Cutting P2P off at the knees

Opinion
Mar 12, 2004
Enterprise Applications

Although we have a network policy of not allowing peer-to-peer apps, we keep finding them on the network – and they are taking bandwidth away from other applications that need to use the bandwidth.  What are our options for controlling or keeping these applications at bay?

— Via the internet

You are not alone with this problem.  There are several ways to control it, each with its own pros and cons.  After looking over the options below, you might even decide to try a couple of them together, which gives you a measure of fault tolerance: if one method misses something, the other may catch it.

One approach is to bring some control to your bandwidth usage with a device such as the PacketShaper from Packeteer.  This device sits transparently inline on your network (typically, directly behind your firewall).

The PacketShaper inspects the traffic on the network and categorizes it based on the application signatures or behavior it finds.  Once traffic is categorized, you can decide whether to allow it, allow it only up to a certain rate, or discard it altogether.  As with just about anything, the usefulness of the PacketShaper is only as good as the firmware (and the application signatures that ship with it) installed on the box, so keep the firmware up to date; a client the box has no signature for will not be classified as P2P and will not be shaped as such.

If you have a Cisco router on your network, you can also look at something called NBAR.  NBAR, short for Network Based Application Recognition, classifies traffic by application rather than by port number, and combined with a quality-of-service policy on the router it lets you drop or rate-limit that traffic as it enters or leaves your network.  It is configured from the command line rather than a GUI, as the PacketShaper is, but it does give you a real degree of control.  Recognition for newer applications comes as additional modules (Packet Description Language Modules, or PDLMs) that you copy to the router's flash memory and load with a few extra configuration commands.

Before jumping on this bandwagon, check your router to see how much of the flash and DRAM memory is already in use, because you may need to add more of one or the other to implement NBAR successfully: the PDLMs take flash, and the classification engine takes DRAM.  See the Cisco Web site or place a call to TAC for more information on how to set this up.
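Here, as an added example that is not from the original column, is what the NBAR approach looks like on an IOS router.  It assumes a router with FastEthernet0/0 facing the LAN and Serial0/0 facing the Internet, a TFTP server at 10.0.0.5 holding a PDLM file named bittorrent.pdlm, and an IOS release that supports the `drop` action in a policy map; those are all assumptions, and the protocol names under `match protocol` must exist in your IOS image or loaded PDLMs (check with `show ip nbar version`).

```cisco
! Added example: NBAR drop / police policy on a Cisco IOS router.
! Assumed: Fa0/0 = inside LAN, Se0/0 = Internet, TFTP server 10.0.0.5.
!
! 1. Check flash and DRAM headroom before loading anything.
show version
show memory summary
dir flash:
!
! 2. Load a PDLM for a protocol the base image does not recognize
!    (file name assumed; get the right PDLM from Cisco).
copy tftp://10.0.0.5/bittorrent.pdlm flash:
!
configure terminal
!
! 3. NBAR requires CEF switching.
ip cef
ip nbar pdlm flash://bittorrent.pdlm
!
! 4. Classify the applications we keep finding. match-any = OR of the lines.
class-map match-any P2P-APPS
 match protocol kazaa2
 match protocol fasttrack
 match protocol gnutella
 match protocol edonkey
 match protocol bittorrent
 match protocol winmx
 match protocol directconnect
!
! 5a. Policy that drops P2P outright.
policy-map DROP-P2P
 class P2P-APPS
  drop
!
! 5b. Alternative policy that only rate-limits P2P to 64 kbit/s, for a site
!     that tolerates it but not at the expense of other applications.
policy-map POLICE-P2P
 class P2P-APPS
  police 64000 8000 8000 conform-action transmit exceed-action drop
!
! 6. Apply on the LAN side so both directions are policed before they reach
!    the WAN link (swap in POLICE-P2P to rate-limit instead of drop).
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input DROP-P2P
 service-policy output DROP-P2P
end
!
! 7. Verify: what NBAR sees on the interface, and what the policy is dropping.
show ip nbar protocol-discovery
show policy-map interface FastEthernet0/0
```

`ip nbar protocol-discovery` is worth turning on before you enforce anything: `show ip nbar protocol-discovery` then tells you which applications are actually eating the link, so you can tune the class map to what you really have rather than to a guess.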

The last option I can suggest is to block some of these applications at your firewall by explicitly denying the ports they use from entering or leaving your network.  Like the NBAR solution, this may take some serious CLI work to put in place and maintain, but it may be worth it.
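As an added example of the port-blocking approach (again, not from the column), here is the same idea expressed as an extended access list on an IOS router; a firewall from another vendor expresses the same rules in its own syntax.  It assumes the same interface layout as above, and the port numbers are the commonly documented defaults for these clients, which you should verify against each application's own Web site before relying on them.

```cisco
! Added example: port-based P2P blocking with an IOS extended ACL.
! Assumed: Fa0/0 = inside LAN, Se0/0 = Internet. Port numbers are the
! commonly documented client defaults; verify them against each app's site.
configure terminal
ip access-list extended BLOCK-P2P-PORTS
 remark --- Kazaa / FastTrack default port
 deny   tcp any any eq 1214 log
 remark --- Gnutella defaults
 deny   tcp any any eq 6346 log
 deny   tcp any any eq 6347 log
 remark --- eDonkey defaults (TCP for transfers, UDP for server queries)
 deny   tcp any any eq 4662 log
 deny   udp any any eq 4672 log
 remark --- BitTorrent default listening range
 deny   tcp any any range 6881 6889 log
 remark --- WinMX defaults
 deny   tcp any any eq 6699 log
 deny   udp any any eq 6257 log
 remark --- Direct Connect hub defaults
 deny   tcp any any eq 411 log
 deny   tcp any any eq 412 log
 remark --- everything else stays permitted
 permit ip any any
!
! Inbound on the LAN interface stops inside hosts connecting OUT to peers on
! these ports; inbound on the WAN interface stops outside peers connecting IN
! to inside hosts that are listening on them.
interface FastEthernet0/0
 ip access-group BLOCK-P2P-PORTS in
interface Serial0/0
 ip access-group BLOCK-P2P-PORTS in
end
!
! Hit counters per line show how much each rule is catching.
show access-lists BLOCK-P2P-PORTS
```

The `log` keyword sends each match to syslog, which gives you an inventory of which inside hosts are still running the clients despite the policy; on a busy link it costs router CPU, so drop it once you have that list.  Remember that these rules only match the ports you know about, which is exactly the weakness discussed next.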

What will be challenging with any port-based solution is that more and more P2P apps roam across ports, so the ports you block today may not be the same ports you find in use tomorrow, and some clients will fall back to ports you cannot block without breaking legitimate services.  Signature-based classification, as the PacketShaper and NBAR do it, is less sensitive to this, but only for the applications it has signatures for.  My suggestion in that respect is to go to the Web sites that support these apps and find out what ports and behaviors they document.  You should also watch the security mailing lists to see what others are doing to block the P2P apps you are encountering.