Cisco Support Community

New Member

Can I block the new LimeWire with TLS using an ASA or IDS/IPS

or even the edge router?

8 REPLIES

Re: Can i block the new limewire with tls using an ASA or IDS/IP

With the ASA you can block using the MPF. Here's a config example for blocking P2P.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

Re: Can i block the new limewire with tls using an ASA or IDS/IP

Thinking about this some more, you can also block at your edge router using NBAR. Depending on your traffic levels and the router platform, that may not be feasible.

New Member

Re: Can i block the new limewire with tls using an ASA or IDS/IP

I'm not sure that the PIX will block the TLS-encrypted traffic (LimeWire/Gnutella). Any suggestions for that?

Re: Can i block the new limewire with tls using an ASA or IDS/IP

It's encrypted?

New Member

Re: Can i block the new limewire with tls using an ASA or IDS/IP

That's what they are reporting.

"Though the NIO Socket tutorial showed you how to connect to sockets and non-blocking transmit data across channels, you might want more security in the socket connections. Transport Layer Security, TLS, (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) which provides secure communications on the Internet for data transfers is represented in the LimeWire NIO via the TLSNIOSocket class. "

Re: Can i block the new limewire with tls using an ASA or IDS/IP

Wow, if it's encrypted at the Transport layer, there isn't much you can do. Does the application query limewire.com to get the seeders info? Maybe a packet capture will help in determining what the app initially does so you can block it.

Cisco Employee

Re: Can i block the new limewire with tls using an ASA or IDS/IP

I'm not about to start speaking for the signature team here at Cisco, but you can "sometimes" do something with encrypted data. Cisco IPS has had (technically still does) signatures that are based on traditional cryptographic traffic analysis. A packet capture is the place to start...preferably under controlled conditions so that you can positively eliminate "other" traffic. In fact, a bunch of packet captures are usually better. Comparing all the captures, you have to look for patterns and trends. Things like predictable packet contents at certain offsets and packet exchange series of intermediate length, say 5 or 6 in each direction, for which there is some repeatable characteristic across all of the packet captures.

Let's say you find something, then what? Depending on what you find, you can write a series of Atomic IP or Multistring, or String TCP (to name the top 3) signatures and combine them using one or two layers of Meta. You might also be able to write a Service Generic signature (I wouldn't try this without Cisco's signature team's help). Ultimately, Cisco could hard code a signature into P2P (that's what that engine is for) that would directly process packets.

I realize this doesn't provide an answer to the topic's thread, but I thought I'd let you know that encryption doesn't automatically equate to impossible. It might, it might not...depends on how clever each side is ;-)

Scott Cothrell

Cisco IPS Dev.
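As an added example (not code from any poster in this thread), here is the controlled-capture comparison Scott describes: across several captures of one encrypted flow, find the bytes that sit at the same offset every time and the client/server exchange sequence all captures share, then require both to hit the way a Meta signature combines its components. The captures, byte values and length-class thresholds are constructed assumptions, not real LimeWire traffic.

```python
from itertools import takewhile

def _capture(tag, last_len):
    """One constructed capture of a hypothetical TLS-wrapped P2P handshake, as a list of
    (direction, payload) with "c" = client->server and "s" = server->client; `tag` varies
    the session-specific bytes and `last_len` the size of the final record."""
    v = bytes([tag])
    return [("c", b"\x16\x03\x01\x00\x41\x01\x00\x00\x3d\x03\x01" + v * 10),
            ("s", b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26" + v * 8),
            ("c", b"\x17\x03\x01\x00\x20" + v * 32),
            ("s", b"\x17\x03\x01\x00\x5f" + v * last_len)]

# Three captures of the same application taken under controlled conditions (constructed data).
CAPTURES = [_capture(0xA1, 95), _capture(0xB2, 95), _capture(0xC3, 85)]

def fixed_bytes(payloads):
    """Offsets whose byte is identical in every payload: candidate String/Atomic content."""
    span = min(len(p) for p in payloads)
    return {i: payloads[0][i] for i in range(span) if all(p[i] == payloads[0][i] for p in payloads)}

def bucket(length):
    """Coarse length class (assumed thresholds) so record-size jitter does not break the pattern."""
    return "S" if length < 32 else "M" if length < 256 else "L"

def exchange_pattern(capture, depth=6):
    """Direction and length class of the first `depth` packets."""
    return tuple((d, bucket(len(p))) for d, p in capture[:depth])

def shared_pattern(captures, depth=6):
    """Longest leading exchange sequence common to all captures."""
    steps = takewhile(lambda s: len(set(s)) == 1, zip(*(exchange_pattern(c, depth) for c in captures)))
    return tuple(s[0] for s in steps)

def candidate_features(captures, depth=6):
    """Shared exchange pattern plus, per packet index, the bytes fixed across all captures."""
    n = min(min(len(c) for c in captures), depth)
    return {"pattern": shared_pattern(captures, depth),
            "fixed": {i: fixed_bytes([c[i][1] for c in captures]) for i in range(n)}}

def matches(capture, features):
    """Combine the components the way a Meta signature would: every one must hit."""
    pattern = features["pattern"]
    if exchange_pattern(capture, len(pattern)) != pattern:
        return False
    for idx, fixed in features["fixed"].items():
        payload = capture[idx][1] if idx < len(capture) else b""
        if any(i >= len(payload) or payload[i] != b for i, b in fixed.items()):
            return False
    return True
```

Run `candidate_features(CAPTURES)` on the constructed captures and feed `matches` a fresh capture to see which components hold up; any feature that is an artifact of one session will show as a mismatch.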

Re: Can i block the new limewire with tls using an ASA or IDS/IP

Good to know Scott, thanks. I guess I was looking at it more from the firewall/router side as I'm still working on my IDS knowledge.
