Hi All,
I manage a small SBS2003 network, which doesn't have ISA server - i.e. the SBS box and all clients are wired via a switch to the ADSL router (Netgear DG384G). One of the users has been downloading MP3s from a P2P network and I want to block this sort of activity.
Can I just block particular outgoing ports on the router? If so, which ports do I need to block and are there any legitimate services which may be affected?
Thanks in advance,
Roger
ASKED: March 6, 2005 4:00 AM
UPDATED: March 10, 2005 6:44 AM
With most Netgear routers, you should be able to block specific sites. This model is not listed on their web site, so I can’t tell for sure how to block a site. Other than that, it sounds like a good firewall is in order.
I have to agree with Craig that you’re going to be caught up in whack-a-mole trying to block access by ports. These programs have gotten pretty good at port hopping and using well known open ports like 80 or 21.
That said, the various programs use different ports. The two popular ones:
Fast-Track (i.e. Kazaa, Morpheus) – 1214
Gnutella (i.e. Limewire, Bearshare) – 6346, 6347
What I would do is build a Linux firewall (like IPCop) and then use FTwall which will effectively block transmission based on iptables. The result is to block network access of a user who launches a P2P client. They will only get access back once the program is closed completely.
Of course adding a new platform to your network may not be what you wish to do – to second Craig’s thought, you would best be served by establishing an Acceptable Use Policy. Personally I like having both a technical solution as well as policy to back it up…
Thanks Guys,
@larrythethird – sorry, typo in there somewhere, the router is a Netgear DG834G.
I guess a combination of acceptable use and enforcement / monitoring is ideal although the client already has an acceptable use policy, it’s just being ignored. Trouble is, when it’s ignored, I have to spend time cleaning the whole network of the spyware that’s come in on the back of the P2P application.
Maybe a combination of blocked ports and broken fingers? It would be nice to find a piece of h/w or s/w that specifically targets this sort of activity – anybody know of such a thing?
Thanks again,
Roger
Any decent router has the possibility to block unwanted traffic: RTFM! In the case of peer-to-peer networking, blocking specific sites won’t be very effective – it is easy enough to find another site.
You should block things at port level. The best solution is not to look at the evil things that you want to block, but to see what you want to allow, for instance, http (tcp/80), https (tcp/443), smtp (tcp/25) and possibly a few other things. Just block the rest! To be more secure, you should preferably allow these protocols only via a proxy, or, for email, a secure smtp relay server with virus scanning, so you can also limit the IP addresses that can go out.
MennoT
@MennoT – RTFM? Yes, I have, and always do. Perhaps you should have read my question more carefully before throwing patronising insults around.
Good morning….
All of the advice so far has been really good for the most part. Yes, there are technical solutions to handle this. Research will tell you a lot, as will reading this forum. The comment that I would make is that policy without consequence is worthless. Yes, we can provide technical solutions, but when policies are blatantly ignored, because there is no fear of getting caught, there is a bigger business issue. It is, at times, prudent for us to make suggestions regarding policy and business practice.
Good luck,
Paul
Excuse me, it was not my intention to insult.
Maybe I can compensate by clarifying in more detail how to implement a solution.
Looking for information about your router on the Netgear website, I found clear instructions how to define authorization rules: http://kbserver.netgear.com/inquira/default.asp?ui_mode=answer&prior_transaction_id=163259&action_code=5&highlight_info=16777968,580,632&turl=http%3A%2F%2Fkbserver.netgear.com%2Fkb_web_files%2Fn101145.asp&answer_id=16307098#__highlight
(to create an inbound or outbound rule). Probably this information will be in the manual too.
Using that procedure, define outbound rules for the services you want to allow and block the remainder. Possibly with the exception of email, you probably don’t run services that should be accessible from the Internet, so block all inbound traffic except that service (if you need it). You can further tighten inbound access by restricting it to a specific host.
MennoT
Thanks again,
@MennoT – end of a long hard day and serious sense of humour failure. My apologies for my abrupt response. Your input and suggestions are very welcome.
You’ll have gathered now that it’s not that I don’t know how to block ports/services on the router – just that I don’t know which ones to block. I guess it makes sense to start by blocking all outgoing services and then unblock what is actually needed. Does that sound sensible?
I already have everything incoming blocked except for remote desktop so I can administer the server when off-site. Even then, I just open up this port via the router admin when I need to access it – it’s normally closed.
Roger
All right!
Blocking everything and waiting until your people start to complain is an approach, if you can afford it. A slight modification to this is to begin with an inquiry into what is happening now and define rules for that, at least as far as you can identify it (otherwise Kazaa and co. would get into the rule set as well!). Maybe the router allows you to collect such data; otherwise you could start with a list of applications that are officially in use and find the tcp/udp port numbers for them. If you don’t know the port numbers, start the application on a machine and give a netstat command in parallel.
Be careful: some applications use random high ports (1024 and higher) next to a fixed port, forcing you to open a port range. This is something you must recognise. Also, some applications set up sessions in the reverse direction, making it necessary to open ports in the opposite direction as well. (An example of this is ftp – but in this case, most firewalls will allow the secondary session automatically.)
As a result, blocking all incoming traffic might lead to problems, even though the initiative is only from the inside! Some trial and error may sometimes be unavoidable to get things working in spite of all the blocking. Things like Instant Messaging (if you want to allow that) in particular could prove difficult.
MennoT
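As an added example (not code from any poster in this thread), a small Python script that does what MennoT describes: parse the output of `netstat -ano` taken on a Windows client while the applications run, group remote ports per process, and mark which sessions would survive a default-deny outbound ruleset that allows only tcp/80, tcp/443 and tcp/25. The netstat output, addresses and PIDs are constructed for the example.

```python
"""Check observed netstat sessions against an outbound allow-list (added example)."""
from collections import defaultdict

# Constructed sample of `netstat -ano` output from a Windows client.
# PID 2208 stands in for a P2P client talking to Fast-Track (tcp/1214)
# and Gnutella (tcp/6346) ports; all values here are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.10:1045      203.0.113.5:80         ESTABLISHED     1324
  TCP    192.168.0.10:1046      203.0.113.9:443        ESTABLISHED     1324
  TCP    192.168.0.10:1050      192.168.0.2:25         ESTABLISHED     1560
  TCP    192.168.0.10:1071      198.51.100.7:1214      ESTABLISHED     2208
  TCP    192.168.0.10:1072      198.51.100.8:6346      SYN_SENT        2208
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  UDP    192.168.0.10:1073      *:*                                    2208
"""

# Outbound services to allow; everything else is blocked at the router.
ALLOWED_OUTBOUND = {("TCP", 80), ("TCP", 443), ("TCP", 25)}


def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state, pid) for outbound sessions."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unknown protocol
        proto, foreign = parts[0], parts[2]
        # UDP rows have no State column, so the PID is the fourth field.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        if state == "LISTENING" or foreign in ("*:*", "0.0.0.0:0"):
            continue  # a listener, not a session initiated from the inside
        ip, port = foreign.rsplit(":", 1)
        flows.append((proto, ip, int(port), state, pid))
    return flows


def classify(flows, allowed=ALLOWED_OUTBOUND):
    """Group remote ports per PID and mark which ones the allow-list blocks."""
    report = defaultdict(lambda: {"allowed": set(), "blocked": set()})
    for proto, _ip, port, _state, pid in flows:
        key = "allowed" if (proto, port) in allowed else "blocked"
        report[pid][key].add(f"{proto.lower()}/{port}")
    return dict(report)


if __name__ == "__main__":
    for pid, verdict in sorted(classify(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(pid, sorted(verdict["allowed"]), sorted(verdict["blocked"]))
```

Processes whose ports land in the "blocked" set either need an explicit allow rule (an officially used application) or are exactly the traffic the rule set is meant to stop; the listening RDP socket is skipped because it belongs to the inbound rules.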
If you want a H/W-S/W solution, look at the BlueCoat device. It is very effective at blocking this type of traffic. The problem with this type of traffic is that it can tunnel out on port 80, thereby making it difficult to use port blocking. The BlueCoat device also gives you granular control over the use of IM, Webmail and various other FW-opening services. If you really wish to control it, this is one of the possible solutions out there. Additionally, you could install a Checkpoint FW on a Nokia platform for deep packet inspection. The Checkpoint NG-AI systems block a great deal of IM and P2P services with just a check in the box. If cheap and cheerful is what you wish, try installing Squid with Squidguard on a Linux platform for a nice web-caching and URL filter solution. Squidguard will allow you to also stop the P2P issues while giving you the advantage of a webcache engine to help with your outside world link – price free for software, you just need to find some old h/w to install it on. It will run very comfortably on an old P2/P3 box for up to around 500 users (in my experience).
Hope this helps.
Cheers,
CatMan