Blocking P2P
I need to block ALL P2P traffic on a secondary subnet in my home network. My plan is to deploy an SBS 2003 Premium server, and use ISA 2004.
Only thing is that I am finding it difficult to really accomplish this. I found an article about entering signatures in ISA to do this. No luck with what I added. Just blocking ports is not much use as I know that it will resort to port 80, which I want open for web browsing.
I have been able to block downloads of any applications or zip files in ISA. This is of some help. I can prevent the download of any P2P installer. I can also create a limited user account to block the install of any applications I don't push out.
I just want to be certain (or as certain as possible) that doing anything other than surf the web, check email, etc. will be impossible. The problem I am having is with a user (younger brother) using these download applications, as well as anything else he feels like running. He gets his computer all messed up to the point where it just no longer works, and I need to spend hours to fix it. I am sick of it, so I am putting an end to it.
trogers wrote: Introduce another router to his computer and create a double NAT. This will block up his access to P2P and gaming. Just port forward for browsing and email services.

Doesn't work. He is already on a different subnet with only traffic to port 80 being forwarded to any non-internal addresses. Still creates problems.
This is an ongoing problem with network/system administrators. The big problem is P2P protocols go out of their way to obfuscate the traffic. You can try to block ports and protocols but a lot of these programs will revert to using standard ports to tunnel the traffic.
The only real way to block P2P is using application layer security (something like NBAR on a Cisco IOS).
Your best bet is to lock down the system (as you said you have) to not allow the user to install applications, also limiting extensions on what the user can download at the proxy helps to avoid anything getting on the system in the first place ... which you have also already done.
http://www.computerglitch.net
"I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as that's all I have :-(." --Posted on Usenet August 1991 by Linus Torvalds
curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
EOF
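The point made above, and in Eric's first post, that a client simply moves to port 80 once its default port is closed is easiest to see with the two kinds of rule side by side. The following Python is an added example written for this page, not code from the thread, from ISA 2004 or from Cisco NBAR. The sample flows are constructed, and the User-Agent and payload signature strings are assumptions modelled on the request-header signature approach the ISAServer.org article describes; real client strings change between versions.

```python
"""Added example (not code from the thread, from ISA, or from NBAR): why a
port-based rule cannot stop P2P once the client is pointed at port 80, and
what an application-layer check has to look at instead.

Sample flows are constructed for this example. The signature strings are
assumptions modelled on the kind of request-header signatures the ISA 2004
HTTP filter article describes; real client strings change between versions.
"""
from dataclasses import dataclass

# Assumed User-Agent fragments for HTTP-speaking P2P clients.
USER_AGENT_SIGNATURES = {
    "KazaaClient": "Kazaa",
    "Gnutella": "Gnutella",
    "BitTorrent": "BitTorrent tracker request",
    "Morpheus": "Morpheus",
}

# Fixed leading bytes of clients that do not speak HTTP at all but can be
# configured to listen and connect on port 80.
PAYLOAD_SIGNATURES = [
    (b"\x13BitTorrent protocol", "BitTorrent peer handshake"),
    (b"GNUTELLA CONNECT/", "Gnutella handshake"),
]


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent


def port_policy(flow):
    """The rule from the thread: forward only port 80 to non-internal hosts."""
    return "allow" if flow.dst_port == 80 else "deny"


def parse_http_request(payload):
    """Return (method, path, headers) for a well-formed HTTP request, else None."""
    head = payload.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def app_policy(flow):
    """Application-layer verdict for a flow the port rule already let through."""
    for prefix, name in PAYLOAD_SIGNATURES:
        if flow.payload.startswith(prefix):
            return "deny", name
    req = parse_http_request(flow.payload)
    if req is None:
        return "deny", "not HTTP on port %d" % flow.dst_port
    method, path, headers = req
    user_agent = headers.get("user-agent", "")
    for needle, name in USER_AGENT_SIGNATURES.items():
        if needle.lower() in user_agent.lower():
            return "deny", "User-Agent signature: " + name
    if method not in ("GET", "HEAD", "POST"):
        return "deny", "unexpected method " + method
    return "allow", "HTTP %s %s" % (method, path)


# Constructed sample flows (not captures).
SAMPLE_FLOWS = {
    "browser": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    "bittorrent_default_port": Flow(6881, b"\x13BitTorrent protocol" + b"\x00" * 8
                                    + b"\x11" * 20 + b"-AZ2104-" + b"\x22" * 12),
    "bittorrent_on_80": Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8
                             + b"\x11" * 20 + b"-AZ2104-" + b"\x22" * 12),
    "kazaa_on_80": Flow(80, b"GET /.hash=0123456789abcdef HTTP/1.1\r\n"
                            b"Host: 10.0.2.7\r\nUser-Agent: KazaaClient\r\n\r\n"),
    "gnutella_on_80": Flow(80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.0\r\n\r\n"),
}


def run_samples(flows=SAMPLE_FLOWS):
    """Map each flow name to (port verdict, application verdict, reason)."""
    results = {}
    for name, flow in flows.items():
        verdict, reason = app_policy(flow)
        results[name] = (port_policy(flow), verdict, reason)
    return results


if __name__ == "__main__":
    for name, (port, app, reason) in run_samples().items():
        print("%-24s port-rule=%-5s app-rule=%-5s (%s)" % (name, port, app, reason))
```

Running it prints one line per flow: the port rule lets the BitTorrent handshake and the Kazaa request straight through as soon as they move to port 80, while the payload and User-Agent checks still catch them. The limit is the one the thread keeps coming back to: a signature only catches a client whose strings you already know, so a renamed User-Agent or an encrypted transport slips past, which is why the advice here pairs it with locking down the host itself.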
- YeOldeStonecat
Double NAT'ing won't stop P2P. Slow it down a bit...yeah, but stop....no.
Eric I'm assuming you found the article at ISAServer.org about signatures..and attempted that one? Thing is, the P2P apps are now so configurable..they're able to easily be changed to use so many different ports. Hard to keep up with them. Crank up the monitoring settings on him and watch for what traffic he's getting heavy on, and keep up with blocking it.
I haven't wrestled with blocking P2P with ISA in a couple of years. Is he using the client?
Authentication being used on ISA? Or is it open to "all users"?
Another thing is just keep remotely scouring his hard drive looking for his "P2P client of the month" that he's using..and via GP disallow run it.
MORNING WOOD Lumber Company
Guinness for Strength!!!
Have you tried manually turning off the port it uses and disabling UPnP forwarding on the router itself? It may help. Also there is a program called "Child Safe" from Webroot that has a lot of neat features, even to the point of turning the computer off after 1 hour of the user being on it. Hope it helps and I'll look into this, very interesting topic.
Suppose I could do the NBAR thing, but I would need to update my IOS for that to work. Plus I have my router behind my firewall (multiple internal networks), so I am not sure how well it would work.
Yep, already have that all setup. I will double check on my work, but so far it looks like it doesn't work for me. I could monitor, block, repeat, etc. But I do this for a living, when I come home I don't want to worry about monitoring and making constant changes. I would rather just relax and enjoy using my computer.
I am using authentication, and will be forcing it once I get him setup on a fresh computer and join it to the domain. Most likely I will end up just doing the GP thing to disallow any installs or run of an unknown application, etc. combined with blocking him from downloading anything that is an application.
Genesis, you can't just block ports anymore. That is the whole point, many clients will search out and use any open ports. Blocking all ports means blocking the internet totally. If I wanted a client end application I know I could find them. I am looking to block certain types of activity from out of his reach. Basically I am also looking for something that would be used in a corporate type setting.
ErikD wrote: Basically I am also looking for something that would be used in a corporate type setting.

At one of my client locations I have an OpenBSD firewall setup with very tight pf rules. The firewall is running Dansguardian alongside Squid for a transparent proxy. It's HIGHLY configurable and with Dansguardian you can stop a lot before it even reaches the end user.
If you want to take the time to build such a box it will provide you with what you are looking for and I'll guarantee you won't see the amount of "trash" on his box as previous.
With that, along with a strong group policy, you shouldn't have to worry about it much. I documented the build on my website if you want to have a look: http://www.computerglitch.net/view?tip=20
Well I have had some success (I am still in the process of testing though).
I used this article:
http://www.isaserver.org/articles/2004blockp2pim.html
as a basis. I then configured the signatures as defined by MS. I also setup very restrictive rules in ISA to only allow things that I know are needed (http, ftp, pop3). I then denied access to download applications, compressed files, basically everything but websites and pictures.
So far on my testing PC it is looking good. I can surf the web pretty freely, but not do anything that might cause problems. The next test will be when I setup his computer freshly, and put it on the domain, etc.
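Eric's final rule set (allow only http, ftp and pop3; deny downloads of applications and compressed files; require authentication) can be written out as a single decision function, which makes it easy to test against the cases that matter. The following Python is an added example for this page, not his ISA configuration and not Dansguardian's or Squid's code; the sample transfers are constructed, and the extension, MIME-type and magic-byte lists are assumptions. It goes one step beyond the post by also checking the response's Content-Type, the Content-Disposition filename and the body's first bytes, because a rule that looks only at the URL's extension lets `download.php` hand back an .exe.

```python
"""Added example, not ErikD's ISA rule set: a proxy-side decision function
that mirrors "only http/ftp/pop3, no applications or compressed files" and
adds the checks an extension-only rule misses (a Content-Type that says
executable behind a .php URL, a Content-Disposition filename, and the file's
own magic bytes when the headers lie).

Sample transfers are constructed; the extension, MIME and magic-byte lists
are assumptions chosen for illustration.
"""
import posixpath
from urllib.parse import urlsplit

ALLOWED_PORTS = {80: "http", 21: "ftp", 110: "pop3"}

BLOCKED_EXTENSIONS = {".exe", ".msi", ".com", ".scr", ".bat", ".cmd", ".pif",
                      ".zip", ".rar", ".7z", ".cab", ".torrent"}
BLOCKED_MIME = {"application/x-msdownload", "application/x-msdos-program",
                "application/octet-stream", "application/zip",
                "application/x-rar-compressed", "application/x-bittorrent"}
# Leading bytes of the file types the rule set is meant to keep off the box.
MAGIC = [(b"MZ", "DOS/PE executable"), (b"PK\x03\x04", "ZIP archive"),
         (b"Rar!\x1a\x07", "RAR archive"), (b"d8:announce", "torrent metainfo")]


def extension_of(name):
    """Lower-cased extension of the last path component ('' if none)."""
    return posixpath.splitext(name.lower())[1]


def filename_from_disposition(value):
    """Pull the filename out of e.g. 'attachment; filename="setup.exe"'."""
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("filename="):
            return part[len("filename="):].strip().strip('"')
    return ""


def decide(user, port, url, response_headers, body_prefix=b""):
    """Return ('allow'|'deny', reason) for one proxied transfer.

    user is the authenticated account (None = anonymous), response_headers the
    headers the server sent back, body_prefix the first bytes of the body.
    """
    if user is None:
        return "deny", "unauthenticated request"
    if port not in ALLOWED_PORTS:
        return "deny", "port %d is not in the allow list" % port
    path = urlsplit(url).path
    ext = extension_of(path)
    if ext in BLOCKED_EXTENSIONS:
        return "deny", "blocked extension %s in URL" % ext
    headers = {k.lower(): v for k, v in response_headers.items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_MIME:
        return "deny", "blocked Content-Type " + ctype
    fname = filename_from_disposition(headers.get("content-disposition", ""))
    if fname and extension_of(fname) in BLOCKED_EXTENSIONS:
        return "deny", "blocked extension in Content-Disposition: " + fname
    for magic, desc in MAGIC:
        if body_prefix.startswith(magic):
            return "deny", "body is a %s whatever the headers say" % desc
    return "allow", "%s %s" % (ALLOWED_PORTS[port], path or "/")


# Constructed sample transfers: (user, port, url, response headers, body prefix)
SAMPLES = {
    "web_page": ("eric", 80, "http://www.example.com/index.html",
                 {"Content-Type": "text/html"}, b"<html>"),
    "anonymous": (None, 80, "http://www.example.com/", {"Content-Type": "text/html"}, b"<html>"),
    "p2p_port": ("bro", 6881, "http://10.0.2.7:6881/", {}, b""),
    "installer_by_name": ("bro", 80, "http://www.example.com/setup.exe", {}, b""),
    "installer_behind_script": ("bro", 80, "http://www.example.com/download.php?id=42",
                                {"Content-Type": "application/x-msdownload"}, b"MZ"),
    "archive_by_disposition": ("bro", 80, "http://www.example.com/get?id=7",
                               {"Content-Type": "text/plain",
                                "Content-Disposition": 'attachment; filename="client.zip"'},
                               b"PK\x03\x04"),
    "exe_labelled_as_image": ("bro", 80, "http://www.example.com/funny.jpg",
                              {"Content-Type": "image/jpeg"}, b"MZ\x90\x00"),
    "real_image": ("bro", 80, "http://www.example.com/photo.jpg",
                   {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff"),
}


def run_samples(samples=SAMPLES):
    """Map each sample name to the (verdict, reason) decide() returns."""
    return {name: decide(*args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print("%-26s %-5s %s" % (name, verdict, reason))
```

Running it shows the three transfers an extension-only rule would have let through (`installer_behind_script`, `archive_by_disposition`, `exe_labelled_as_image`) being denied on the Content-Type, the Content-Disposition filename and the MZ header respectively, while the plain page and the real JPEG are allowed. The magic-byte check is the one worth keeping even if the others are already configured in the proxy, since a server can put whatever it likes in the headers.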