P2P file sharing is a nightmare for any network or security administrator. BitTorrent clients are "sneaky" in the sense that they get around most port-based controls by using random TCP ports, and with protocol encryption enabled they also obscure the payload that a plain signature would match. They can also be used to download content that is harmful to the enterprise, such as malware or copyright-protected material. If an employee uses a BitTorrent client to download copyright-protected media from the internet, it is the company, as the account holder, that is held liable and may be penalized for the content downloaded. I have used various methods to block this type of traffic, such as ACLs, layer 7 inspection on the firewalls and NBAR protocol discovery, but none of these were able to block such traffic 100% of the time.
Cisco came up with NBAR2 (Next Generation NBAR), which uses advanced classification techniques to detect such traffic. Using the steps below, I have been able to kill P2P (BitTorrent) traffic right in its path 99.9% of the time.
Requirements:
1. IOS software version 15.4(3)M3 or newer
2. The latest NBAR2 protocol pack from Cisco that matches the IOS version

IOS used for this document: c3900e-universalk9-mz.SPA.154-3.M3.bin
NBAR2 package name: pp-adv-isrg2-154-3.M2-20-14.0.0.pack
STEP 1: Upgrade the router IOS to the version stated above.

STEP 2: Upload the NBAR2 package to the router's flash.

STEP 3: Install the NBAR2 package (global configuration mode):
Router(config)# ip nbar protocol-pack flash0:pp-adv-isrg2-154-3.M2-20-14.0.0.pack
Confirm that the correct NBAR protocol pack is now active with the following command:
Router# show ip nbar protocol-pack active
Active Protocol Pack:
Name:                 Advanced Protocol Pack
Version:              14.0
Publisher:            Cisco Systems Inc.
NBAR Engine Version:  20
Creation Time:        Wed Mar 25 13:17:24 UTC 2015
File:                 flash0:pp-adv-isrg2-154-3.M2-20-14.0.0.pack
State:                Active
STEP 4: Create a class-map to identify P2P traffic:
class-map match-any P2P-PROTOCOLS
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol bittorrent
 match protocol irc
 match protocol bittorrent-networking
 match protocol encrypted-bittorrent
The last two matches are VERY IMPORTANT: bittorrent-networking covers the client's tracker and peer-discovery traffic, and encrypted-bittorrent covers sessions that use BitTorrent protocol encryption (MSE/PE), neither of which the plain bittorrent signature matches. Without them, a client with encryption enabled sails straight past the policy.
STEP 5: Create a policy-map for the above class-map:
policy-map P2P-DROP
 class P2P-PROTOCOLS
  drop

STEP 6: Apply the policy-map and NBAR protocol discovery to the LAN interface of the router:
interface GigabitEthernet0/1
 ip nbar protocol-discovery
 service-policy input P2P-DROP

Note that "service-policy input" on the LAN interface only classifies and drops packets entering the router from the LAN side (the clients' own connections and uploads). Traffic arriving from the WAN towards the clients is not inspected by this policy; if you want that direction dropped as well, apply the policy in the output direction on the LAN interface too, and confirm both with "show policy-map interface".

Peer-to-peer file sharing was successfully blocked following this configuration.
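As an added example (this is not code from the original post, and it is not Cisco's NBAR2 classification logic, which Cisco does not publish), the following Python script shows why the port-based ACLs mentioned at the start fail against BitTorrent while payload classification of the kind behind "match protocol bittorrent" works, and why a client with protocol encryption enabled needs a separate heuristic of the kind "match protocol encrypted-bittorrent" provides. The ACL port range, the entropy threshold, and every packet below are constructed assumptions for the example; it generalizes the point to an HTTP session that happens to use a BitTorrent port, which the ACL wrongly drops.

```python
import hashlib
import math
from dataclasses import dataclass

# Assumption for the example: a port-based ACL that blocks the classic
# BitTorrent listening range 6881-6889 and nothing else.
ACL_BLOCKED_PORTS = range(6881, 6890)

# BitTorrent peer-wire handshake layout (BEP 3):
#   <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>
BT_PSTR = b"BitTorrent protocol"
BT_HANDSHAKE_PREFIX = bytes([len(BT_PSTR)]) + BT_PSTR

# Illustrative threshold (bits of entropy per byte) for the heuristic below.
# This is an assumption for the example, not NBAR2's algorithm.
ENTROPY_THRESHOLD_BITS = 6.5


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Plaintext BitTorrent handshake, the first message on a peer connection."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id must be 20 bytes")
    return BT_HANDSHAKE_PREFIX + bytes(8) + info_hash + peer_id


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the payload (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def port_acl_blocks(pkt: Packet) -> bool:
    """Port-based ACL: decides on ports only and never looks at the payload."""
    return pkt.src_port in ACL_BLOCKED_PORTS or pkt.dst_port in ACL_BLOCKED_PORTS


def signature_matches_bittorrent(pkt: Packet) -> bool:
    """Port-agnostic payload signature, the class of check behind 'match protocol bittorrent'."""
    return pkt.payload.startswith(BT_HANDSHAKE_PREFIX)


def looks_like_obfuscated_bittorrent(pkt: Packet) -> bool:
    """Heuristic stand-in for 'match protocol encrypted-bittorrent'. An MSE/PE
    session opens with a 96-byte Diffie-Hellman public key plus random padding,
    so the first client payload is high-entropy and carries no protocol string."""
    return (
        not signature_matches_bittorrent(pkt)
        and len(pkt.payload) >= 96
        and shannon_entropy(pkt.payload) >= ENTROPY_THRESHOLD_BITS
    )


def verdict(pkt: Packet) -> dict:
    return {
        "port_acl": port_acl_blocks(pkt),
        "bittorrent": signature_matches_bittorrent(pkt),
        "encrypted_bittorrent": looks_like_obfuscated_bittorrent(pkt),
    }


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a DH key plus padding."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(b"mse-padding" + bytes([i])).digest()
        i += 1
    return out[:n]


# Constructed sample packets (not captured traffic).
INFO_HASH = hashlib.sha1(b"example-torrent").digest()
PEER_ID = b"-EX0001-" + hashlib.sha1(b"peer").digest()[:12]

SAMPLES = {
    # Client talking to a peer on the default port: both mechanisms catch it.
    "handshake_default_port": Packet(51413, 6881, build_handshake(INFO_HASH, PEER_ID)),
    # Same handshake on a random high port: the ACL is blind, the signature is not.
    "handshake_random_port": Packet(50212, 41337, build_handshake(INFO_HASH, PEER_ID)),
    # MSE/PE-style opening on a random port: no protocol string, high entropy.
    "obfuscated_random_port": Packet(50213, 41338, pseudo_random(96 + 200)),
    # Plain HTTP that happens to use source port 6881: the ACL drops it, payload checks do not.
    "http_on_6881": Packet(6881, 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
}


def run_all() -> dict:
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_all().items():
        print(f"{name:24s} {v}")
```

Run it and read the four verdicts side by side: the random-port handshake is the case that defeats the ACL, the obfuscated session is the case that defeats the plain signature, and the HTTP packet is the collateral damage a port ACL causes. Entropy is a crude stand-in for whatever Cisco's engine actually does, so treat the threshold as a teaching device rather than a deployable detector.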
*********Show commands
show ip nbar protocol-discovery
show ip nbar protocol-discovery interface <interface>
show policy-map interface <interface>
*********Comments

Comment: This command does not seem to exist on a 2900 running 15.4 code. I tried in privileged and config modes. It works on my 3900 series though.

Comment (quoting the class-map lines):
match protocol bittorrent-networking (VERY IMPORTANT)
match protocol encrypted-bittorrent (VERY IMPORTANT)
The above commands exist when you have DATAK9 enabled in the router. Can anyone tell if it's working on 1900 & 2900 G2 ISRs?