Overview
Peer-to-Peer (P2P) networks are worldwide distributed systems in which each node acts as both a client and a server. They are typically used to share large volumes of data.
Kerio Control provides the P2P Eliminator module, which detects connections to P2P networks and applies specific restrictions. Because there is a large variety of P2P networks and the parameters of individual nodes (servers, number of connections, etc.) change constantly, it is not possible to detect every P2P connection.
Diagnosis
P2P networks are commonly used for illegal data distribution, which can overload the Internet line. Users running P2P clients may degrade the connections of other users on the same network and may increase the cost of the line (where the line has a transfer-volume limit).
Using various methods (known ports, the number of established connections, etc.), the Kerio Control P2P Eliminator can detect whether users connect to one or more P2P networks.
Solution
Configuring the P2P content rule
By default, Kerio Control includes the standard Peer-to-Peer content rule, which is located at the bottom of Content Rules.
- In the administration interface, go to Content Filter.
- Select and enable Peer-to-Peer traffic.
- (Optional) Move the rule to the top.
- Click Apply.
If your Content Filter does not include the Peer-to-Peer traffic rule, you can add one:
- Click Add.
- Type the name of the new rule (e.g. Peer-to-Peer traffic).
- Double-click Detected content.
- In the Content Rule - Detected Content dialog, click Add > Applications and Web Categories.
- In the Selected items dialog, select Downloads > Peer-to-Peer.
- Double-click Action.
- In the Content Rule - Action dialog, select Deny in the Action list.
- (Optional) Select Send email notification to user for non-HTTP connections. Kerio Control then informs users that their P2P traffic has been denied.
- Click Apply.
Information about P2P detection and blocked traffic can be viewed in the Status > Active Hosts section.
Note: If you also want to notify another person (e.g. the firewall administrator) when a P2P network is detected, define the alert on the Alerts Settings tab of the Accounting and Monitoring section.
Configuring parameters for detection of P2P networks
P2P networks are detected automatically (the P2P Eliminator module keeps running). To set the P2P Eliminator module's parameters, go to Content Filter > Advanced Settings.
Connections to particular P2P networks cannot be blocked individually. P2P Eliminator does, however, allow you to permit services that are guaranteed not to use P2P networks.
Consider the following TCP/UDP port numbers as suspicious
A list of ports used exclusively by P2P networks. These are usually the ports of control connections; the ports (or port ranges) used for data sharing can be set by users themselves.
Ports in the list can be defined as single port numbers or as port ranges. Individual values are separated by commas, and a dash defines a range.
Number of connections
A large number of connections established from a client host is a typical feature of P2P networks (usually one connection per shared file). The Number of connections value defines the number of network connections a single client must reach for its traffic to be considered suspicious.
The optimum value depends on circumstances such as the kind of work users do and the network applications they commonly use, and it must be tested. If the value is too low, detection produces false positives (users who do not use P2P networks may be flagged). If the value is too high, detection produces false negatives (fewer P2P networks are detected).
Safe services
Certain legitimate services also show characteristics of P2P traffic (e.g. a large number of concurrent connections). To prevent such traffic from being detected incorrectly and users of these services from being blocked by mistake, you can define a list of so-called safe services. These services are excluded from P2P detection.
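The three parameters above (suspicious port list, connection threshold, safe services) combine into a simple per-host heuristic. The following Python script is an added illustration written for this article; it is not Kerio Control's code and makes no claim about how P2P Eliminator is implemented internally. It parses a port list in the comma-and-dash format described under Consider the following TCP/UDP port numbers as suspicious, counts each client's connections while excluding safe services, and flags a host that either contacts a suspicious port or reaches the Number of connections threshold. The port list, the threshold of 50, the safe service and all connection records are constructed sample values, not Kerio defaults.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


def parse_port_list(spec: str) -> set[int]:
    """Expand a port list in the article's format: values separated by
    commas, a dash for a range, e.g. "6881-6889, 4662"."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(part) for part in item.split("-", 1))
        else:
            lo = hi = int(item)
        if lo > hi:
            lo, hi = hi, lo
        if not (1 <= lo and hi <= 65535):
            raise ValueError(f"port out of range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


@dataclass(frozen=True)
class Conn:
    src: str       # LAN client host
    proto: str     # "tcp" or "udp"
    dst_port: int  # remote port the client connected to


def classify_hosts(conns, suspicious_ports, max_connections, safe_services):
    """Return {host: reason} for hosts whose traffic looks like P2P.

    A host is flagged if it talks to any suspicious port, or if the number of
    its connections (ignoring safe services) reaches max_connections."""
    per_host: dict[str, list[Conn]] = defaultdict(list)
    for c in conns:
        per_host[c.src].append(c)

    verdicts: dict[str, str] = {}
    for host, host_conns in per_host.items():
        # Safe services are excluded from detection entirely, so they
        # neither count toward the threshold nor trigger the port check.
        counted = [c for c in host_conns
                   if (c.proto, c.dst_port) not in safe_services]
        hits = sorted({c.dst_port for c in counted
                       if c.dst_port in suspicious_ports})
        if hits:
            verdicts[host] = f"suspicious port(s) {hits}"
        elif len(counted) >= max_connections:
            verdicts[host] = (f"{len(counted)} connections, "
                              f"threshold {max_connections} reached")
    return verdicts


def demo() -> dict[str, str]:
    """Run the heuristics over a constructed connection table."""
    suspicious = parse_port_list("6881-6889, 4662")  # constructed sample list
    threshold = 50                                    # constructed sample value
    safe = {("tcp", 443)}                             # constructed: treat tcp/443 as a safe service

    conns: list[Conn] = []
    # 10.0.0.11: only a few connections, but one goes to a suspicious port
    conns += [Conn("10.0.0.11", "tcp", p) for p in (80, 443, 993)]
    conns.append(Conn("10.0.0.11", "udp", 6881))
    # 10.0.0.12: 60 connections, all to the safe service -> none are counted
    conns += [Conn("10.0.0.12", "tcp", 443) for _ in range(60)]
    # 10.0.0.13: 55 connections to assorted high ports -> threshold reached
    conns += [Conn("10.0.0.13", "tcp", 20000 + i) for i in range(55)]
    # 10.0.0.14: ordinary browsing, stays below the threshold
    conns += [Conn("10.0.0.14", "tcp", p) for p in (80, 443, 53)]

    return classify_hosts(conns, suspicious, threshold, safe)


if __name__ == "__main__":
    for host, reason in sorted(demo().items()):
        print(f"{host}: {reason}")
```

Running the script flags 10.0.0.11 (suspicious port) and 10.0.0.13 (threshold reached) and leaves 10.0.0.12 alone because its many connections all go to a safe service. Lowering the threshold to 3 would also flag 10.0.0.14, which is exactly the too-low false-positive case described above; raising it above 55 would miss 10.0.0.13, the too-high false-negative case.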
IMPORTANT
The default values of the P2P detection parameters are based on long-term testing, and changing them can significantly affect detection results. Change the P2P detection parameters only in legitimate cases, for example when a new port number is found that is used only by a P2P network and by no legitimate application, or when a legitimate service is repeatedly detected as a P2P network.