PIX/ASA 7.x: Block Peer-to-Peer Streaming Communication

Posted on 2007-12-19 12:50:06

Contents
Introduction
Prerequisites
      Requirements
      Components Used
      Related Products
      Conventions
RTSP
      P2P Blocking using ACL
      Enable and Configure RTSP Inspection
Related Information
Introduction
This document shows how to block peer-to-peer (P2P) streaming traffic (audio streamers such as Internet radio and voice chat, and video streamers) on the PIX 500 Series Security Appliance 7.x using access lists.
Note: Blocking TCP port 80 in order to stop HTTP-cloaked P2P and instant messaging traffic also blocks ordinary web browsing, so internal hosts lose Internet access.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on a PIX Security Appliance that runs version 7.x.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with an Adaptive Security Appliance (ASA) that runs version 7.x.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
RTSP
RTSP is the IETF standards-based protocol (RFC 2326) for control over the delivery of data with real-time properties such as audio and video streams. It is useful for large-scale broadcasts and audio or video on-demand streaming, and is supported by a variety of vendors of streaming audio and video multimedia, including Cisco IP/TV, RealNetworks RealAudio G2 Player, and Apple QuickTime 4 software.
RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
HTTP is the most commonly used application-layer protocol on the Internet. HTTP offers a flexible, extensible mechanism to support numerous networked applications. Businesses, educational institutions, and government offices that rely on the Internet must allow HTTP traffic through their firewalls to accommodate most web-based applications. Unfortunately, the pervasive nature of HTTP support has contributed to TCP port 80 being a transmission vector for malicious software such as worms and viruses, as well as offering an effective conduit for concealing other traffic generated by undesirable software such as instant messaging (IM) applications and P2P file-sharing tools.
P2P and IM traffic generally offer two modes of operation:
  • Native mode—The application runs on a uniquely defined set of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports.
  • HTTP cloaked mode—The application masquerades as HTTP (TCP Port 80) traffic in order to gain passage through firewalls and other network policy controls.
Some of the more advanced P2P and IM applications implement sufficient RFC 2616 dialogue to appear as a legitimate conversation between a web browser and a web server.
RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The security appliance only supports TCP, in conformity with RFC 2326. This TCP control channel is used to negotiate the data channels that are used to transmit audio/video traffic, based on the transport mode that is configured on the client.
The supported RDT transports are rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp.
The security appliance parses SETUP response messages with a status code of 200. If the response message travels inbound, the server is outside relative to the security appliance and dynamic channels need to be opened for connections that come inbound from the server. If the response message is outbound, then the security appliance does not need to open dynamic channels.
Because RFC 2326 does not require that the client and server ports be in the SETUP response message, the security appliance keeps state and remembers the client ports in the SETUP message. QuickTime places the client ports in the SETUP message and then the server responds with only the server ports.
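The SETUP handling described above, modelled as an added Python example (this is not code from the Cisco document, and the appliance's own implementation is not shown there): the tracker remembers the client_port values from a SETUP request, parses only a 200 response, falls back to the remembered client ports when the server answers with only its own ports (the QuickTime behaviour noted above), checks the transport against the list of supported RDT transports, and derives dynamic UDP channels only when the response travels inbound. The RTSP messages, host name and port numbers are constructed for the example.

```python
"""Added example: a minimal model of the RTSP SETUP tracking that the
document describes. Not code from the Cisco document; the appliance's own
implementation is not shown there. The sample messages are constructed."""
import re

# RDT transports the document lists as supported by RTSP inspection.
SUPPORTED_TRANSPORTS = {
    "rtp/avp", "rtp/avp/udp", "x-real-rdt", "x-real-rdt/udp", "x-pn-tng/udp",
}
STATUS_RE = re.compile(r"^RTSP/1\.0 (\d{3})\b")
PORT_RANGE_RE = re.compile(r"(\d+)(?:-(\d+))?")

# Constructed sample exchange: the client announces its ports in the SETUP
# request; the server answers with only its own ports (RFC 2326 does not
# require it to echo the client ports).
SAMPLE_REQUEST = (
    "SETUP rtsp://media.example.com/stream/trackID=1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;server_port=7000-7001\r\n\r\n"
)


def _header(message, name):
    """Value of the first header called `name` (case-insensitive), or None."""
    for line in message.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name:
            return value.strip()
    return None


def parse_transport(message):
    """Parse the Transport header: spec plus client_port/server_port ranges."""
    result = {"spec": None, "client_port": None, "server_port": None}
    transport = _header(message, "transport")
    if transport is None:
        return result
    params = [p.strip() for p in transport.split(";")]
    result["spec"] = params[0].lower()
    for param in params[1:]:
        key, eq, val = param.partition("=")
        key = key.strip()
        if not eq or key not in ("client_port", "server_port"):
            continue
        m = PORT_RANGE_RE.fullmatch(val.strip())
        if m is None:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        result[key] = (lo, hi)
    return result


class RtspSetupTracker:
    """State kept across a SETUP request and its response, keyed by CSeq."""

    def __init__(self):
        self._pending = {}

    def on_request(self, request):
        """Remember the client ports announced in a SETUP request."""
        if request.split(" ", 1)[0] != "SETUP":
            return
        cseq = _header(request, "cseq")
        client = parse_transport(request)["client_port"]
        if cseq is not None and client is not None:
            self._pending[cseq] = client

    def on_response(self, response, inbound):
        """Return the (proto, server_port, client_port) pinholes to open.

        Only a 200 response is parsed. An outbound response means the server
        is inside, so no dynamic channel is needed. When the response omits
        client_port, the ports remembered from the request are used."""
        m = STATUS_RE.match(response)
        if m is None or m.group(1) != "200":
            return []
        remembered = self._pending.pop(_header(response, "cseq"), None)
        if not inbound:
            return []
        t = parse_transport(response)
        client = t["client_port"] or remembered
        server = t["server_port"]
        if t["spec"] not in SUPPORTED_TRANSPORTS or client is None or server is None:
            return []
        # Pair data and control ports positionally (RTP with RTP, RTCP with RTCP).
        return [("udp", s, c)
                for s, c in zip(range(server[0], server[1] + 1),
                                range(client[0], client[1] + 1))]


def pinholes_for_exchange(request, response, inbound):
    """Run one request/response pair through a fresh tracker."""
    tracker = RtspSetupTracker()
    tracker.on_request(request)
    return tracker.on_response(response, inbound)


if __name__ == "__main__":
    for hole in pinholes_for_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE, inbound=True):
        print("open %s server:%d -> client:%d" % hole)
```

A transport the appliance does not handle (for example RTP interleaved over the TCP control connection) yields no pinholes, as does a non-200 response or a response for which no client ports are known; those are the cases where a stateless port-based rule would either open nothing or open too much.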
P2P Blocking using ACL
Determine the ports that receive RTSP SETUP messages behind the security appliance. The default ports are TCP ports 554 and 8554.
Use the access-list extended command in order to do this and add an ACE to match each port, as this example output shows. An access list ends with an implicit deny, so finish it with a permit statement for the traffic you still want to pass; otherwise applying it to the interface blocks all other connections as well:
hostname(config)#access-list rtsp_acl deny tcp any any eq 554
hostname(config)#access-list rtsp_acl deny udp any any eq 554
hostname(config)#access-list rtsp_acl deny tcp any any eq 8554
hostname(config)#access-list rtsp_acl deny udp any any eq 8554
hostname(config)#access-list rtsp_acl permit ip any any
Apply the ACL to traffic that enters the security appliance on the inside interface, that is, to connections that internal hosts open toward the outside. The access-group command is entered in global configuration mode and must name the access list defined above, as this example output shows:
hostname(config)#interface ethernet1
hostname(config-if)#nameif inside
hostname(config-if)#security-level 100
hostname(config-if)#exit
hostname(config)#access-group rtsp_acl in interface inside
Enable and Configure RTSP Inspection
Complete these steps in order to enable or configure RTSP application inspection:
  1. Determine the ports that receive RTSP SETUP messages behind the security appliance. The default ports are TCP ports 554 and 8554.
  2. Create an access list to identify the RTSP SETUP messages. Use the access-list extended command in order to do this and add an ACE to match each port, as this example shows:
    hostname(config)#access-list acl-name permit tcp any any eq port_number
    The entries are permit statements: a class map that matches an access list selects the traffic the list permits, and a deny entry excludes traffic from the class.
    Note: If you allow RTSP SETUP messages on one port only or on a contiguous range of ports, you can skip creating the access list and, in step 4, use the match port command instead of the match access-list command.
  3. Issue the class-map command in order to create a class map or modify an existing class map to identify RTSP traffic.
    hostname(config)#class-map class_map_name
    hostname(config-cmap)#
    For this command, class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.
  4. Use the match access-list command in order to identify traffic sent to the RTSP ports you determined in step 1.
    hostname(config-cmap)#match access-list acl-name
  5. Use the policy-map command in order to create a policy map or modify an existing policy map that you want to use to apply the RTSP inspection engine to RTSP traffic.
    hostname(config-cmap)#policy-map policy_map_name
    hostname(config-pmap)#
    For this command, policy_map_name is the name of the policy map. The CLI enters policy map configuration mode and the prompt changes accordingly.
  6. Use the class class_map_name command in order to specify the class map created in step 3, which identifies the RTSP traffic.
    hostname(config-pmap)#class class_map_name
    hostname(config-pmap-c)#
    For this command, class_map_name is the name of the class map you created in step 3. The CLI enters policy map class configuration mode and the prompt changes accordingly.
  7. Use the inspect rtsp command in order to enable RTSP application inspection. The command takes no port argument in 7.x; the ports are those selected by the class map.
    hostname(config-pmap-c)#inspect rtsp
    hostname(config-pmap-c)#
  8. Use the service-policy command to apply the policy map globally or to a specific interface.
    hostname(config-pmap-c)#service-policy policy_map_name [global | interface interface_ID]
    hostname(config)#
    For this command, policy_map_name is the policy map you configured in step 5. If you want to apply the policy map to traffic on all the interfaces, use the global option. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.
    The security appliance begins to inspect RTSP traffic, as specified.
This example configuration from the PIX shows how to enable the RTSP inspection engine on the default ports (554 and 8554). The class referenced under the policy map must be the class map defined above (rtsp-traffic), and inspect rtsp takes no port argument in 7.x; the ports come from the class map. The UDP entries match nothing the inspection engine acts on, since it inspects only the TCP control channel, so they are harmless but can be omitted. The service policy is then applied to the outside interface.
PIX
hostname(config)#access-list rtsp_acl permit tcp any any eq 554
hostname(config)#access-list rtsp_acl permit udp any any eq 554
hostname(config)#access-list rtsp_acl permit tcp any any eq 8554
hostname(config)#access-list rtsp_acl permit udp any any eq 8554
hostname(config)#class-map rtsp-traffic
hostname(config-cmap)#match access-list rtsp_acl
hostname(config-cmap)#policy-map sample_policy
hostname(config-pmap)#class rtsp-traffic
hostname(config-pmap-c)#inspect rtsp
hostname(config-pmap-c)#service-policy sample_policy interface outside