To effectively filter these protocols, use NBAR on your outside router. NBAR can match specifically on connections made to the Gnutella network and can either be dropped completely or rate limited. A sample IOS router NBAR configuration looks like the example in the FastTrack section of this document. The addition of a Gnutella matching line under the same class map is shown here: class map match any p2p match protocol gnutella file transfer * NetPro Discussion Forums Featured Conversations Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology. NetPro Discussion Forums Featured Conversations for Security Security: Intrusion Detection [Systems] Security: AAA Security: General Security: Firewalling Related Information Classification of Peer to Peer File Sharing Applications IPSec Support Page PIX Support Page Documentation for PIX Firewall PIX Command References

Requests for Comments (RFCs) Technical Support Cisco Systems All contents are Copyright 1992 2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Updated: Jun 08, 2005 Document ID: 42700

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information