Thanks Steve. I will use NBAR to block and limit these traffic patterns.
Regards,
Khurram
On Sun, Jan 9, 2011 at 9:18 PM, Steve Di Bias <sdibias_at_gmail.com> wrote:
> While I agree with Jay to an extent, it's not that simple.
>
> After doing some research about BitTorrent and P2P I found out that it is
> not possible to block real P2P with just the firewall. If you want to block
> BitTorrent or any other P2P application, it is best to use the AIP module in
> the ASA, which supports this feature.
>
> Here's what Cisco's developers say (in an email to me) about P2P
> applications with ASA
>
> ======================
>
> ASA with the AIP (IPS/Anti-X) module has even better protection and
> control over IM and P2P applications (as well as many other threats,
> including many application layer attacks). Not only can you specify more
> granular policies, like "allow users to chat over IM, but not perform file
> transfers," but AIP also detects many more IM and P2P apps than PIX, and AIP
> also supports dynamic signature updating to adapt to new P2P/IM applications
> very quickly. Here are just some of the threats that AIP can protect from:
>
> Peer-to-peer: KaZaA, BitTorrent, Skype, WinMX, eDonkey, Bearshare,
> Soulseek, Limewire, etc.
>
> Instant Messaging: AIM, MSN, Yahoo, Jabber, ICQ, IRC, etc.
>
> Worms: Slammer, Blaster, Witty, Code Red, NIMDA, etc.
>
> Backdoors: Subseven, Trinoo, Back Orifice, Netspy, etc.
>
> Directed attacks: Buffer overflows, SQL injection, shell/command execution,
> stack/heap attacks, etc.
>
> =======================
>
> The ASA cannot block P2P type applications unless they are being tunneled
> through HTTP.
>
> P2P and Torrent applications don't normally get tunneled through HTTP so
> there isn't a way to use the ASA to stop this. You may have some mixed
> success if you implement an IPS module or appliance.
>
> On ASA we may block certain applications like the following using HTTP
> inspection, since they get tunneled over HTTP. But BitTorrent is a nasty P2P
> application and randomly changes the port. Therefore it can be blocked using
> IPS regex or by creating a custom signature using the TCP engine (you will have
> to open a new case if you need assistance in this regard). I would suggest that
> you either have an IPS module (SSM/CSC) or maybe use NBAR on the router, which
> you already know of.
>
>
> On Sun, Jan 9, 2011 at 4:43 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>
>> Yes, you can use policy and class-maps.
>>
>> Regards,
>> Jay McMickle- CCNP,CCSP,CCDP
>> Sent from my iPhone
>> http://mycciepursuit.wordpress.com
>>
>>
>> On Jan 8, 2011, at 10:35 PM, Khurram Noor <engr.khurramnoor_at_googlemail.com> wrote:
>>
>> > Hello everyone,
>> >
>> > I would like to know what the possibility is of blocking P2P traffic using
>> > an ASA firewall. The firewall does not have any AIP-SSM.
>> >
>> > --
>> > Khurram Noor
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>
> --
> -Steve Di Bias
>
--
Khurram Noor
CCIE # 24419
http://www.linkedin.com/in/khurramnoor

Blogs and organic groups at http://www.ccie.net

Received on Mon Jan 10 2011 - 08:30:34 ART
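An added example, not posted by anyone in the thread, of the router-side NBAR approach Khurram says he will use: one class-map for P2P protocols to drop, one for traffic to rate-limit instead, a policy-map that applies both, and the service-policy on the LAN interface. The interface name, the 256 kbps police rate and the exact protocol list are assumptions; each `match protocol` name must exist in the router's NBAR protocol pack.

```cisco
! Added example, not from the thread. Assumes an IOS image with NBAR
! and the protocol names below present in its protocol pack; confirm
! with "show ip nbar port-map" or "show ip nbar protocol-discovery".
!
! Enable protocol discovery first to see what is actually crossing
! the interface before enforcing anything.
interface GigabitEthernet0/0
 description LAN-facing interface (assumed name)
 ip nbar protocol-discovery
!
! Flows to drop outright. match-any: a packet matching any listed
! protocol is placed in the class.
class-map match-any P2P-BLOCK
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
!
! Flows to allow but rate-limit rather than drop.
class-map match-any P2P-LIMIT
 match protocol skype
!
policy-map P2P-CONTROL
 class P2P-BLOCK
  drop
 class P2P-LIMIT
  ! 256 kbps single-rate policer (assumed value): traffic above the
  ! rate is dropped, conforming traffic is forwarded unchanged.
  police 256000 conform-action transmit exceed-action drop
 class class-default
!
! Apply in the direction the P2P traffic enters the router; covering
! both directions means a policy on the WAN-facing interface as well.
interface GigabitEthernet0/0
 service-policy input P2P-CONTROL
!
! Verify per-class packet counters and drops with:
! show policy-map interface GigabitEthernet0/0
```

NBAR recognises BitTorrent from its protocol handshake, so clients using protocol encryption may not be classified; compare the class counters against the protocol-discovery output to see how much of the traffic the policy actually catches.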
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART