Firewall Wizards mailing list archives

Re: stop microsoft p2p


From: Bennett Todd <bet () rahul net>
Date: Thu, 27 Mar 2003 17:49:22 -0500

2003-03-27T08:42:25 Robert E. Martin:
Anyone heard of a device or gizmo that replaces a hub or switch
that can stop p2p or Microsoft file sharing?

Let's generalize the question: how can you prevent some protocols
from working between computers that have network connectivity
between each other?

There are two categories of answer: you can interpose a blocking
device in between, or you can attach a monitoring device that
injects packets to disable protocols when it sees them in action
(e.g. RST to tear down TCP connections). The first is a firewall,
the second is a variety of "intrusion prevention system", a recent
marketing-buzz spinoff from network intrusion detection systems
(NIDS).

Let's explore the two possibilities a bit more.

The tricky bit with trying to interpose a firewall between any pair
of workstations is that this requires a separate firewall port
for each workstation --- and traditionally, firewall ports have
been orders of magnitude more expensive than switch ports. This
has recently been solved. Switch vendors have tightened up their
VLAN and 802.1q trunking implementations so that with careful
configuration, you can set up one-vlan-per-port on a switch, and
trunk all those vlans to a firewall with 802.1q, giving you firewall
ports where you used to have switch ports. Now you can outlaw all
direct communication between workstations; only permit them to talk
the protocols you want them to, to the servers you want them to
be able to access. This is a very appealing approach to a lot of
scenarios; besides hardening "intranets" within offices, it's also a
superb infrastructure for dealing with transient visitors --- e.g.
delivering broadband internet throughout a hotel, or to a cybercafe,
or in the computer room at a conference.

As for the intrusion prevention system, plug it into your hub or
into a span port of your switch, and let it run. For TCP-based
protocols, such passive response is straightforward; unless the
entire TCP transaction is so tiny it happens in the first data
packet (e.g. a typical short http get query), an IPS should be able
to disable the connection by injecting an RST before the attack
completes. For UDP (or other non-TCP) protocols, things are a bit
dicier, since there's no canonical way of turning off services
remotely, and there's no "connection" to drop. But maybe some of
the ICMP tricks will work. Fortunately, designing robust protocols
without the help of TCP is hard enough that few people try; an IPS
can carry you a long way.

If you want to play with the IPS approach, you could build snort
with flexresp enabled and play with that.

-Bennett
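The one-VLAN-per-port design Bennett describes above, shown from the firewall side as an added example (this is not code from the post or from any product it mentions). It assumes a Linux firewall receiving an 802.1q trunk on an assumed interface eth1, eight access-port VLANs 101-108 (one workstation each, with an assumed 10.1.<vlan>.0/24 per VLAN), an assumed server network 10.0.0.0/24, and an assumed list of permitted TCP services; all of those are constructed values. The functions only print the commands, so the policy can be reviewed before it is applied with `sh script.sh apply`.

```shell
#!/bin/sh
# Added example: Linux-side configuration for "one VLAN per switch port,
# trunked to a firewall". Each workstation lands on its own 802.1q
# sub-interface; forwarding between sub-interfaces is denied, so direct
# workstation-to-workstation protocols (SMB, p2p, ...) never pass, and
# only named services toward the server network are permitted.
# All names and numbers here are assumptions for the example:
TRUNK_IF="${TRUNK_IF:-eth1}"          # 802.1q trunk from the switch
FIRST_VLAN=101                        # one VLAN per access port ...
LAST_VLAN=108                         # ... eight workstation ports
SERVER_NET="10.0.0.0/24"              # where the permitted servers live
ALLOWED_TCP="25 80 110 443"           # services workstations may reach

# Create one sub-interface per VLAN and give the firewall an address on
# each, so every workstation's default gateway is the firewall itself.
gen_vlan_links() {
  v=$FIRST_VLAN
  while [ "$v" -le "$LAST_VLAN" ]; do
    echo "ip link add link $TRUNK_IF name $TRUNK_IF.$v type vlan id $v"
    echo "ip addr add 10.1.$v.1/24 dev $TRUNK_IF.$v"
    echo "ip link set $TRUNK_IF.$v up"
    v=$((v + 1))
  done
}

# Forwarding policy: default DROP, replies to accepted flows allowed,
# then one NEW-connection rule per VLAN and permitted service. No rule
# ever names another workstation VLAN as a destination.
gen_filter_rules() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  v=$FIRST_VLAN
  while [ "$v" -le "$LAST_VLAN" ]; do
    for p in $ALLOWED_TCP; do
      echo "iptables -A FORWARD -i $TRUNK_IF.$v -d $SERVER_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    v=$((v + 1))
  done
  # Log what the policy rejects so a blocked protocol shows up in syslog.
  echo "iptables -A FORWARD -j LOG --log-prefix \"vlan-fw-drop: \""
}

# Number of lines a generator emits (used to sanity-check the policy size).
count_lines() { "$1" | wc -l | tr -d ' '; }

# Print the plan by default; apply it only when explicitly asked.
if [ "${1:-}" = "apply" ]; then
  gen_vlan_links | sh
  gen_filter_rules | sh
else
  gen_vlan_links
  gen_filter_rules
fi
```

The policy is deliberately expressed only in terms of ingress sub-interface and server destination; because no rule accepts traffic toward a 10.1.x.0/24 workstation network, adding a new protocol or server later means adding a rule rather than remembering to block something.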
