For any corporate network, the growing familiarity with P2P (peer-to-peer) apps is cause for alarm as such apps not only hog bandwidth but also pose security hazards. Sharing hefty files such as movies and music results in not only wastage of paid bandwidth but also productivity loss as there’s less bandwidth for others. On the security front, there is no guarantee that the files shared across P2P apps are authentic–a file claiming to be a music file (by its name and extension) may install a Trojan when clicked on to play. Add to this the fact that some users deliberately share virus-infected files. So, allowing P2P apps to run on your network may actually work against your security policy.
Though there are quite a number of P2P apps, there is an observed pattern in their popularity. A particular app may suddenly become popular and equally abruptly shut down while another app takes its place. Kazaa, one such P2P app, is ruling the roost these days. Other popular P2P apps are Morpheus, iMesh and Limewire.
Bid farewell to the nightmares of Kazaa posing a security threat
The earlier versions of Kazaa could be easily blocked by blocking a specific port on the firewall (refer to Block Kazaa, Morpheus, LimeWire, page 40, September 2002, PCQuest). However, the latest versions of Kazaa (versions 2 and above) do not use a specific port to connect or download. They hop ports to connect. Worse, they can even use port 80 (the port used for Web browsing). Hence, blocking a port is no longer a way of blocking the latest versions of Kazaa. Something more needs to be done. On this month’s PCQEssential CD, we have carried software called ftwall, which when coupled with iptables firewall on Linux can block Kazaa effectively.
Last month, in the article IPCop Firewall Appliance (page 90), we explained how to set up IPCop, a Linux-based firewall distribution that uses iptables. We will use the same IPCop setup to restrict users in the internal network (172.16.0.0) from using Kazaa.
Enable SSH on IPCop
To enable IPCop to block Kazaa, we need to copy the ftwall software onto the firewall machine and edit some configuration files. We will copy the software remotely through SSH (Secure SHell).
Launch IPCop’s browser-based interface (as explained in last month’s article). Click on System>ssh. Mark the checkbox labeled SSH and click on Save. With this, SSH connections are enabled at port 222 (as opposed to at the standard SSH port, which is 22).
Copy files onto Firewall
We will use one of the machines (call it workstation) on the internal network to copy the files from this month’s CD to the firewall. If the machine runs Windows, you can use WinSCP (http://winscp.sourceforge.net) to copy the files; on a Linux machine, you can use scp. To log in, use “root” and the corresponding password that you specified during IPCop’s installation.
Insert the PCQuest Essential CD on the workstation and copy the file named IPCop-hack-2.4.21-1.tgz found in the directory system\cdrom\network_security\firewall\ftwall to / directory on the firewall machine.
Next copy the file named rc.local on the CD to /etc/rc.d directory, overwriting the existing rc.local file. And copy the file named ftwall-1.07-IPCop130.gz to /root directory.
Set up the software
Next, we need to extract the archives copied onto the firewall. For this we need to log in to the firewall using SSH. You can use ssh if you are on a Linux workstation or PuTTY (www.chiark.greenend.org.uk/~sgtatham/putty/download.html) in case of a Windows workstation. Supply root and the corresponding password for login. Change to the directory / and issue the following command.
tar -zxvf IPCop-hack-2.4.21-1.tgz
Next, change to the directory /root and issue the following command.
gunzip -d ftwall-1.07-IPCop130.gz
This will produce a file named ftwall-1.07 in the /root directory. Copy this file to the /sbin directory as ftwall using the following command.
cp /root/ftwall-1.07 /sbin/ftwall
Next issue the following commands.
mkdir -p /opt/ipcop/ethernet
touch /opt/ipcop/ethernet/settings
Configure
While still logged in, open the file named lilo.conf found in /etc directory using vi text editor. Change the line
default = IPCop
to
default = IPCop-P2PWall
Next, append the following lines to the file.
image = /boot/vmlinuz-2.4.21-P2PWall
root = /dev/harddisk4
label = IPCop-P2PWall
Next, on the console issue the following command.
ifconfig
Note down the interface name of the network card that is connected to the internal network–the one having the IP address 172.16.0.1. In our case it was eth0.
Append the following line to the file named profile found in /etc directory:
export GREEN_DEV=eth0
Substitute eth0 with the name of the internal network interface, in your case.
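Before rebooting, the steps above can be checked in one pass. The script below is an added example, not part of the original article or of ftwall; the function name check_ftwall_setup and its ROOT prefix argument are assumptions made here, as is the expectation that the kernel image named in lilo.conf is already present under /boot.

```shell
#!/bin/sh
# Added example: pre-reboot check of the ftwall/IPCop setup described above.
# ROOT is a hypothetical path prefix so the check can also be run against
# a copy of the tree; on the firewall itself pass an empty string.

check_ftwall_setup() {
    root=$1
    problems=0
    ws='[[:space:]]*'
    lilo="$root/etc/lilo.conf"

    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # Files put in place by the copy and extract steps
    [ -x "$root/sbin/ftwall" ] \
        || fail "/sbin/ftwall is missing or not executable"
    [ -f "$root/etc/rc.d/rc.local" ] \
        || fail "/etc/rc.d/rc.local is missing"
    [ -f "$root/opt/ipcop/ethernet/settings" ] \
        || fail "/opt/ipcop/ethernet/settings is missing"

    # lilo.conf must default to the new entry, and the entry must exist
    grep -Eq "^${ws}default${ws}=${ws}IPCop-P2PWall${ws}\$" "$lilo" 2>/dev/null \
        || fail "lilo.conf: default is not IPCop-P2PWall"
    grep -Eq "^${ws}image${ws}=${ws}/boot/vmlinuz-2.4.21-P2PWall${ws}\$" "$lilo" 2>/dev/null \
        || fail "lilo.conf: image line for the P2PWall kernel is missing"
    grep -Eq "^${ws}label${ws}=${ws}IPCop-P2PWall${ws}\$" "$lilo" 2>/dev/null \
        || fail "lilo.conf: label IPCop-P2PWall is missing"

    # The kernel that lilo.conf points at must be on disk (assumption: it
    # was placed there when the archive was extracted in /)
    [ -f "$root/boot/vmlinuz-2.4.21-P2PWall" ] \
        || fail "/boot/vmlinuz-2.4.21-P2PWall is missing"

    # GREEN_DEV must be exported with a non-empty interface name
    grep -Eq "^${ws}export[[:space:]]+GREEN_DEV=[^[:space:]]+" "$root/etc/profile" 2>/dev/null \
        || fail "/etc/profile: export GREEN_DEV=<interface> is missing"

    # Exit status is the number of problems found (0 means ready to reboot)
    return "$problems"
}

# Run the check only when invoked as: sh check.sh --run [ROOT]
[ "${1:-}" != "--run" ] || check_ftwall_setup "${2:-}"
```

A booting firewall that still loads the old kernel entry or has no GREEN_DEV set will not block anything, so a non-zero result here is worth fixing before the reboot in the next step.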
Restart firewall
Launch the browser interface of IPCop and click on System>shutdown>Reboot. Once IPCop is up, it is equipped to block the Kazaa app running on any machine in your internal network.
Whenever a user on your internal network launches Kazaa and tries to connect (by clicking on the Connect button), IPCop will totally disconnect his machine. This means the user is denied all access to the Internet (or the external network) till Kazaa is closed completely. After closing Kazaa, the user’s access to the external network is resumed after 2 minutes.
With the firewall active, we failed to connect using the latest versions (as of this writing) of Kazaa Media Desktop (ver 2.5.2) and Kazaa Lite (ver 2.4.3).
Ftwall can also block other P2P applications like iMesh and Grokster, which use the FastTrack P2P network.
For comprehensive information on ftwall and setting it up on other Linux distributions, refer to www.lowth.com/p2pwall.
Thanks to Chris Lowth (the developer of ftwall) for mailing us the URL to the ftwall software.
Shekhar Govindarajan