02-01-2012 02:30 AM - edited 03-11-2019 03:22 PM
Hi, does anyone know why it is nigh impossible to block BitTorrent with the ASA firewall? We have an ASA 5520 running 8.4 IOS.
But (correct me if I'm wrong) the router-based IOS firewall allows this functionality? Whether CBAC, class maps, etc.
02-01-2012 03:49 AM
BitTorrent and many other P2P programs are quite smart about not getting blocked, using many mechanisms:
- random source and destination ports
- payload encryption
- tunneling/piggybacking on top of HTTP
- UPnP usage
It's almost impossible to completely block all P2P activity save for deep packet inspection and looking for patterns.
There are almost no reasonably effective STATIC mechanisms to block P2P (IPS devices will have some luck with signatures, but may not be able to match patterns if encryption is used).
The most successful block I saw was a default deny policy for LAN users + proxying of HTTP/HTTPS :-)
TL;DR: BitTorrent uses lots of different tricks to avoid detection. You may be able to block some activity with static methods, but it's trickier to do it completely.
02-02-2012 04:14 AM
I think I was able to effectively block it using a Service Policy.
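The two approaches suggested in this thread (a default deny policy with a proxy, and a service policy) can be combined on the ASA as sketched below. This is an added illustration, not configuration posted in the thread or supplied by Cisco, and it assumes an invented layout: LAN 10.0.0.0/24 on the "inside" interface, a DNS server at 10.0.0.53, and an HTTP/HTTPS proxy at 10.0.0.10 on port 3128. Object names such as INSIDE_IN, BT_TRACKER, BT_CLIENTS and BT_HTTP_POLICY are made up. The regex-based HTTP inspection only ever sees cleartext HTTP on the inspected port, so encrypted peer connections, UDP trackers and DHT never match it; the default-deny ACL in the first part is what actually stops those.

```text
! --- Part 1: default deny for LAN users, only DNS and the proxy are reachable ---
! (constructed addresses; adjust to the real LAN, resolver and proxy)
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 host 10.0.0.53 eq domain
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 host 10.0.0.10 eq 3128
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! --- Part 2: MPF service policy dropping obvious BitTorrent over cleartext HTTP ---
! tracker announce URIs carry both an info_hash and a peer_id parameter
regex BT_TRACKER "info_hash=.*peer_id="
! a few well-known client User-Agent strings (easily spoofed, so a weak signal)
regex BT_CLIENTS "[Bb]it[Tt]orrent|uTorrent|Transmission|Deluge"

class-map type regex match-any BT_UA_CLASS
 match regex BT_CLIENTS

class-map type inspect http match-any BT_HTTP
 match request uri regex BT_TRACKER
 match request header user-agent regex class BT_UA_CLASS

policy-map type inspect http BT_HTTP_POLICY
 parameters
 class BT_HTTP
  drop-connection log

! HTTP inspection is not part of the default global policy, so it is added here
policy-map global_policy
 class inspection_default
  inspect http BT_HTTP_POLICY
service-policy global_policy global
```

After applying it, `show service-policy inspect http` reports hit counts for the drop action, and the `log` keyword produces syslog entries for each dropped connection, which is the quickest way to confirm the regexes fire on real tracker traffic and to notice that encrypted peers are not being caught.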