Kick file-sharing apps off your network in four steps
Peer-to-peer (P2P) software is an escalating technology: Kazaa Media Desktop is currently the most popular download on CNET Download.com. It's been ranked on the Most Popular chart for 57 weeks and was recently downloaded almost 3 million times in a single week. Other popular P2P downloads include iMesh, Morpheus, and Grokster.
Of course these programs, and others like them, are a security concern for any corporate network. P2P programs can introduce many network threats when they are running on your company's desktop systems. When P2P software is used, copyright laws and policy issues are violated, and the potential for viruses, Trojans, sabotage, and theft increases, not to mention bandwidth consumption concerns.
To defend your network against P2P, you need to take these actions:
- Implement a P2P policy.
- Educate end users and management.
- Stop new hosts from downloading the software.
- Stop existing P2P activity on your network.
When a network is at risk, your first step should be writing and implementing a policy to defend it. P2P policies should address:
- Acceptable use of the network.
- Downloading third-party software.
- Intellectual property theft (copyright infringements).
Educate your users and management
For a policy to be effective, education must occur at both the user and management levels. Educate everyone about the risks they introduce to the network when they download and use P2P applications. Explain that users not only affect their own productivity with these programs but that using P2P applications endangers the entire network. The network becomes less responsive due to the bandwidth used by P2P applications. And downloads can potentially carry viruses or a Trojan that could compromise valuable data.
In addition, make users aware that law enforcement agencies may track their use of P2P applications and that they could be prosecuted for theft of intellectual property if they are found to possess stolen music or cracked software.
Eliminate the clients
To stop users from installing P2P software, restrict software installation permissions to a trusted group of administrators or support personnel. If a user needs software installed, push it remotely or have support install it on site. Maintain a strong configuration management program and keep track of both the network's baseline and which clients have additional software loaded on their systems.
You should also invest in software that regularly performs audits on the network. With such software, you can collect the audited information in a centralized database, which shows who has P2P applications installed, and indicates any other unauthorized software and music users may have.
Several excellent software audit tools are currently available on the market. GASP from Attest Systems is one of my favorites. It audits and tracks software from a central location, and it can identify 99.9 percent of all software running on a variety of clients and server operating systems.
Kill the packets
After you've developed a policy, educated your user base, and cleaned your clients of existing P2P applications, you'll want to kill inbound/outbound P2P packets at the network level. At your border router, create a method to identify and drop the offensive traffic.
The following example demonstrates how to configure a Cisco router to kill P2P packets:
Config t [enter configuration mode]
Ip cef [enable Cisco Express Forwarding]
Interface fa 0/0 [enter interface configuration mode]
Ip nbar protocol-discovery [enable nbar protocol-discovery]
End [exit configuration mode]
This action enables Cisco Express Forwarding (CEF) and network-based application recognition (NBAR). Now you're ready to stop the packets by assigning a differentiated services code point (DSCP) to the offending packets and drop them via an access list:
ip cef
class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol napster
match protocol httpurl? "\.hash=*"
match protocol httpurl? "\.hash=*"
match protocol kazaa2
!
policy-map p2p
class p2p
set ip dscp 1
This configuration assigns a priority mark to the defined protocols and allows you to filter packets that have been assigned to "dscp 1." Next, add the following access list to both your incoming and outgoing router interfaces:
interface FastEthernet 0/0
access-list 100 deny ip any any dscp 1 log
access-list 100 permit ip any any
This configuration will block most P2P applications and eliminate Kazaa's ability to port hop and utilize port 80.
You can also stop P2P traffic at the application level, before the packets reach the clients. Packeteer's PacketShaper is one application-intelligent traffic management solution that provides Layer 7 control over your network. PacketShaper will block offensive traffic, URLs, and a lot more. It can also identify and block music and movie downloads from P2P applications that would result in violations of copyright laws.
Final thoughts
P2P applications are a security nightmare for any corporate network. To eliminate this threat, implement the kind of defense in-depth solution I have outlined here and rid your network of these nonproductive, bandwidth-hogging applications.
TechRepublic originally published this article on 3 September 2003.