RE: [ISSForum] P2P applications and IDS/IPS

[Timoteo Menezes]

Title: Message

Hi all…   We also implemented such a packet shaping solution (Packeteshaper) in a university campus and we could reduce the p2p traffic to minimum optimizing critical traffic! This because Packetshaper is currently the best layer 7 analyser/sniffer/shaping solution I know and his very good at classifying traffic/applications.   BTW Jeffrey about the congestion you can build a policy with packetshaper giving priorities to traffic and as you may know and with partitions you can guarantee mission-critical traffic data always get a defined amount of bandwith (sure we have to have a good design and we have to have some considerations about udp traffic, but is feasable).   For non-critical traffic data like p2p, one just need to create a policy with a partition of (lets say) 64 kbps ;-) with best effort or even reduce it to a minimum that will pratical be almost like a drop ;-)  (yes, but isn’t a fw, I know!)   Overall, the solution meet & exceeded the customer needs!   Just my 10c Cheers,   Timoteo Menezes ParaRede, Electronic Business Solutions eSecurity Business Unit [EMAIL PROTECTED] * www.pararede.com     -----Original Message----- From: Jeffrey Kok Chew Mun [mailto:[EMAIL PROTECTED]] To: Beker Eli; [EMAIL PROTECTED] Subject: RE: [ISSForum] P2P applications and IDS/IPS   Hi,   We stumbled onto a traffic shaping device called Packetshaper from Packeteer which did a pretty good job in classifying traffic based on applications (instead of ports). What we did was to deny or limit traffic coming from undesirable applications like Kazaa, Gnutella, iMesh, etc. In fact, it did a pretty good job in filtering nimda and codered as well. Since the deployment of the Packetshaper, we have had almost zero complaints about copyright issues and all.   This worked very well for our campus but there are some limitations though. A traffic shaping devices isn't built like a FW. In case of congestion, the traffic shaping devices will pass traffic instead of drop which is the opposite of a FW which will drop traffic.   Hope this helps.   cheers, Jeffrey Kok National University of Singapore -----Original Message----- From: Beker Eli [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 04, 2002 5:35 PM Subject: [ISSForum] P2P applications and IDS/IPS Hi, Lately we are facing more and more P2P applications, exposing the corporate internal networks to unknown external access. some of the applications require a detailed installation with username and passwds, like GoToMyPC https://www.gotomypc.com/ and ViAir WirelessInbox http://www.viair.com/products_WI.htm but there might be some, that probably run out of the box, like Kazza and others. The common denominator of all those programs are they use well known open ports on the corporate firewall, such as http, https or ftp. they automatically switch between the ports to find an open one. and some of them can even pass proxy servers. This is not new to the security community, we all remember the famous ping tunneling, ssh, https and http tunneling where the idea is almost the same. the difference, which doesn't make it better, was that internal users did in purpose to their systems outside the network. and today's applications, are using a 3ed unauthorized party "Broker" to set the connection. I believe that a strict corporate policy should eliminate part of the problem, but still we've to stand guard and catch the security violators. I would like to hear what you are doing and what can be done to mitigate this problem? maybe adding another section to RS, like back doors, for P2P applications? Regards, Eli Beker Comverse