How to universally disallow P2P?
January 6, 2006 1:11 PM Subscribe
Is there any easy way to universally disallow P2P traffic on an office lan?
Part of my job involves administering the office LAN. I want to make sure that nobody on the network can run any sort of P2P. This includes "secure" P2P such as Hamachi.
When I say an easy way, I mean easy. If there's a program that I can install, that would be great. I would rather not delve into server internals or router/firewall configurations.
If there is no easy way to block P2P traffic, I would be just as happy with a tool that could diagnose P2P traffic.
Network information -
Windows and Mac OSX boxes
Servers are Win2K
Using a Tasman router and Pix 501 firewall
Part of my job involves administering the office LAN. I want to make sure that nobody on the network can run any sort of P2P. This includes "secure" P2P such as Hamachi.
When I say an easy way, I mean easy. If there's a program that I can install, that would be great. I would rather not delve into server internals or router/firewall configurations.
If there is no easy way to block P2P traffic, I would be just as happy with a tool that could diagnose P2P traffic.
Network information -
Windows and Mac OSX boxes
Servers are Win2K
Using a Tasman router and Pix 501 firewall
Well, the "easy" way would be to install a proxy server and disallow all internet access that doesn't go through it. Then you can use the proxy server's configs to adjust it to only allow certain accepted traffic through it. With a *LOT* of effort, someone might be able to tunnel through the thing, or get it to support some kind of P2P, but that level of user knows that what they're doing is wrong, and should be fired. :-)
Of course, this will be extremely limiting to what applications will support internet access (because they have to have proxy server support), so it might not be an option.
posted by shepd at 1:25 PM on January 6, 2006
Of course, this will be extremely limiting to what applications will support internet access (because they have to have proxy server support), so it might not be an option.
posted by shepd at 1:25 PM on January 6, 2006
At my old office, we had a packet shaper (packeteer?) that allowed blocking of apps -- and you could click "all p2p traffic."
We set videoconferencing as the number 1 priority, then email, then http, etc. etc.
As soon as it was turned on, people were angry!
But I'd say, "So the head of HR is trying to have a videoconference and it is all fuzzy and choppy because you want to stream porn?"
posted by k8t at 1:30 PM on January 6, 2006
We set videoconferencing as the number 1 priority, then email, then http, etc. etc.
As soon as it was turned on, people were angry!
But I'd say, "So the head of HR is trying to have a videoconference and it is all fuzzy and choppy because you want to stream porn?"
posted by k8t at 1:30 PM on January 6, 2006
Afroblanco: I always thought that the easy way WAS to mess with router settings. I've had a couple of Linksys routers that I installed where the default was to block p2p traffic by way of IP masking. I had to disable that in order to use p2p and torrents.
posted by klangklangston at 1:43 PM on January 6, 2006
posted by klangklangston at 1:43 PM on January 6, 2006
Maybe you can setup the users permissions so that they can't install anything. That would be easier but if there too many users and not enough support personnel you end up with a mutiny.
But I agree the best and easiest way to do something about it is configuring the firewall/router to allow only some kinds of traffic. You see, if your job "involves administering the office LAN" you will eventually have to "delve into server internals or router/firewall configurations". The sooner the better.
And just a reminder: P2P, specially torrents, are becoming more and more common as a distribution channel for legitimate applications. In the end, this problem will have to be solved at another level (human resources and office rules) because the technology will be needed. The same way people know they can't go visiting porn sites at work, they will know they can't go downloading porn or music at work.
posted by nkyad at 2:05 PM on January 6, 2006
But I agree the best and easiest way to do something about it is configuring the firewall/router to allow only some kinds of traffic. You see, if your job "involves administering the office LAN" you will eventually have to "delve into server internals or router/firewall configurations". The sooner the better.
And just a reminder: P2P, specially torrents, are becoming more and more common as a distribution channel for legitimate applications. In the end, this problem will have to be solved at another level (human resources and office rules) because the technology will be needed. The same way people know they can't go visiting porn sites at work, they will know they can't go downloading porn or music at work.
posted by nkyad at 2:05 PM on January 6, 2006
Are you set up as a domain or as a workgroup?
posted by voidcontext at 2:07 PM on January 6, 2006
posted by voidcontext at 2:07 PM on January 6, 2006
I'm with nykad, just clean their PCs up and don't let them install anything.
posted by poppo at 2:57 PM on January 6, 2006
posted by poppo at 2:57 PM on January 6, 2006
Response by poster: Thank you all for your suggestions thus far.
voidcontext - we are set up as a domain
nkyad - You see, if your job "involves administering the office LAN" you will eventually have to "delve into server internals or router/firewall configurations".
LAN administration is really only a small part of my job. Blocking P2P traffic isn't an urgent matter, but it's something that I would like to do if there is a quick and easy solution.
In the end, this problem will have to be solved at another level (human resources and office rules) because the technology will be needed.
Good point. This is another reason why it would be just as good if I could diagnose P2P traffic. I could keep the diagnostic tool running, and check the logs every so often, approaching users on a case-by-case basis.
Does anybody know of such a tool?
posted by Afroblanco at 3:15 PM on January 6, 2006
voidcontext - we are set up as a domain
nkyad - You see, if your job "involves administering the office LAN" you will eventually have to "delve into server internals or router/firewall configurations".
LAN administration is really only a small part of my job. Blocking P2P traffic isn't an urgent matter, but it's something that I would like to do if there is a quick and easy solution.
In the end, this problem will have to be solved at another level (human resources and office rules) because the technology will be needed.
Good point. This is another reason why it would be just as good if I could diagnose P2P traffic. I could keep the diagnostic tool running, and check the logs every so often, approaching users on a case-by-case basis.
Does anybody know of such a tool?
posted by Afroblanco at 3:15 PM on January 6, 2006
If you're looking to detect P2P traffic, or any other naughty traffic, one method is with an Intrusion Detection System. Snort is a popular one. But it's going to involve setup and administration. And you'll need to determine what rules to enable and really what you want your companies network security policy to be.
Even though they're called intrusion detection systems, most of them will also detect anomalous outgoing traffic.
But this wouldn't really be an easy solution. If you're looking for an easy solution, hire somebody to come in and clamp down your firewall and maybe outsource intrusion detection.
posted by formless at 4:23 PM on January 6, 2006
Even though they're called intrusion detection systems, most of them will also detect anomalous outgoing traffic.
But this wouldn't really be an easy solution. If you're looking for an easy solution, hire somebody to come in and clamp down your firewall and maybe outsource intrusion detection.
posted by formless at 4:23 PM on January 6, 2006
Best answer: I'm not really sure how to offer a better answer then what anyone else has already offered. I do, however, have some advice.
Be open and honest with your users from the get go about the whole thing. I was surprised how many of my users really had a false since of privacy when it came to their work computers. They need to know that since you are the administrator, everything they do and store on their work computers is accessible to you. That sort of privilege (and responsibility) is part of the job title.
Also make it clear that you aren't going to waist your time playing big-brother to your fellow employees, but something like a P2P application is going to stir your interest. As well as burning company hours all day on some web site.
That way if you do have to come down on a user they don't get upset when they "feel like their privacy has been invaded."
Speaking from personal experience here.
posted by nickerbocker at 5:33 PM on January 6, 2006
Be open and honest with your users from the get go about the whole thing. I was surprised how many of my users really had a false since of privacy when it came to their work computers. They need to know that since you are the administrator, everything they do and store on their work computers is accessible to you. That sort of privilege (and responsibility) is part of the job title.
Also make it clear that you aren't going to waist your time playing big-brother to your fellow employees, but something like a P2P application is going to stir your interest. As well as burning company hours all day on some web site.
That way if you do have to come down on a user they don't get upset when they "feel like their privacy has been invaded."
Speaking from personal experience here.
posted by nickerbocker at 5:33 PM on January 6, 2006
Best answer: nickerbocker : "As well as burning company hours all day on some web site."
With the added benefit of scaring your fellow workers away from the said web site, so you can keep burning your company hours here. There you are, your bonus answer, BOFH 101.
posted by nkyad at 6:10 PM on January 6, 2006
With the added benefit of scaring your fellow workers away from the said web site, so you can keep burning your company hours here. There you are, your bonus answer, BOFH 101.
posted by nkyad at 6:10 PM on January 6, 2006
I second the PacketShaper. It's designed for that, and does an excellent job of distinguishing P2P from other stuff.
posted by RikiTikiTavi at 9:15 PM on January 6, 2006
posted by RikiTikiTavi at 9:15 PM on January 6, 2006
Best answer: If you're looking for something free, ethereal will do a pretty good job of showing all the activity on your network. I bet it'd run great under OS X.
posted by ph00dz at 7:14 AM on January 7, 2006
posted by ph00dz at 7:14 AM on January 7, 2006
Best answer: I think that a candid approach to the emplyees is the first step here. Knowing how frustrating it is to have to clean up a badly infected system - and also knowing as an end user how frustrating it is to be locked out of making changes to the computer I use daily - I think that personal intervention can go a long way as a first step.
If you simply lock down all the machines people will find a way around it (sure I can't install this program locally, but I can run it off of my thumb drive...). If you leave the machines open and set up complicated filtering rules you're going to piss off people who have some favorite program or other blocked at the level of the server. If you explaion what the issue is first, and then set up a combination of the two (milder lockdown, less restrictive filter rules) you might be able to find a happy medium. Plus, you have a documented session in which yoiu have explained to everyone what is and is not acceptable use of the network. Makes it easier to reprimand abusers if necessary.
posted by caution live frogs at 11:02 AM on January 7, 2006
If you simply lock down all the machines people will find a way around it (sure I can't install this program locally, but I can run it off of my thumb drive...). If you leave the machines open and set up complicated filtering rules you're going to piss off people who have some favorite program or other blocked at the level of the server. If you explaion what the issue is first, and then set up a combination of the two (milder lockdown, less restrictive filter rules) you might be able to find a happy medium. Plus, you have a documented session in which yoiu have explained to everyone what is and is not acceptable use of the network. Makes it easier to reprimand abusers if necessary.
posted by caution live frogs at 11:02 AM on January 7, 2006
Isn't the concept of a LAN and P2P transactions pretty much the same thing? Easiest way (you didn't say smartest) would be to disconnect the LAN altogether or fire everyone ;-P
posted by vanoakenfold at 12:21 PM on January 7, 2006
posted by vanoakenfold at 12:21 PM on January 7, 2006
Response by poster: Thanks for the help, guys. I'm going to have to look into ethereal. Packeteer looks good, but it seems like somewhat of a heavy-duty solution for my purposes.
PS - thanks for the BOFH links, nkyad! They made me laugh.
posted by Afroblanco at 8:42 PM on January 7, 2006
PS - thanks for the BOFH links, nkyad! They made me laugh.
posted by Afroblanco at 8:42 PM on January 7, 2006
This thread is closed to new comments.
My guess is that the best you could do is set up firewall rules to block known protocols that you disapprove of, and keep updating that list as the set of popular protocols changes.
posted by hattifattener at 1:20 PM on January 6, 2006