
Given a public WiFi hotspot behind an ISA Server and a single Internet address, which rules or content filters would be useful to achieve this configuration?

  • Allow anonymous users to surf the web, chat over IM, and connect to their different workplace VPNs

  • Restrict Bittorrent and other P2P clients from attracting the attention of MediaSentry and others.

What sort of tests will show if an ISA firewall policy is sufficient? For example, with the uTorrent client, you can configure the port used (for incoming connections?), so will changing to port 80 show you if P2P traffic is getting through?

The top P2P networks appear to be Bittorrent, DC++, eDonkey and Usenet.

nray
  • I'd say it would be easier to block MediaSentry et al. than to block p2p. Also, from a user point of view, a much more sensible approach. Just my personal opinion, though. – Kimvais Mar 24 '10 at 07:04
  • @Kimvais I'm assuming the aim of this is to stop user downloading torrents, not just to stop them getting caught. – Sam Cogan Mar 24 '10 at 09:30
  • 1
    @Kimvais @Sam Cogan - Kimvais has a point in that the threat is actually the attention from outside. One needs to make best efforts to restrict the use of P2P, but the threat doesn't go away until MediaSentry et al. can no longer detect the external IP address as seeding material. – nray Mar 24 '10 at 10:22

3 Answers

3

Blocking p2p could be more of a hindrance than a help. Look into blocking specific trackers or nodes rather than trying to block the ports from your users.

  • Blocking P2P is exactly what we need to do. Like a lot of system administration, the devil is in the details, but identifying and allowing desired traffic is what ISA server policy is about, to some extent. – nray Apr 27 '10 at 10:40
  • Blocking specific nodes or trackers is a bit like identifying viruses with signature files - there's a constant need for updating, and how do you know you're blocking the right ones? There's lots of good discussion in the forums on slyck.com about whether Peer Guardian-style blocklists are enough. – nray Apr 27 '10 at 10:48
1

You can use a signature match, for example, "application/x-bittorrent" (see here) to block the download of .torrent files - not a total solution, but at least a start.

You can also remove/block tracker sites from DNS - OpenDNS for instance will allow you to block torrent sites, or you can just make your own list. Torrent clients may use DNS to contact trackers, so blocking it will make a bit of difference. Again, it's not a total solution, as torrent files might use IP addresses, users may set entries in their hosts file, and distributed technologies like DHT will circumvent it.

Jon Rhoades
  • The threat is mainly from the continued sharing of files _after_ the initial .torrent download, so this would stop someone from starting a new torrent, but not from continuing to share something started on another network. – nray May 14 '10 at 10:41
  • Thanks for the tip on OpenDNS, as it would be possible to restrict DNS traffic from the public WiFi network to OpenDNS with blocking enabled - I'm going to follow this up. – nray May 14 '10 at 10:43
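Why the MIME signature match is only a start, as an added example that is not part of the answer above: a small Python classifier that flags a .torrent download by its Content-Type header and, when the server mislabels the file, falls back to checking the bencoded structure of the body. The HTTP responses below are constructed samples, not captured traffic.

```python
# Added example (not from the answer above). Classifies an HTTP response as a
# .torrent download by Content-Type, with a fallback on body structure.
TORRENT_MIME = "application/x-bittorrent"


def is_bencoded_torrent(body: bytes) -> bool:
    """Heuristic structural check: a .torrent file is a bencoded dictionary
    ('d' ... 'e') whose 'info' dictionary carries 'piece length' and 'pieces'.
    Bencode strings are length-prefixed, so the keys appear literally."""
    if not body.startswith(b"d") or not body.rstrip().endswith(b"e"):
        return False
    return (b"4:info" in body
            and b"12:piece length" in body
            and b"6:pieces" in body)


def parse_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def classify(raw: bytes) -> str:
    """Return 'block:mime', 'block:content' or 'allow' for one response."""
    headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == TORRENT_MIME:            # the signature match from the answer
        return "block:mime"
    if is_bencoded_torrent(body):        # mislabelled file, caught by content
        return "block:content"
    return "allow"


# Constructed sample bodies: a minimal torrent-shaped bencode dict and HTML.
TORRENT_BODY = (b"d8:announce20:http://tracker.test/4:infod12:piece length"
                b"i16384e6:pieces20:" + b"\x00" * 20 + b"ee")
LABELLED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-bittorrent\r\n\r\n"
            + TORRENT_BODY)
MISLABELLED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
               + TORRENT_BODY)
HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
```

A MIME-only filter lets the second sample through; the structural fallback catches it, while the HTML page is still allowed.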
-2

WiFi hotspot Internet access rule

Allow only the following protocols from the WiFi network to the Internet, deny everything else.

Surf the web

  • DNS
  • HTTP
  • HTTPS

Check Email

  • POP3
  • IMAP4
  • IMAPS

Chat over IM

  • ICQ
  • MSN Messenger
  • IRC

Work over VPN

  • IKE Client
  • PPTP
  • L2TP Client
  • IPSec NAT-T Client
  • (User-defined) Cisco VPN : Port 10000 UDP/TCP
  • SSH

User-defined protocol "Cisco VPN"

Create a new protocol to allow Cisco IPSec VPN connections:

  • Port 10000 UDP
  • Port 10000 TCP

nray
  • That won't do what you're after simply because P2P can run over any port. – John Gardeniers Mar 24 '10 at 12:05
  • @John Gardeniers - So could you define content filters which would restrict a given port to something like its intended traffic? – nray Mar 24 '10 at 12:52
  • 2
    Trying to prevent P2P is at best a losing battle. The only thing that will come close to your objective is to do as Kimvais says and block those IP addresses you want to keep out, such as those belonging to MediaSentry. You may want to look into making use of something like PeerBlock (http://www.peerblock.com). I can't see why it wouldn't work if run on the ISA box, even though it's normally run on the client machine. – John Gardeniers Mar 24 '10 at 13:48
  • During testing with uTorrent these rules blocked P2P traffic, even when configured to use one of the allowed ports. – nray Apr 27 '10 at 10:50