Saturday, August 15, 2015

Endian Firewall - How to limit access to "Peer to Peer networks"

The method below was built and tested for EFW Community 3.0. For the latest version, refer to the Endian Firewall page.

As a contributor to the Endian Firewall Community, I have always found EFW more applicable to my projects than other distros such as IPCop or pfSense.

Though it has been rather easy to block sites and services like Flash videos (e.g. YouTube), blocking P2P traffic has been a huge pain for us security admins. In the early days it was quite easy to stop such software from being installed on client machines, but with the idea of BYOD and cosmopolitan domains there is no longer a persistent, uniform standard that can be enforced via Windows Server domain/client policies.

So the matter is taken into the hands of the network and IT security crowd one more time. P2P, or peer-to-peer networking, is a painful topic, as you are already aware: though by default it uses UDP 6881, client software makes it very easy to change the port randomly or statically, including to port 80/8080. So, what is the solution? Make a list of the ports being used on your network, whitelist them and drop everything else? Perhaps that is possible on small networks, but what about larger networks with 3000+ users? Blocking every single UDP port one by one, or even by ranges? I guess that would take longer than trying to stop users one by one!

The good news is that some solutions are already built into your Endian Firewall system (including the community version, starting from 3.0). By default this functionality is disabled; you will need to enable it manually so that connection requests are dropped by default. (DansGuardian and Squid can only handle access to P2P sites and stop users from downloading .torrent files; magnet links are still problematic. I will cover all of this below.) The bad news is that there is no easy way of doing this. The last piece of good news: Eureka! It works!

The fight against peer-to-peer networking (commonly known as torrenting) isn't an easy one, as it has no specific IP address or port. The information is updated constantly on both the friend and foe sides, so IT security admins constantly have to review and update their security measures accordingly.

In my lectures to companies and other audiences alike, I persistently say that bulletproof information security can only be achieved by a good and applicable information security policy that is enforced upon the users in conjunction with the HR department and, of course, the managers.

Network blocking is merely a measure that will work until someone finds an alternative way of bypassing the walls, and that is usually just a matter of time.

Let's get back to our topic:
  1. Firstly, referring to my previous blog HERE, add the .torrent file extension to the DansGuardian blacklist. If you have not set up DansGuardian content filtering, please follow the steps on that page. Magnet links are managed differently; continue reading below.
  2. While you are at it, it is a good idea to disable Tor network access, as it is known for its mischievous uses.

    Here is how to block Tor using Squid: simply disallow CONNECT access to numeric IP addresses.

    # Match request URLs that start with a dotted quad; for CONNECT requests Squid's URL is host:port
    acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    # Deny CONNECT tunnels to such targets (CONNECT is Squid's predefined method ACL; "all" always matches)
    http_access deny CONNECT numeric_IPs all

    Also remember to add the Tor server IP addresses to the banned networks in your EFW interface; the updated list can be found HERE.

    Now users will not be able to connect to the Tor network (they can't create sockets). Still, as I stated before, you have to keep an eye on the updated lists, as they change randomly.

    To block .torrent sites and other file-sharing sites:
  3. Go to your EFW web interface, Proxy > Webfilter, then select the desired profile and click on the "Filter pages known to have content of the following categories (URL Filter)" link to reveal the list of known site categories to allow/disallow.
  4. In the list shown, select the category Hacking & Wares by clicking on the green sign next to it (it will turn red).
  5. It is also a good idea to select the Webproxies & Tunnels category. (If you have users using authorized VPN connections to the outside, you will have to add their IPs to the safelist/whitelist.) Don't forget to press the Change / APPLY button to commit your changes.

  6. It is also a good idea to add the Tor gateway list to the blacklist column under "Custom black- and whitelists" and press the Change button.

    Important note: as the EFW pages are not very interactive, pressing Change only saves one column at a time. So if you don't want your changes to be lost, do step 5, press Change, and so on.
  7. Go to Services > Intrusion Prevention. Here, enable the Intrusion Prevention System and update the rules.
  8. Next, go to Rules and, on the rule set auto/emerging-p2p.rules, click on the alert icon (yellow triangle). The alert symbol will change to a red shield symbol. Press APPLY to save your action. This means that the system will now drop P2P traffic.
  9. Lastly, go to Firewall and enable the Outgoing and Incoming Firewall Traffic Services (and press APPLY).

Now you are able to drop p2p packet data through the firewall.
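As an added check (my own example, not code from the post or from Endian), here is a small Python emulation of the two Squid lines from step 2, run over constructed sample requests. It shows what the rule actually catches: CONNECT tunnels to bare IP addresses are denied, while a CONNECT to a hostname or a plain GET to a numeric URL is not touched by this rule, which is why the banned-networks list from the same step is still needed.

```python
import re

# Constructed sample requests as Squid sees them (method, request URL); not from the post.
# Squid presents a CONNECT request's URL as host:port and a GET request's URL in full.
SAMPLE_REQUESTS = [
    ("CONNECT", "198.51.100.7:9001"),           # Tor-style tunnel to a bare IP
    ("CONNECT", "198.51.100.7:443"),            # any bare-IP tunnel, regardless of port
    ("CONNECT", "www.example.com:443"),         # tunnel to a hostname
    ("GET", "http://198.51.100.7/index.html"),  # plain GET to a bare IP
    ("GET", "http://www.example.com/"),         # plain GET to a hostname
]

# The url_regex from the post, as Squid applies it to the full request URL.
NUMERIC_IPS = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")


def matches_numeric_ips(url: str) -> bool:
    """Emulates `acl numeric_IPs url_regex ^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+`.

    Because of the ^ anchor the pattern can only match a URL that begins with
    digits, i.e. a CONNECT target like 198.51.100.7:9001, never http://... URLs.
    """
    return NUMERIC_IPS.search(url) is not None


def denied_by_rule(method: str, url: str) -> bool:
    """Emulates `http_access deny CONNECT numeric_IPs all`.

    A Squid http_access line fires only when every ACL on it matches:
    CONNECT is the predefined method ACL, numeric_IPs is the regex above,
    and `all` always matches, so it does not change the outcome.
    """
    return method == "CONNECT" and matches_numeric_ips(url)


def evaluate(requests):
    """Returns (method, url, denied) for each request, in order."""
    return [(m, u, denied_by_rule(m, u)) for m, u in requests]


if __name__ == "__main__":
    for method, url, denied in evaluate(SAMPLE_REQUESTS):
        print(f"{'DENY ' if denied else 'allow'} {method} {url}")
```

The two allowed cases at the bottom of the output are the gap this rule leaves: it stops Tor clients that tunnel to bare IPs through the proxy, not everything that reaches a Tor address.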