Firewall Wizards mailing list archives
Re: stop microsoft p2p
From: Bennett Todd <bet () rahul net>
Date: Thu, 27 Mar 2003 17:49:22 -0500
2003-03-27T08:42:25 Robert E. Martin:
> Anyone heard of a device or gizmo that replaces a hub or switch that can stop p2p or microsoft file sharing?
Let's generalize the question: how can you prevent some protocols from working between computers that have network connectivity between each other? There are two categories of answer: you can interpose a blocking device in between, or you can attach a monitoring device that injects packets to disable protocols when it sees them in action (e.g. RST to tear down TCP connections). The first is a firewall, the second is a variety of "intrusion prevention system", a recent marketing-buzz spinoff from network intrusion detection systems (NIDS). Let's explore the two possibilities a bit more.

The tricky bit with trying to interpose a firewall between any pair of workstations is that this requires a separate firewall port for each workstation --- and traditionally, firewall ports have been orders of magnitude more expensive than switch ports. This has recently been solved. Switch vendors have tightened up their VLAN and 802.1q trunking implementations so that with careful configuration, you can set up one-vlan-per-port on a switch, and trunk all those vlans to a firewall with 802.1q, giving you firewall ports where you used to have switch ports. Now you can outlaw all direct communication between workstations; only permit them to talk the protocols you want them to, to the servers you want them to be able to access. This is a very appealing approach to a lot of scenarios; besides hardening "intranets" within offices, it's also a superb infrastructure for dealing with transient visitors --- e.g. delivering broadband internet throughout a hotel, or to a cybercafe, or in the computer room at a conference.

As for the intrusion prevention system, plug it into your hub or into a span port of your switch, and let it run. For TCP-based protocols, such passive response is straightforward; unless the entire TCP transaction is so tiny it happens in the first data packet (e.g. a typical short http get query), an IPS should be able to disable the connection by injecting an RST before the attack completes. For UDP (or other non-TCP) protocols, things are a bit dicier, since there's no canonical way of turning off services remotely, and there's no "connection" to drop. But maybe some of the ICMP tricks will work. Fortunately, designing robust protocols without the help of TCP is hard enough that few people try; an IPS can carry you a long way.

If you want to play with the IPS approach, you could build snort with flexresp enabled and play with that.

-Bennett
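The RST-injection response Bennett describes, as an added example that is not part of the original post and is not Snort's flexresp code: given one observed IPv4/TCP datagram on a port the policy forbids (139 and 445 are an assumed SMB/NetBIOS policy, not something the post specifies), it forges the pair of RST segments an IPS would send, one toward each endpoint, choosing sequence numbers each side will accept. The sample datagrams are constructed in the block itself; putting the forged segments on the wire would need a raw socket or libpcap, which is omitted here.

```python
import struct
import socket

# Assumed policy for this example: tear down NetBIOS session service and SMB over TCP.
BLOCKED_PORTS = {139, 445}
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build a minimal IPv4+TCP datagram (20-byte headers, no options) with valid checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, 6, tcp_len)
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return the fields an IPS needs from an IPv4/TCP datagram, or None if it is not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        return None
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload_len": len(tcp) - data_offset,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def rst_responses(observed):
    """Given one observed datagram, return the forged RSTs (to dst, to src), or None if no action.

    A receiver accepts a RST only if its sequence number is inside the receive window
    (RFC 793). The RST aimed at the receiver of the observed segment therefore carries the
    sequence number that receiver expects next; the RST aimed at the sender carries the
    sender's own ACK number, which is exactly what it expects next from its peer.
    """
    p = parse_ipv4_tcp(observed)
    if p is None or p["flags"] & RST or not ({p["sport"], p["dport"]} & BLOCKED_PORTS):
        return None
    # SYN and FIN each consume one sequence number on top of the payload.
    next_seq = p["seq"] + p["payload_len"] + bool(p["flags"] & SYN) + bool(p["flags"] & FIN)
    to_dst = build_ipv4_tcp(p["src"], p["dst"], p["sport"], p["dport"], next_seq, p["ack"], RST | ACK)
    to_src = build_ipv4_tcp(p["dst"], p["src"], p["dport"], p["sport"], p["ack"], next_seq, RST | ACK)
    return to_dst, to_src


# Constructed samples (not captured traffic): a workstation pushing 4 bytes to a peer's SMB
# port, and an ordinary HTTP request that the assumed policy leaves alone.
OBSERVED_SMB = build_ipv4_tcp("10.0.0.5", "10.0.0.9", 49152, 445, 1000, 5000, PSH | ACK, b"\x00\x00\x00\x85")
OBSERVED_HTTP = build_ipv4_tcp("10.0.0.5", "10.0.0.9", 49153, 80, 1000, 5000, PSH | ACK, b"GET ")

if __name__ == "__main__":
    for forged in rst_responses(OBSERVED_SMB):
        print(parse_ipv4_tcp(forged))
    print(rst_responses(OBSERVED_HTTP))
```

The forged segments race the real traffic: the sensor only sees the offending segment after it has already been forwarded, so, as the post notes, a transaction that completes in its first data packet is not stopped, and the same logic cannot be applied to UDP at all, since there is no peer state for a RST to reset.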
Current thread:
- stop microsoft p2p Robert E. Martin (Mar 27)
- Re: stop microsoft p2p Bennett Todd (Mar 27)
- Re: stop microsoft p2p Julian Gomez (Mar 28)
- Re: stop microsoft p2p Michael LaPane (Mar 28)
- <Possible follow-ups>
- RE: stop microsoft p2p Noonan, Wesley (Mar 27)
- Re: stop microsoft p2p Mark Gumennik (Mar 28)
- RE: stop microsoft p2p Sloane, David (Mar 27)
- RE: stop microsoft p2p Bruce Platt (Mar 28)
- RE: stop microsoft p2p Kessler, Ben (Mar 30)
- Re: stop microsoft p2p Bennett Todd (Mar 27)