blocking certain application / protocol traffic

Unanswered Question
Oct 22nd, 2007
I have started tinkering with SDM and noticed that it has a feature for Netflow and Application/Protocol Traffic displays. I have been using my internet router as the test subject. I noticed that there appears to have been traffic such as edonkey, gnutella and vdolive applications the router had detected. Is there a way I can narrow down the usage of this traffic or block it on the router? I am running a feature set that allows firewall and IPS on the router.


Would it be better to block this traffic on the 4506 before it hits the PIX and the router, or simply block it on the router? I am thinking the router would be better because of the difference in processing power and the like.


Does the IPS feature set on the router work in an inline mode that I could use to block or manage the unwanted traffic?

mattiaseriksson Tue, 10/23/2007 - 07:00

You don't need IPS; it is much easier to use NBAR on your outside router (or any router between the source host and the Internet connection). NBAR can match specifically on p2p connections, which can then either be dropped completely or rate-limited.


A sample IOS router NBAR configuration to drop Gnutella packets:

class-map match-any p2p
 ! the file-transfer argument is a regex and must be quoted in IOS
 match protocol gnutella file-transfer "*"
!
policy-map block-p2p
 class p2p
  drop
!
! to take effect, bind the policy to an interface, e.g.
!   service-policy input block-p2p
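A fuller NBAR policy covering the protocols named in the question, with a hard drop for p2p file sharing and a rate limit for the streaming protocol, plus the interface binding and the commands to verify it is working. This is an added example, not the poster's configuration; the interface name and the police rate are assumptions.

```ios
! Added example (not from the original post). Interface names and the
! 256 kbps police rate are assumptions; adjust for your router.
!
! NBAR requires CEF switching.
ip cef
!
! Protocol discovery on the inside interface shows what is actually
! flowing before anything is blocked (same data SDM displays).
interface FastEthernet0/0
 description Inside LAN (assumed name)
 ip nbar protocol-discovery
!
! One class per treatment: p2p file sharing is dropped outright,
! streaming (vdolive) is rate-limited rather than blocked.
class-map match-any p2p-drop
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol bittorrent
!
class-map match-any streaming-limit
 match protocol vdolive
!
policy-map block-p2p
 class p2p-drop
  drop
 class streaming-limit
  police 256000 conform-action transmit exceed-action drop
!
! Apply inbound on the inside interface so the traffic is discarded
! on the router before it is forwarded toward the PIX and the Internet.
interface FastEthernet0/0
 service-policy input block-p2p
!
! Verification (enable mode):
!   show ip nbar protocol-discovery interface FastEthernet0/0 top-n 10
!   show policy-map interface FastEthernet0/0
!   show class-map p2p-drop
```

The policy-map counters from `show policy-map interface` are the quickest way to confirm that the drop and police classes are actually matching packets.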
