SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  blocking torrent and p2p traffic

    Posted 06-18-2010 11:09

    Hey all,

     

    What is the best way of preventing torrents and other p2p traffic on the Juniper SRX series? As of right now I only know two methods:

    1. Block P2P and torrent ports coming from trust to untrust. But this allows users to change their torrent ports and use a random higher port for torrent transfer.

    2. Same as step one, but block all ports and exclude ports that are used for production. Of course this would be a pain to gather and manage, but it should work.

    Is there any other method, by using web filtering etc.? If there is, please let me know.

    Thanks

    G



  • 2.  RE: blocking torrent and p2p traffic

    Posted 06-18-2010 11:59

    Did you look into IDP? That might be the best idea.  The 3K and 5K support application recognition, not sure about the branch models.



  • 3.  RE: blocking torrent and p2p traffic



  • 4.  RE: blocking torrent and p2p traffic

    Posted 06-22-2010 09:23

    Hi Screenie,

    I set an IDP policy from my trust to untrust zone to drop all P2P packets. I set IP action to block and IP target to service.

    I ran two torrent applications: uTorrent and BitComet.

    Both were still able to connect to peers and download files.

    Any other suggestions?



  • 5.  RE: blocking torrent and p2p traffic

    Posted 06-23-2010 19:03

    The most strict control method is the 2nd one you list at the top, and it's also the most effective way, with no performance impact.

    Or change to another idea: block the famous P2P ports and port numbers higher than 10000 as the default setting, and then permit known non-P2P ports higher than 10000 when needed.



  • 6.  RE: blocking torrent and p2p traffic

    Posted 06-24-2010 11:53

    In Junos, how do I restrict ports 10,000 and above? I know how to deny specific services but not a port range.


  • 7.  RE: blocking torrent and p2p traffic

    Posted 06-24-2010 12:07

    Hello,

    You could do it with an output firewall filter assigned to interfaces:

    set firewall family inet filter blk1 term 1 from destination-port 10001-65535
    set firewall family inet filter blk1 term 1 then discard
    set firewall family inet filter blk1 term 2 then accept

    This will block both TCP and UDP port range 10001-65535.

    HTH

    Regards

    Alex



  • 8.  RE: blocking torrent and p2p traffic

    Posted 06-24-2010 15:34

    Thanks Alex!



  • 9.  RE: blocking torrent and p2p traffic

    Posted 06-24-2010 15:45

    Can I apply this to a policy rule from the trust to untrust zone? The reason is that I want to test it on a specific policy first before deploying the policy company wide.
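One way to do this per policy rather than per interface, as an added example that is not from the thread: the port range from Alex's filter becomes a custom application, and a deny policy scoped to a test address-book entry (hypothetical name and subnet) is placed above the general trust-to-untrust permit. Unlike an interface filter, a security policy is stateful, so replies for sessions the SRX has already permitted (for example an internal server answering an external client's ephemeral port) are not caught by the high-port match.

```junos
/* Constructed example, not from the thread: deny destination ports
   10001-65535 (TCP and UDP) from a pilot subnet, trust -> untrust. */
applications {
    application tcp-high-ports {
        protocol tcp;
        destination-port 10001-65535;
    }
    application udp-high-ports {
        protocol udp;
        destination-port 10001-65535;
    }
    application-set high-ports {
        application tcp-high-ports;
        application udp-high-ports;
    }
}
security {
    zones {
        security-zone trust {
            address-book {
                /* hypothetical pilot subnet; replace with the hosts under test */
                address p2p-test-hosts 10.1.1.0/24;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* policies are evaluated top-down: this one must sit above
               the general permit policy, or it is never reached */
            policy deny-high-ports {
                match {
                    source-address p2p-test-hosts;
                    destination-address any;
                    application high-ports;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

If a permit-all policy already exists for the zone pair, move the new one above it with `insert security policies from-zone trust to-zone untrust policy deny-high-ports before policy <existing-permit>`; production services that use ports above 10000 (method 2 in the opening post) get their own permit policy placed above deny-high-ports.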



  • 10.  RE: blocking torrent and p2p traffic

    Posted 07-28-2010 23:05

    szmpradee [Conductor]

    security {
        idp {
            idp-policy block-torrent {
                rulebase-ips {
                    rule 1 {
                        match {
                            from-zone trust;
                            source-address Torrents-Block;
                            to-zone untrust;
                            destination-address any;
                            application default;
                            attacks {
                                predefined-attacks [ P2P:BITTORRENT:HANDSHAKE P2P:BITTORRENT:TRACKER-QUERY P2P:BITTORRENT:BT-TRACKER-DOS P2P:BITTORRENT:TRACKER-SCRAPE P2P:BITTORRENT:CONTENT-TYPE P2P:BITTORRENT:DOT-TORRENT P2P:BITTORRENT:DHT HTTP:STC:BT:CLIENT-VULN P2P:BITTORRENT:BITCOMET-CHUNK ];
                            }
                        }
                        then {
                            action {
                                drop-packet;
                            }
                            ip-action {
                                ip-close;
                                target service;
                                timeout 120;
                            }
                        }
                    }
                }
            }
            active-policy block-torrent;
        }
    }

    raja999@hotmail.com