Thursday, 8 November 2012

How to block P2P Traffic on a Cisco Router

P2P (peer-to-peer) is a networking model widely used to share large volumes of files over the network. It uses protocols such as BitTorrent to download as well as share data over the Internet. In a peer-to-peer network each computer acts as a server or a client for the other computers. Since the files are available from various sources, a file can be downloaded quickly using a P2P application.


Nowadays P2P plays a major role on the Internet, where millions of people use it to download movies, games, software, etc. Statistics show that around 30-40% of global Internet traffic is P2P traffic. A recent survey conducted by Cisco estimated that P2P traffic will double (7 Petabytes per month) by 2014 compared to 2009, when it was only 3.2 Petabytes per month.

How P2P works?

The P2P file sharing process works like this:

1. You run software such as uTorrent on your computer and send out a request for a file you want to download.
2. The software (e.g. uTorrent) queries other computers that are connected to the Internet and running similar software.
3. As soon as it finds the file on another computer, the download begins.
4. In the same way, other computers download the file from your computer.
 
Major P2P Protocols

1. BitTorrent (Azureus, BitSpirit, BitTorrent.Net, MLdonkey, QTorrent, µTorrent, etc)
2. Gnutella (BearShare, iMesh, Gnotella, Gnucleus, GTK-gnutella, LimeWire, etc)
3. FastTrack (Grokster, iMesh, Kazaa, Morpheus, etc)
4. eDonkey (eMule, Overnet, etc )
5. Direct Connect (BCDC++, DC++, NeoModus Direct Connect, etc )
6. OpenNap ( WinMX )

How to Block P2P?

Blocking P2P traffic is a real challenge because P2P protocols use dynamic ports to connect to our computers. Cisco provides two features to block P2P traffic on the gateway. This document will guide you through configuring both methods to block P2P traffic in your network. However, I cannot guarantee 100% blocking of P2P because of its port-hopping ability and the encryption used in the traffic.
The two features that Cisco provides to block P2P traffic are:

1. NBAR

2. Application Control in Zone Based Firewall.
  • This example is based on a Cisco Integrated Services Router running IOS 15.0(1)M3 code.

1. Blocking P2P using NBAR

NBAR is a classification engine that can recognize a wide variety of applications via deep packet inspection. This feature is available from Cisco IOS Version 12.0(5)XE2. It can identify applications including web-based applications and client/server applications that dynamically assign TCP and User Datagram Protocol (UDP) port numbers, as well as P2P applications. NBAR helps the network administrator classify traffic and define QoS policies, thereby ensuring the best bandwidth for legitimate traffic. For more info visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/prod_case_study09186a00800ad0ca.html

Follow the steps below to block P2P traffic using the NBAR deep packet inspection engine.

    Enable CEF on your router. To do this, type the following command in global configuration mode:

    Cisco_ISR(config)#ip cef

    Create a class map that groups all the P2P protocols. Type the commands as below:

    Cisco_ISR(config)#class-map match-any ALL-P2P-PROTOCOLS
    Cisco_ISR(config-cmap)#match protocol edonkey
    Cisco_ISR(config-cmap)#match protocol fasttrack
    Cisco_ISR(config-cmap)#match protocol gnutella
    Cisco_ISR(config-cmap)#match protocol winmx
    Cisco_ISR(config-cmap)#match protocol cuseeme
    Cisco_ISR(config-cmap)#match protocol kazaa2
    Cisco_ISR(config-cmap)#match protocol irc
    Cisco_ISR(config-cmap)#match protocol bittorrent
    Cisco_ISR(config-cmap)#match protocol skype
    Cisco_ISR(config-cmap)#match protocol ssh

Create a policy map to define what to do with the traffic. In our case the action is drop, since we need to block the P2P traffic.

    Cisco_ISR(config)#policy-map P2P-DROP
    Cisco_ISR(config-pmap)#class ALL-P2P-PROTOCOLS
    Cisco_ISR(config-pmap-c)#drop

Apply the policy to the user-facing (Incoming) interface.

    Cisco_ISR(config)#interface gigabitEthernet 0/0
    Cisco_ISR(config-if)#service-policy input P2P-DROP

Now you can verify the correct operation of the NBAR feature using the command below:
 
   Cisco_ISR#show policy-map interface gigabitEthernet 0/0

Below you can find the output of the above command, where the drop rate is 16000 bps.


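As an added example (not from the original post), a small Python parser for the text that the verification command above prints, run over a constructed sample of `show policy-map interface` output: it reports the drop rate of the ALL-P2P-PROTOCOLS class and which match criteria actually saw packets, which is what you want to know when checking whether NBAR is catching the traffic at all. The sample output and its packet counters are constructed; only the 16000 bps figure is taken from the post.

```python
import re

# Constructed sample of "show policy-map interface" output (not a real capture); it
# follows the IOS layout and reuses the 16000 bps drop rate quoted in the post.
SAMPLE_OUTPUT = """\
GigabitEthernet0/0
  Service-policy input: P2P-DROP
    Class-map: ALL-P2P-PROTOCOLS (match-any)
      2310 packets, 2971460 bytes
      5 minute offered rate 16000 bps, drop rate 16000 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        2310 packets, 2971460 bytes
        5 minute rate 16000 bps
      drop
    Class-map: class-default (match-any)
      5 minute offered rate 412000 bps, drop rate 0 bps
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")

def parse_policy_map(text):
    # Returns {class: {"offered_bps", "drop_bps", "matches": {criterion: packets}}}.
    classes, cur, crit = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {"offered_bps": 0, "drop_bps": 0, "matches": {}})
            crit = None  # the class-level packet counter that follows is not tied to a Match
        elif cur is None:
            continue
        elif m := RATE_RE.search(line):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif m := MATCH_RE.match(line):
            crit = m.group(1)  # the next packet counter belongs to this match criterion
            cur["matches"][crit] = 0
        elif crit and (m := PKTS_RE.match(line)):
            cur["matches"][crit] = int(m.group(1))
    return classes

def active_p2p_matches(text, class_name="ALL-P2P-PROTOCOLS"):
    # Drop rate of the P2P class and only the criteria that actually saw packets.
    cls = parse_policy_map(text).get(class_name)
    if cls is None:
        return None
    return cls["drop_bps"], {k: v for k, v in cls["matches"].items() if v > 0}
```

A drop rate of 0 with non-zero counters under a match criterion means the class is matching but the policy is not dropping, which usually points at a service-policy applied in the wrong direction.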

2. Blocking P2P Using Application Control feature in Zone Based Firewall

This configuration requires a Zone Based Firewall already configured on your router. If you don't have one configured, you can refer to the following document to do the configuration: http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html
Now, to block P2P traffic using a Zone Based Firewall, follow the steps below.

Task 1: Configure HTTP port-misuse policy

With this configuration you can stop the misuse of the HTTP port by P2P and other applications.
Create a class map to define the port-misuse parameters. Type the commands as below:
  
   Router(config)#class-map type inspect http match-any HTTP-PORT-MISUSE
   Router(config-cmap)#match request port-misuse im
   Router(config-cmap)#match request port-misuse p2p
   Router(config-cmap)#match request port-misuse tunneling

Create a policy map that defines what to do with the traffic and apply the class map 'HTTP-PORT-MISUSE' created above to it.
 
  Router(config)#policy-map type inspect http HTTP-PORT-MISUSE-POLICY
  Router(config-pmap)#class type inspect http HTTP-PORT-MISUSE
  Router(config-pmap-c)#reset
  Router(config-pmap-c)#log

Now apply this policy map to the outgoing HTTP inspection policy:
 
  Router(config)#policy-map type inspect IN-TO-OUT-POLICY
  Router(config-pmap)#class type inspect HTTP-ACCESS
  Router(config-pmap-c)#inspect
  Router(config-pmap-c)#service-policy http HTTP-PORT-MISUSE-POLICY

For more information about the port-misuse commands refer to: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p1.html#wp1064215

Task 2: Configuring a firewall policy to block P2P traffic

Here we define the class maps and policy maps for a firewall policy that explicitly blocks P2P traffic on your firewall. Type the commands as below:

Class Map
 
  Router(config)#class-map type inspect match-any ALL-P2P-PROTOCOLS
  Router(config-cmap)#match protocol edonkey signature
  Router(config-cmap)#match protocol gnutella signature
  Router(config-cmap)#match protocol kazaa2 signature
  Router(config-cmap)#match protocol fasttrack signature
  Router(config-cmap)#match protocol bittorrent signature

Now apply the above class map to the outgoing policy-map configuration.

Policy Map

  Router(config)#policy-map type inspect IN-TO-OUT-POLICY
  Router(config-pmap)#class type inspect ALL-P2P-PROTOCOLS
  Router(config-pmap-c)#drop log

Verification

You can verify the above operation using the command:

 Router#show policy-map type inspect zone-pair

Below you can find the output of the verification command.


It is best practice to place the class map you created to block P2P traffic above all other class maps in your inside-to-outside policy map (firewall policy), because the first class whose match criteria hit decides the action for a flow, and a broader class placed earlier would inspect and permit the traffic before the P2P class ever sees it.
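An added check (not part of the original post) for that ordering rule: it reads the inspect policy-map stanza out of a running-config excerpt and verifies that the P2P class is listed first. The config excerpt is constructed and deliberately shows the wrong order.

```python
import re

# Constructed running-config excerpt (not a real capture) showing the ordering the post
# warns against: the P2P class sits below HTTP-ACCESS, which inspects the flow first.
SAMPLE_CONFIG = """\
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-ACCESS
  inspect
  service-policy http HTTP-PORT-MISUSE-POLICY
 class type inspect ALL-P2P-PROTOCOLS
  drop log
 class class-default
  drop
!
"""

PMAP_RE = re.compile(r"^policy-map type inspect (\S+)\s*$")
CLS_RE = re.compile(r"^ class (?:type inspect )?(\S+)\s*$")

def class_order(config, policy_name):
    # Ordered class names inside the named inspect policy-map, or None if it is absent.
    classes, inside = [], False
    for line in config.splitlines():
        if m := PMAP_RE.match(line):
            inside = m.group(1) == policy_name
        elif inside and line and not line.startswith(" "):
            break  # a top-level line ("!" or the next stanza) ends the policy-map
        elif inside and (m := CLS_RE.match(line)):
            classes.append(m.group(1))
    return classes or None

def p2p_class_is_first(config, policy_name="IN-TO-OUT-POLICY",
                       p2p_class="ALL-P2P-PROTOCOLS"):
    # The best practice from the post: the P2P class must precede every other class,
    # because the first class whose match criteria hit decides the action for the flow.
    order = class_order(config, policy_name)
    return bool(order) and order[0] == p2p_class
```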

For advanced configuration and IM application blocking visit http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html

With all the above configurations we can only block P2P traffic to an extent. They will not give you a complete solution because of the encryption used in P2P traffic, which prevents the Cisco device from doing deep packet inspection. I suggest using additional applications in your network alongside NBAR or ZBFW in order to prevent P2P traffic.

You may also find this document useful: Cisco IOS Local Content Filtering
