BT blocking using ASA

yong khang NG · ‎09-29-2010

Hi Forum People, greeting.

I have an ASA 5510 with SSM CSC, i only using inside interface connect to LAN, outside interface connect to Border Router.

My motive is would like to block user from inside interface using Bit Torrent related application to download anything from outside.

I manage to use SSM CSC to URL Blocking user using broswer to surf any Torrent related website, so user cannot goto Torrent related website to find the seed.

Then now I testing using vuze BT tracker application, it still can able to penetrate and download from other end peer.

I showing the action list I done before:

First, I using MPF to filter the traffic.

regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"

!

object-group service BitTorrent-Tracker tcp

description TCP Ports used by Bit Torrent for tracker communication

port-object eq 2710

port-object eq 6969

!

object-group service Blocked-UDP-Ports udp

description All ports blocked for Bit Torrent UDP DHT

port-object range 10001 65535

port-object range 1024 5554

port-object range 5600 9999

!

access-list DENY-BT extended deny tcp any any object-group BitTorrent-Tracker log warnings

access-list DENY-BT extended deny udp any any object-group Blocked-UDP-Ports log warnings

access-list DENY-BT extended permit tcp any any

access-list DENY-BT extended permit udp any any

access-list DENY-BT extended permit icmp any any echo

!

class-map http_traffic

match port tcp eq www

!

class-map type inspect http match-all bit-torrent-tracker

description Bit Torrent Tracker communication

match request args regex bit-torrent-tracker

match request method get

!

policy-map type inspect http Drop-P2P

description Drop protocol violations Bit Torrent Tracker traffic

parameters

protocol-violation action drop-connection log

class bit-torrent-tracker

drop-connection log

!

policy-map global_policy

class http_traffic

inspect http Drop-P2P

!

service-policy global_policy interface inside

!

access-group DENY-BT out interface inside

attach the snapshot on the ASDM service policy rules

idea needed, i need to kill this vuze to download..

Magnus Mortensen · ‎09-29-2010

Yongkhang,

What do you see if you load wireshark on your computer and then launch vuze? What TCP/UDP/Etc connections are made by the application that are not yet blocked? Make sure you close any other programs so the only network activity is from the VUZE application on your computer. Once you identify what ports/protocols VUZE uses, then you can proceed to ACL them off.

- Magnus

yong khang NG · ‎09-30-2010

Hi Magnus,

Thanks for the advice. as i strengthen the ACL rule, with wider range of UDP port-range from 10000-65535. Traffic is tear down and after certain period, the transaction time out and can't success donwload.

Just have few more thing to check with you.

Q1. is it possible ASA to scan encrypted traffic?

thank

Panos Kampanakis · ‎10-01-2010

Unfortunatelly the ASA cannot inspect https or encrypted traffic because we would not be able to look into the messages since they are encrypted.

I hope it makes sense.

PK