Blocking P2P in SBS2003 network with no ISA Server

Tags:
Firewalls
Forensics
Incident response
Intrusion management
Network security
Networking
Security
VPN
Wireless
Hi All, I manage a small SBS2003 network, which doesn't have ISA server - i.e. the SBS box and all clients are wired via a switch to the ADSL router (Netgear DG384G). One of the users has been downloading MP3s from a P2P network and I want to block this sort of activity. Can I just block particular outgoing ports on the router? If so, which ports do I need to block and are there any legitimate services which may be affected? Thanks in advance, Roger

Answer Wiki


You can enable logging on the router, and see which ports are being used. One of many resources for port info is at

http://www.speedguide.net/ports.php

Once you determine that a given port is not used for appropriate business purposes, you can block it. Since many of the P2P services can use a wide variety of ports, you will be playing a cat-and-mouse game. From my perspective, this is more of a policy issue than a technical one. Does your organization have a clear and well-known appropriate use policy? That would be a good place to start, with your management taking ownership of it as a business issue.

Good luck.

Craig Herberg

Discuss This Question: 10  Replies

  • Larrythethird
    With most Netgear routers, you should be able to block specific sites. This model is not listed on their web site, so I can't tell for sure how to block a site. Other than that, it sounds like a good firewall is in order.
  • Briavael
    I have to agree with Craig that you're going to be caught up in whack-a-mole trying to block access by ports. These programs have gotten pretty good at port hopping and using well known open ports like 80 or 21. That said, the various programs use different ports. The two popular ones: Fast-Track (i.e. Kazaa, Morpheus) - 1214; Gnutella (i.e. Limewire, Bearshare) - 6346, 6347. What I would do is build a Linux firewall (like IPCop) and then use FTwall which will effectively block transmission based on iptables. The result is to block network access of a user who launches a P2P client. They will only get access back once the program is closed completely. Of course adding a new platform to your network may not be what you wish to do - to second Craig's thought, you would best be served by establishing an Acceptable Use Policy. Personally I like having both a technical solution as well as policy to back it up...
  • Rmrsystems
    Thanks Guys, @larrythethird - sorry, typo in there somewhere, the router is a Netgear DG834G. I guess a combination of acceptable use and enforcement / monitoring is ideal although the client already has an acceptable use policy, it's just being ignored. Trouble is, when it's ignored, I have to spend time cleaning the whole network of the spyware that's come in on the back of the P2P application. Maybe a combination of blocked ports and broken fingers? It would be nice to find a piece of h/w or s/w that specifically targets this sort of activity - anybody know of such a thing? Thanks again, Roger
  • MennoT
    Any decent router has the possibility to block unwanted traffic: RTFM! In the case of peer-to-peer networking, blocking specific sites won't be very effective - it is easy enough to find another site. You should block things on port level. The best solution is not to look at evil things that you want to block, but to see what you want to allow, for instance, http (tcp/80), https (tcp/443), smtp (tcp/25) and possibly a few other things. Just block the rest! To be more secure, you should preferably allow these protocols only via a proxy, or, for email, a secure smtp relay server with virus scanning, so you can also limit the IP addresses that can go out. MennoT
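Craig's suggestion (turn on router logging and see which ports are actually used) and MennoT's (allow http/https/smtp outbound and block the rest) can be combined into a quick triage script over the exported log. The following is an added example written for this page, not code from any of the posters: the log format is constructed and generic, and the allow-list and the P2P ports (1214 FastTrack, 6346/6347 Gnutella) are the ones named in the thread. It also flags a host that reaches many distinct random high ports on many peers, which is the port-hopping pattern Briavael describes.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-connection log lines in a generic syslog
# style (not the DG834G's real format; adapt LINE_RE to your router's output).
SAMPLE_LOG = """\
Jan 10 09:12:01 gw OUT src=192.168.1.21:50123 dst=203.0.113.9:80 proto=TCP
Jan 10 09:12:03 gw OUT src=192.168.1.21:50124 dst=203.0.113.9:443 proto=TCP
Jan 10 09:12:05 gw OUT src=192.168.1.33:50201 dst=198.51.100.7:1214 proto=TCP
Jan 10 09:12:06 gw OUT src=192.168.1.33:50202 dst=198.51.100.8:6346 proto=TCP
Jan 10 09:12:06 gw OUT src=192.168.1.33:50203 dst=198.51.100.9:6347 proto=UDP
Jan 10 09:12:08 gw OUT src=192.168.1.33:50204 dst=198.51.100.10:41873 proto=TCP
Jan 10 09:12:09 gw OUT src=192.168.1.33:50205 dst=198.51.100.11:28119 proto=TCP
Jan 10 09:12:10 gw OUT src=192.168.1.10:50300 dst=203.0.113.25:25 proto=TCP
"""
LINE_RE = re.compile(r"src=(\S+):\d+ dst=(\S+):(\d+) proto=(?:TCP|UDP)")

# Egress allow-list from the thread: http, https, smtp. Everything else is suspect.
ALLOWED_PORTS = {80, 443, 25}
# Fixed ports the thread names for the two popular P2P networks.
KNOWN_P2P_PORTS = {1214: "FastTrack", 6346: "Gnutella", 6347: "Gnutella"}


def parse(log):
    """Yield (src_host, dst_host, dst_port) for each line LINE_RE matches."""
    for m in LINE_RE.finditer(log):
        yield m.group(1), m.group(2), int(m.group(3))


def flag_hosts(log, high_port_threshold=2):
    """Return {internal host: [reasons]} for egress outside the allow-list.
    A known P2P port is reported by name. Port-hopping clients avoid fixed
    ports, so a host reaching several distinct random high ports (>=1024) on
    distinct peers is reported as a P2P-like pattern instead."""
    findings = defaultdict(list)
    high_peers = defaultdict(set)
    for src, dst, port in parse(log):
        if port in ALLOWED_PORTS:
            continue
        if port in KNOWN_P2P_PORTS:
            findings[src].append(f"{KNOWN_P2P_PORTS[port]} port {port}")
        elif port >= 1024:
            high_peers[src].add((dst, port))
        else:
            findings[src].append(f"unlisted port {port}")
    for src, peers in high_peers.items():
        if len(peers) >= high_port_threshold:
            findings[src].append(f"{len(peers)} distinct random high ports")
    return dict(findings)
```

As the thread points out, a client that tunnels over port 80 is invisible to this check, so the output is a starting list for the allow-list discussion, not proof of innocence for hosts it does not flag.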
  • Rmrsystems
    @MennoT - RTFM? Yes, I have, and always do. Perhaps you should have read my question more carefully before throwing patronising insults around.
  • DrillO
    Good morning.... All of the advice so far has been really good for the most part. Yes, there are technical solutions to handle this. Research will tell you a lot, as will reading this forum. The comment that I would make is that policy without consequence is worthless. Yes, we can provide technical solutions, but when policies are blatantly ignored, because there is no fear of getting caught, there is a bigger business issue. It is, at times, prudent for us to make suggestions regarding policy and business practice. Good luck, Paul
  • MennoT
    Excuse me, it was not my intention to insult. Maybe I can compensate by clarifying in more detail how to implement a solution. Looking for information about your router on the Netgear website, I found clear instructions how to define authorization rules: http://kbserver.netgear.com/inquira/default.asp?ui_mode=answer&prior_transaction_id=163259&action_code=5&highlight_info=16777968,580,632&turl=http%3A%2F%2Fkbserver.netgear.com%2Fkb_web_files%2Fn101145.asp&answer_id=16307098#__highlight (to create an inbound or outbound rule). Probably this information will be in the manual too. Using that procedure, define outbound rules for the services you want to allow and block the remainder. Possibly with the exception of email, you probably don't run services that should be accessible from the Internet, so block all inbound traffic except that service (if you need it). You can further tighten inbound access by restricting it to a specific host. MennoT
  • Rmrsystems
    Thanks again, @MennoT - end of a long hard day and serious sense of humour failure. My apologies for my abrupt response. Your input and suggestions are very welcome. You'll have gathered now that it's not that I don't know how to block ports/services on the router - just that I don't know which ones to block. I guess it makes sense to start by blocking all outgoing services and then unblock what is actually needed. Does that sound sensible? I already have everything incoming blocked except for remote desktop so I can administer the server when off-site. Even then, I just open up this port via the router admin when I need to access it - it's normally closed. Roger
  • MennoT
    All right! Blocking everything and waiting until your people start to complain is an approach, if you can afford it. A slight modification to this is to begin with an inquiry into what is happening now and define rules for that, at least, as far as you can identify it (otherwise Kazaa and co. would get in the rule set as well!). Maybe the router allows you to collect such data, otherwise you could start with a list of applications that are officially in use and find the tcp/udp port numbers of it. If you don't know the port numbers, start the application on a machine and give a netstat command in parallel. Be careful: some applications use random high ports (1024 and higher) next to a fixed port, forcing you to open a port range. This is something you must recognise. Also, some applications set up sessions in the reverse direction, making it necessary to open ports in the opposite direction as well. (An example of this is ftp - but in this case, most firewalls will allow the secondary session automatically.) As a result, blocking all incoming traffic might lead to problems, even though the initiative is only from the inside! Some trial and error may sometimes be unavoidable to get things working in spite of all blocking. Things like Instant Messaging (if you would want to allow that) in particular could prove difficult. MennoT
  • Ciscocat6k
    If you want a H/W-S/W solution look at the BlueCoat device. It is very effective at blocking this type of traffic. The problem with this type of traffic is that it can tunnel out on port 80, thereby making it difficult to use port blocking. The BlueCoat device also gives you granular control over the use of IM, Webmail and various other FW opening services. If you really wish to control it, this is one of the possible solutions out there. Additionally you could install a Checkpoint FW on a Nokia platform for deep packet inspection. The Checkpoint NG-AI systems block a great deal of IM and P2P services with just a check in the box. If cheap and cheerful is what you wish, try installing Squid with Squidguard on a Linux platform for a nice web-caching and URL filter solution. Squidguard will allow you to also stop the P2P issues while giving you the advantage of a webcache engine to help with your outside world link - price free for software, you just need to find some old h/w to install it on. Will run very comfortably on an old P2/P3 box for up to around 500 users (in my experience). Hope this helps. Cheers, CatMan