Blocking peer-to-peer using Cisco IOS NBAR

Cisco IOS routers support application-level traffic classification through the Network Based Application Recognition (NBAR) feature. NBAR looks beyond the Layer 3/4 headers and recognises the application carried in the payload, which brings application awareness to the router itself. It is most often used to classify mission-critical applications so that Quality of Service policies and bandwidth guarantees can be applied to them.

Another useful application of NBAR is identifying and blocking peer-to-peer file-sharing traffic, which is hard to restrict with plain Access Control Lists: these clients switch to arbitrary ports, or to well-known ones such as 80 and 443, to get past port-based firewall rules and ACLs. Because NBAR classifies on application-layer signatures rather than port numbers, it catches them whatever port they use. Two caveats apply: NBAR classifies a flow from its first packets, so the policy must be applied where a session's initial packets cross the router, and it cannot inspect encrypted payloads, so clients that enable protocol encryption or tunnel through a VPN will not be recognised by signature.

The protocols and applications NBAR can recognise depend on the IOS version you are running. If your IOS does not support a particular application, you can download an additional Packet Description Language Module (PDLM) from Cisco, copy it to the router's flash and load it with:

router(config)# ip nbar pdlm flash://pdlm-name.pdlm

Use show ip nbar pdlm to list the loaded modules and show ip nbar version to see their versions. (Later IOS and IOS-XE releases with NBAR2 replace PDLMs with Protocol Packs, loaded with ip nbar protocol-pack.) To see which protocols your current IOS recognises, enter class-map configuration mode and type match protocol ? to list the available keywords.

Let's see an example configuration below:

! Assume the following P2P applications are not recognised by the running IOS
! and we have downloaded the appropriate PDLMs to flash

Router(config)# ip nbar pdlm flash://kazaa2.pdlm
Router(config)# ip nbar pdlm flash://bittorrent.pdlm
Router(config)# ip nbar pdlm flash://gnutella.pdlm
Router(config)# ip nbar pdlm flash://eDonkey.pdlm

! Configure a class map to identify the traffic. It must be match-any:
! a packet belongs to a single protocol, so match-all would never match.

Router(config)# class-map match-any peer-to-peer
Router(config-cmap)# match protocol gnutella
Router(config-cmap)# match protocol kazaa2
Router(config-cmap)# match protocol napster
Router(config-cmap)# match protocol fasttrack
Router(config-cmap)# match protocol edonkey
Router(config-cmap)# match protocol bittorrent

! Apply an action to the classified traffic using a policy map

Router(config)# policy-map drop-peer-to-peer
Router(config-pmap)# class peer-to-peer
Router(config-pmap-c)# drop

! Apply the policy inbound on the interface facing the internal LAN.
! ip nbar protocol-discovery additionally collects per-protocol statistics
! on the interface, which you can view with show ip nbar protocol-discovery.

Router(config)# interface FastEthernet0/0
Router(config-if)# ip nbar protocol-discovery
Router(config-if)# service-policy input drop-peer-to-peer
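The configuration above only inspects traffic entering the router from the LAN, so a session that a remote peer opens towards an internal host enters on the Internet-facing interface and is never classified. The following is an added example, not part of the original post: the same class map applied inbound on both interfaces, followed by the show commands used to confirm that the policy is actually matching and dropping. It assumes FastEthernet0/0 faces the LAN, FastEthernet0/1 faces the Internet, and that the running IOS image (or loaded PDLMs) recognises the protocol names used, including winmx and directconnect, which are not in the original list.

```cisco
! Added example, not from the original post. Assumes FastEthernet0/0 faces
! the LAN, FastEthernet0/1 faces the Internet, and that the image or loaded
! PDLMs recognise every protocol keyword below.

! Exec mode: confirm which PDLMs and protocols the image knows before
! referencing them in a class map
show ip nbar pdlm
show ip nbar version

! match-any is required: a packet is classified as one protocol, so a
! match-all class with several match protocol lines would never match
class-map match-any peer-to-peer
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol napster
 match protocol winmx
 match protocol directconnect

policy-map drop-peer-to-peer
 class peer-to-peer
  drop
 class class-default
  ! everything not classified as peer-to-peer is forwarded unchanged

! LAN side: drops sessions and searches initiated by internal hosts
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input drop-peer-to-peer

! Internet side: drops sessions initiated by remote peers towards internal hosts
interface FastEthernet0/1
 ip nbar protocol-discovery
 service-policy input drop-peer-to-peer

! Exec mode: per-class match and drop counters for each policy attachment,
! then the busiest protocols NBAR has seen on the LAN interface
show policy-map interface FastEthernet0/0 input
show policy-map interface FastEthernet0/1 input
show ip nbar protocol-discovery interface FastEthernet0/0 top-n 10
```

If show policy-map interface reports zero matches while protocol discovery shows P2P protocols on the interface, the policy is attached in the wrong direction or the flows were already established before the policy was applied; NBAR classifies from the first packets of a flow, so long-lived sessions started earlier will not be caught until they restart.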

One Response to 'Blocking peer-to-peer using Cisco IOS NBAR'

  1. Aakil - August 31st, 2010 at 8:36 am

    I found this article very accurate and useful too for those students and security professionals who are implementing application layer security services on a Layer 3 device.

    With NBAR the PDLM feature is very useful.

    Kind Regards,
    Aakil

