While I agree with Jay to an extent, it's not that simple.
After doing some research about BitTorrent and P2P I found out that it is
not possible to block real P2P with just the firewall. If you want to block
BitTorrent or any other P2P application, it is best to use an AIP module in
the ASA that supports this feature.
Here's what Cisco's developers say (in an email to me) about P2P
applications with ASA
======================
ASA with the AIP (IPS/Anti-X) module has even better protection and control
over IM and P2P applications (as well as many other threats - including many
application layer attacks). Not only can you specify more granular policies,
like "allow users to chat over IM, but not perform file transfers." AIP also
detects many more IM and P2P apps than PIX, and AIP also supports dynamic
signature updating to adapt to new P2P/IM applications very quickly. Here
are just some of the threats that AIP can protect from:
Peer-to-peer: KaZaA, BitTorrent, Skype, WinMX, eDonkey, Bearshare, Soulseek,
Limewire, etc.
Instant Messaging: AIM, MSN, Yahoo, Jabber, ICQ, IRC, etc.
Worms: Slammer, Blaster, Witty, Code Red, NIMDA, etc.
Backdoors: Subseven, Trinoo, Back Orifice, Netspy, etc.
Directed attacks: Buffer overflows, SQL injection, shell/command execution,
stack/heap attacks, etc.
=======================
The ASA cannot block P2P type applications unless they are being tunneled
through HTTP.
P2P and Torrent applications don't normally get tunneled through HTTP so
there isn't a way to use the ASA to stop this. You may have some mixed
success if you implement an IPS module or appliance.
On ASA we may block certain applications like the following using HTTP
inspection, since they get tunneled over HTTP. But BitTorrent is a nasty P2P
application and randomly changes the port. Therefore it can be blocked using
an IPS regex or by creating a custom signature using the TCP engine (you will
have to open a new case if you need assistance in this regard). I would suggest
that you either have an IPS module (SSM/CSC) or maybe use NBAR on a router,
which you already know of.
On Sun, Jan 9, 2011 at 4:43 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> Yes, you can use policy and class-maps.
>
> Regards,
> Jay McMickle - CCNP, CCSP, CCDP
> Sent from my iPhone
> http://mycciepursuit.wordpress.com
>
>
> On Jan 8, 2011, at 10:35 PM, Khurram Noor <engr.khurramnoor_at_googlemail.com>
> wrote:
>
> > Hello everyone,
> >
> > I would like to know what the possibility is of blocking P2P traffic using
> > an ASA firewall. The firewall does not have any AIP-SSM.
> >
> > --
> > Khurram Noor
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
--
-Steve Di Bias

Received on Sun Jan 09 2011 - 09:18:56 ART
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART
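An added configuration example, not taken from any message in this thread, of the approach the replies describe: ASA Modular Policy Framework class-maps and policy-maps with HTTP inspection, dropping BitTorrent traffic that is tunneled over HTTP. The object names, the regex patterns and the assumption that HTTP rides on TCP/80 inside the default global_policy are mine; as the thread points out, this only catches the HTTP-tunneled part, not BitTorrent on random ports.

```cisco
! Added example, not from the thread. Names and regexes are assumptions.
! Match the User-Agent many BitTorrent clients send and the tracker
! announce URI; both are only visible when the client talks over HTTP.
regex BT-USER-AGENT "[Bb]it[Tt]orrent"
regex BT-ANNOUNCE "/announce\?info_hash="
!
! Application-layer class: either pattern identifies BitTorrent over HTTP
class-map type inspect http match-any BT-OVER-HTTP
  match request header user-agent regex BT-USER-AGENT
  match request uri regex BT-ANNOUNCE
!
! HTTP inspection policy: drop and log connections that hit the class
policy-map type inspect http BLOCK-BT-HTTP
  class BT-OVER-HTTP
    drop-connection log
!
! Layer 3/4 class: assumes HTTP on TCP/80 (adjust for proxies or other ports)
class-map HTTP-TRAFFIC
  match port tcp eq www
!
! Attach the HTTP inspection to the default global policy
policy-map global_policy
  class HTTP-TRAFFIC
    inspect http BLOCK-BT-HTTP
!
service-policy global_policy global
!
! Check for hits afterwards with: show service-policy inspect http
```

Traffic on other ports still passes untouched, which is why the thread recommends an IPS module or NBAR for the rest.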