Comments on: How to universally disallow P2P?

Question: How to universally disallow P2P?

Afroblanco — Fri, 06 Jan 2006 13:11:56 -0800

Is there any easy way to universally disallow P2P traffic on an office lan?

Part of my job involves administering the office LAN. I want to make sure that nobody on the network can run any sort of P2P. This includes "secure" P2P such as Hamachi.

When I say an easy way, I mean easy. If there's a program that I can install, that would be great. I would rather not delve into server internals or router/firewall configurations.

If there is no easy way to block P2P traffic, I would be just as happy with a tool that could diagnose P2P traffic.

Network information -
Windows and Mac OSX boxes
Servers are Win2K
Using a Tasman router and Pix 501 firewall

By: hattifattener

hattifattener — Fri, 06 Jan 2006 13:20:19 -0800

Can you even define P2P traffic in a concrete way?

My guess is that the best you could do is set up firewall rules to block known protocols that you disapprove of, and keep updating that list as the set of popular protocols changes.

By: shepd

shepd — Fri, 06 Jan 2006 13:25:05 -0800

Well, the "easy" way would be to install a proxy server and disallow all internet access that doesn't go through it. Then you can use the proxy server's configs to adjust it to only allow certain accepted traffic through it. With a *LOT* of effort, someone might be able to tunnel through the thing, or get it to support some kind of P2P, but that level of user knows that what they're doing is wrong, and should be fired. :-)

Of course, this will be extremely limiting to what applications will support internet access (because they have to have proxy server support), so it might not be an option.

By: k8t

k8t — Fri, 06 Jan 2006 13:30:20 -0800

At my old office, we had a packet shaper (packeteer?) that allowed blocking of apps -- and you could click "all p2p traffic."

We set videoconferencing as the number 1 priority, then email, then http, etc. etc.

As soon as it was turned on, people were angry!

But I'd say, "So the head of HR is trying to have a videoconference and it is all fuzzy and choppy because you want to stream porn?"

By: klangklangston

klangklangston — Fri, 06 Jan 2006 13:43:10 -0800

Afroblanco: I always thought that the easy way WAS to mess with router settings. I've had a couple of Linksys routers that I installed where the default was to block p2p traffic by way of IP masking. I had to disable that in order to use p2p and torrents.

By: nkyad

nkyad — Fri, 06 Jan 2006 14:05:23 -0800

Maybe you can setup the users permissions so that they can't install anything. That would be easier but if there too many users and not enough support personnel you end up with a mutiny.

But I agree the best and easiest way to do something about it is configuring the firewall/router to allow only some kinds of traffic. You see, if your job "involves administering the office LAN" you will eventually have to "delve into server internals or router/firewall configurations". The sooner the better.

And just a reminder: P2P, specially torrents, are becoming more and more common as a distribution channel for legitimate applications. In the end, this problem will have to be solved at another level (human resources and office rules) because the technology will be needed. The same way people know they can't go visiting porn sites at work, they will know they can't go downloading porn or music at work.

By: voidcontext

voidcontext — Fri, 06 Jan 2006 14:07:20 -0800

Are you set up as a domain or as a workgroup?

By: poppo

poppo — Fri, 06 Jan 2006 14:57:37 -0800

I'm with nykad, just clean their PCs up and don't let them install anything.

By: Afroblanco

Afroblanco — Fri, 06 Jan 2006 15:15:04 -0800

Thank you all for your suggestions thus far.

voidcontext - we are set up as a domain

nkyad - You see, if your job "involves administering the office LAN" you will eventually have to "delve into server internals or router/firewall configurations".

LAN administration is really only a small part of my job. Blocking P2P traffic isn't an urgent matter, but it's something that I would like to do if there is a quick and easy solution.

In the end, this problem will have to be solved at another level (human resources and office rules) because the technology will be needed.

Good point. This is another reason why it would be just as good if I could diagnose P2P traffic. I could keep the diagnostic tool running, and check the logs every so often, approaching users on a case-by-case basis.

Does anybody know of such a tool?

By: formless

formless — Fri, 06 Jan 2006 16:23:51 -0800

If you're looking to detect P2P traffic, or any other naughty traffic, one method is with an Intrusion Detection System. Snort is a popular one. But it's going to involve setup and administration. And you'll need to determine what rules to enable and really what you want your companies network security policy to be.

Even though they're called intrusion detection systems, most of them will also detect anomalous outgoing traffic.

But this wouldn't really be an easy solution. If you're looking for an easy solution, hire somebody to come in and clamp down your firewall and maybe outsource intrusion detection.

By: nickerbocker

nickerbocker — Fri, 06 Jan 2006 17:33:47 -0800

I'm not really sure how to offer a better answer then what anyone else has already offered. I do, however, have some advice.

Be open and honest with your users from the get go about the whole thing. I was surprised how many of my users really had a false since of privacy when it came to their work computers. They need to know that since you are the administrator, everything they do and store on their work computers is accessible to you. That sort of privilege (and responsibility) is part of the job title.

Also make it clear that you aren't going to waist your time playing big-brother to your fellow employees, but something like a P2P application is going to stir your interest. As well as burning company hours all day on some web site.

That way if you do have to come down on a user they don't get upset when they "feel like their privacy has been invaded."

Speaking from personal experience here.

By: nkyad

nkyad — Fri, 06 Jan 2006 18:10:17 -0800

nickerbocker : "As well as burning company hours all day on some web site."

With the added benefit of scaring your fellow workers away from the said web site, so you can keep burning your company hours here. There you are, your bonus answer, BOFH 101.

By: RikiTikiTavi

RikiTikiTavi — Fri, 06 Jan 2006 21:15:08 -0800

I second the PacketShaper. It's designed for that, and does an excellent job of distinguishing P2P from other stuff.

By: ph00dz

ph00dz — Sat, 07 Jan 2006 07:14:06 -0800

If you're looking for something free, ethereal will do a pretty good job of showing all the activity on your network. I bet it'd run great under OS X.

By: caution live frogs

caution live frogs — Sat, 07 Jan 2006 11:02:13 -0800

I think that a candid approach to the emplyees is the first step here. Knowing how frustrating it is to have to clean up a badly infected system - and also knowing as an end user how frustrating it is to be locked out of making changes to the computer I use daily - I think that personal intervention can go a long way as a first step.

If you simply lock down all the machines people will find a way around it (sure I can't install this program locally, but I can run it off of my thumb drive...). If you leave the machines open and set up complicated filtering rules you're going to piss off people who have some favorite program or other blocked at the level of the server. If you explaion what the issue is first, and then set up a combination of the two (milder lockdown, less restrictive filter rules) you might be able to find a happy medium. Plus, you have a documented session in which yoiu have explained to everyone what is and is not acceptable use of the network. Makes it easier to reprimand abusers if necessary.

By: vanoakenfold

vanoakenfold — Sat, 07 Jan 2006 12:21:36 -0800

Isn't the concept of a LAN and P2P transactions pretty much the same thing? Easiest way (you didn't say smartest) would be to disconnect the LAN altogether or fire everyone ;-P

By: Afroblanco

Afroblanco — Sat, 07 Jan 2006 20:42:34 -0800

Thanks for the help, guys. I'm going to have to look into ethereal. Packeteer looks good, but it seems like somewhat of a heavy-duty solution for my purposes.

PS - thanks for the BOFH links, nkyad! They made me laugh.