Since it is a business, have you contemplated stopping the install of P2P clients all together?
Surely most users shouldn't have rights to simply install what they want on their computers, that leaves your network wide open for all sorts of nasty stuff to happen.
So rather than trying (possibly in vain) to block P2P traffic, how about enabling a group policy across your network that blocks the install/running of P2P clients.
Just log it and warn etc anyone doing it if its a business. Misuse of a computer is very serious in a business environment so should be plain sailing thru the dismissal process.
jaymz: Since it is a business, have you contemplated stopping the install of P2P clients all together?
Surely most users shouldn't have rights to simply install what they want on their computers, that leaves your network wide open for all sorts of nasty stuff to happen.
So rather than trying (possibly in vain) to block P2P traffic, how about enabling a group policy across your network that blocks the install/running of P2P clients.
vulcannz: Drayteks won't block p2p fully, they'll block some ports and maybe 'behaviour' but it's not going to achieve a lot.
Correct, the home/SOHO Drayteks have basic "p2p blocking" but it's not comprehensive (they aren't grunty enough to be doing full DPI). Draytek do have UTMs though which probably do DPI (haven't looked into it, we mostly push Cyberoam for UTM).
Also, that post is pushing Vigor2700e, which was a very low end model which has been discontinued for a very long time. Their link to other models also goes to a page of entirely discontinued models. For the record, current models that are available in NZ can be found here
Last time I looked at cyberoam they were still based on x86 architecture, Have they moved on since then? They came across as yet-another-linux based firewall on x86 to me. I don't have a lot of faith in x86 based DPI products, you need to be running specialized hardware like the octeon's otherwise performance is going go be poor or there will be 'shortcuts' taken (for example not scanning off-port traffic).
and how will you block Java and Flash based torrent clients?
To be honest i didn't know they existed. Do they run entirely within a web browser? Or is there some form of install that happens.
In that case, a two stage approach is needed. Active blocking of installed programs and a proper proxy server that allows you to enforce quota's and monitor web access.
If people are pushing that hard to get bittorrents while they are supposed to be at work, then there needs to be some changes in their web-access policy.
Last time I looked at cyberoam they were still based on x86 architecture, Have they moved on since then? They came across as yet-another-linux based firewall on x86 to me. I don't have a lot of faith in x86 based DPI products, you need to be running specialized hardware like the octeon's otherwise performance is going go be poor or there will be 'shortcuts' taken (for example not scanning off-port traffic).
No, they're definitely just a Linux-on-x86 box. Although I haven't worked with them much (I deal more with the Home/SOHO products) they seem to work fine at the schools etc. they're installed at.
You get what you pay for, though. Linux-on-x86 is cheap.
and how will you block Java and Flash based torrent clients?
To be honest i didn't know they existed. Do they run entirely within a web browser? Or is there some form of install that happens.
In that case, a two stage approach is needed. Active blocking of installed programs and a proper proxy server that allows you to enforce quota's and monitor web access.
If people are pushing that hard to get bittorrents while they are supposed to be at work, then there needs to be some changes in their web-access policy.
bitlet is a good example of a java based p2p app.
Enforcing quota's won't stop p2p going out and getting you issued an infringement notice.
tbh I sometimes wonder how much value people put on their time, a decent firewall with p2p blocking is a checkbox. Whereas fluffing around with proxies (which p2p apps will happily tunnel through) is time consuming.
A small business can pick up an entry level snwl for $1k. Have it up and blocking p2p in no time. Plus they get the bonus of app management, IPS, gateway AV, and web filtering. Updates for signatures are automatic and there's no fluffing around. Then you have things like vpn capabilities (ipsec and SSL) and excellent reporting capabilities.
Last time I looked at cyberoam they were still based on x86 architecture, Have they moved on since then? They came across as yet-another-linux based firewall on x86 to me. I don't have a lot of faith in x86 based DPI products, you need to be running specialized hardware like the octeon's otherwise performance is going go be poor or there will be 'shortcuts' taken (for example not scanning off-port traffic).
No, they're definitely just a Linux-on-x86 box. Although I haven't worked with them much (I deal more with the Home/SOHO products) they seem to work fine at the schools etc. they're installed at.
You get what you pay for, though. Linux-on-x86 is cheap.
Is it 'cheap' as in low cost.... how much is a cyberoam box? I'd lay odds the smart kids at schools are cutting through them fairly quickly. I've put a couple of snwl's into schools (from primary to fairly fairly big) and it's amazing the stuff the picked up the existing solutions weren't (especially watchdog).
I totally agree with vulcannz, I have done some research and there are some great boxes out there, you do have to pay a subscription for the box services though, but not much
Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly
to your computer or smartphone by using a feed reader.
Trusted
