Block Bittorrent, device suggestions please for NZ business

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Block Bittorrent, device suggestions please for NZ business

1 | 2 | 3

5 posts

Wannabe Geek

#518189 7-Sep-2011 16:51

It is a device solution I am after, I don't want to setup a proxy server at this point

Ragnor

8223 posts

Uber Geek

Trusted

#518226 7-Sep-2011 18:32

vulcannz:

Not true. Encrypted BT uses a predetermined handshake (do you ever remember setting up certs or keys for a torrent client :D ) so while you cannot inspect the content of an encrypted bit torrent stream the initial session setup is fairly visible.

Hmm hadn't considered that.

Yeah we are using NSA2400's here at work now I think, networking is not my main area but I had a play with them.

From memory even the TZ-2xx series have DPI if you are willing to pay the annual subscription for the security services stuff.

vulcannz

436 posts

Ultimate Geek
Inactive user

#518517 8-Sep-2011 12:51

Ragnor:
vulcannz:

Not true. Encrypted BT uses a predetermined handshake (do you ever remember setting up certs or keys for a torrent client :D ) so while you cannot inspect the content of an encrypted bit torrent stream the initial session setup is fairly visible.

Hmm hadn't considered that.

Yeah we are using NSA2400's here at work now I think, networking is not my main area but I had a play with them.

From memory even the TZ-2xx series have DPI if you are willing to pay the annual subscription for the security services stuff.

All the current Sonicwalls do DPI services (IPS, App management, Gateway AV etc) based on subscription services. A TZ 200 is <$1k with a 1 year license, and I think its $300 or $400 per year for services+support after the 1st year.

Palo Alto's are pretty damn awesome too. Both utilize the Cavium Octeon's fairly heavily to achieve good DPI performance. Whereas stuff that uses x86 or ASICs like Juniper/Checkpoint/Fortinet/Cisco tends to choke on layer 7 stuff (though I see the new SRXs have octeons, but man their interface is ugly).

MauriceWinn

141 posts

Master Geek

Trusted

#518668 8-Sep-2011 16:28

http://news.zenbu.net.nz/2011/05/another-busy-summer-and-some-peer-to.html

Here is an excerpt <<people concerned about the risk of peer-to-peer file downloading can generally block file-sharing protocols at their broadband modem. The administration page of the broadband modem will generally have a "firewall" or "filter" option which should allow you to easily filter/block peer-to-peer traffic. It is much more likely that people with unrestricted access to the internet (staff, your children, friends etc) will use file-sharing than anyone connected via the Zenbu connection (unless you provide people with free internet access). So the best place to block peer-to-peer traffic is it at your broadband modem. If your existing broadband modem doesn't have such an option it would probably be worth calling your ISP and asking them if they can provide (or at least recommend) one that does. Many broadband modems supplied by ISPs are pretty poor quality so this could be a good opportunity to get a better, more reliable, more functional (and often much faster) modem. Not only should it allow you to block peer-to-peer traffic but it should also provide a much improved internet experience for you and your customers. Here is an article with information on some broadband modemscommonly provided by ISPs in New Zealand - http://bit.ly/iE9et1. The information provided is in-keeping with our experiences of different broadband modems. Basically a good modem should never need restarting to stay online and should provide good speed and reliable connectivity to your computer(s)/devices. As well as the modems recommended at the link above I highly recommendDrayTek modems. We use the Draytek 2700e (some other DrayTek modems are here) for one of our broadband connections and in over 18 months it has not once needed restarting and has been super reliable (and yes it has the option of blocking peer-to-peer services). Of course you should confirm that any equipment you are considering buying will actually do the job you want with the manufacturer or your ISP before you purchase it. Edit: Additional information on the copyright amendment bill is available at http://3strikes.net.nz/ >>

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#518678 8-Sep-2011 16:46

I haven't read the links but most consumer firewalls are able to block incoming connections, not outgoing. Some have options to block outgoing traffic, sure, but not all...

Blocking incoming connections is fine but won't block downloads, only sharing (uploads).

richms

28191 posts

Uber Geek

Trusted

Lifetime subscriber

#518680 8-Sep-2011 16:47

Even incoming connections blocked will still allow uploads as the tracker directs you to connect out to the other peers.

Richard rich.ms

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#518687 8-Sep-2011 16:58

Ok, there you go... Need a router with outgoing blocking the
But if client uses port 80 then nothing changes...

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

vulcannz

436 posts

Ultimate Geek
Inactive user

#518710 8-Sep-2011 18:11

Drayteks won't block p2p fully, they'll block some ports and maybe 'behaviour' but it's not going to achieve a lot.

theEd

341 posts

Ultimate Geek

Trusted

#518713 8-Sep-2011 18:23

vulcannz: Drayteks won't block p2p fully, they'll block some ports and maybe 'behaviour' but it's not going to achieve a lot.

Correct, the home/SOHO Drayteks have basic "p2p blocking" but it's not comprehensive (they aren't grunty enough to be doing full DPI). Draytek do have UTMs though which probably do DPI (haven't looked into it, we mostly push Cyberoam for UTM).

Also, that post is pushing Vigor2700e, which was a very low end model which has been discontinued for a very long time. Their link to other models also goes to a page of entirely discontinued models. For the record, current models that are available in NZ can be found here

Tooomuch

5 posts

Wannabe Geek

#518745 8-Sep-2011 19:55

There does not seem to be a 100% solution to block bittorrent, does our government know this?

Anyway keep the info coming...

kyhwana2

2566 posts

Uber Geek

#518755 8-Sep-2011 20:18

If you have a router that only does 99% bittorrent blocking, you can still get stung. If you have someone on your network that fires up a client and connects to _a_ tracker AND/OR DHT that is scraped by the contracters that the MPAA/RIAA/etc use, then you can still get hit for notices EVEN IF YOUR USER DOESN'T ACTUALLY DOWNLOAD _ANYTHING_

richms

28191 posts

Uber Geek

Trusted

Lifetime subscriber

#518824 8-Sep-2011 23:38

kyhwana2: If you have a router that only does 99% bittorrent blocking, you can still get stung. If you have someone on your network that fires up a client and connects to _a_ tracker AND/OR DHT that is scraped by the contracters that the MPAA/RIAA/etc use, then you can still get hit for notices EVEN IF YOUR USER DOESN'T ACTUALLY DOWNLOAD _ANYTHING_

Do you know for sure they send notices based on mere tracker scrapes?

Richard rich.ms

Ragnor

8223 posts

Uber Geek

Trusted

#518830 9-Sep-2011 00:59

They connect to the swarm and get you to upload to them

oxnsox

1923 posts

Uber Geek

#518862 9-Sep-2011 08:43

Left field thought...
Would it be possible to get your ISP to Block torrent traffic on your connect???

theEd

341 posts

Ultimate Geek

Trusted

#518865 9-Sep-2011 08:51

oxnsox: Left field thought...
Would it be possible to get your ISP to Block torrent traffic on your connect???

Doing it at the ISP would likely be about as effective as ticking the "block p2p" checkbox on a home router, since ISPs won't be doing DPI (it'd be ridiculously expensive to DPI all of their customers' traffic, not to mention probably breaching all kinds of privacy laws).

1 | 2 | 3