Question:

As per the network policy, we have to block all torrent traffic from the network. To do this, I used to block all ports above 1024 on my firewall/proxy devices. But due to this, many other applications which use non-standard ports are not able to function, especially mobile applications, and users are complaining because of this. Is there an effective way of blocking torrents on my network? A minimum number of ports, or a few specific ports, or application-level filtering? We have Cisco IronPort security and Cisco ASA 5500 firewall devices.

Answer:

You have a number of ways to restrict torrents:

Blocking ports: this doesn't work, because p2p traffic can use pretty much any port (even ones below 1024).
Deep inspection: looking at traffic and blocking based on type can help you a lot; however, encrypted traffic all looks alike.
Destination filtering: this may also help a bit, but you'd have to maintain a large blacklist.
Volume: if a user is downloading/uploading large amounts of traffic, then investigate.
Controlling the applications installed on the computers on your network through Group Policy or a real-world policy: disallow all p2p applications, and if anyone breaches the policy, don't let them use the network/fire them/fine them/whatever.

Answer:

BitTorrent can run on any port, and can be wrapped inside SSL, so blocking by ports or traffic data isn't going to get you anywhere. My suggestion would be to block HTTP traffic on any port which matches the tracker announce protocol, as per. This won't work if the tracker is running on HTTPS, but most don't. It also won't prevent DHT from working, but that's unlikely to matter too much. Additionally, you can monitor traffic to see if large amounts of data are being transferred to a single user, and take action based upon that.

Answer:

My opinion is that this isn't a technical issue - it's a policy issue.
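The tracker-announce match suggested in the answer above, together with the peer-wire handshake that port-based blocking misses, as an added example that is not code from the thread: a classifier over the first bytes of a TCP stream, usable on any destination port. The sample payloads are constructed, not real captures. It deliberately returns "other" for a TLS ClientHello, which is the limitation the answer describes: HTTPS trackers and obfuscated peer connections look like any other encrypted stream.

```python
"""
Classify the first bytes of a TCP stream as BitTorrent control traffic.
Added example, not from the original thread. Assumes you can get the
leading bytes of each stream (tap, proxy log, IDS hook); the samples
below are constructed, not captured.
"""
from urllib.parse import parse_qs, urlsplit

# Peer-wire handshake (BEP 3): <19><"BitTorrent protocol"><8 reserved><info_hash><peer_id>
PEER_WIRE_MAGIC = b"\x13BitTorrent protocol"

# Query parameters every HTTP tracker announce carries (BEP 3)
ANNOUNCE_REQUIRED = {"info_hash", "peer_id", "port"}


def classify(payload: bytes) -> str:
    """Return 'peer_wire', 'tracker_announce' or 'other'.

    Only the bytes matter, not the port, which is why the answer says
    port blocking fails and content inspection is needed. Encrypted
    traffic (HTTPS trackers, obfuscated peer connections) ends up as
    'other': this classifier cannot see inside it.
    """
    if payload.startswith(PEER_WIRE_MAGIC):
        return "peer_wire"

    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0] == b"GET" and parts[2].startswith(b"HTTP/"):
        url = urlsplit(parts[1].decode("latin-1", errors="replace"))
        # Tracker announce: last path segment starts with 'announce'
        # (covers /announce and /announce.php; /scrape is a different request)
        if url.path.rsplit("/", 1)[-1].startswith("announce"):
            params = parse_qs(url.query, keep_blank_values=True)
            if ANNOUNCE_REQUIRED.issubset(params):
                return "tracker_announce"
    return "other"


# Constructed samples (not real captures); names say which port they "arrived" on
SAMPLES = {
    "announce_on_8080": (
        b"GET /announce?info_hash=%12%34%56%78%9a%bc%de%f0%12%34%56%78%9a%bc%de%f0%12%34%56%78"
        b"&peer_id=-UT3550-abcdefghijkl&port=51413&uploaded=0&downloaded=0&left=1048576"
        b"&compact=1 HTTP/1.1\r\nHost: tracker.example.invalid:8080\r\n\r\n"
    ),
    "peer_wire_on_443": PEER_WIRE_MAGIC + b"\x00" * 8 + b"\x12" * 20 + b"-UT3550-abcdefghijkl",
    "plain_web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tls_client_hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # truncated record header
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:20s} -> {verdict}")
```

A firewall or proxy rule built on this logic blocks the plaintext announce and the unobfuscated handshake regardless of port, while the TLS sample shows what still gets through; that residue is what the volume-monitoring and policy suggestions in the thread are for.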
Port-forwarding is one of the most requested and used modifications to a customer's default gateway. With this tutorial, we would like to help you set up your network devices for remote access in.

Deactivate unused ports on USG / ZyWALL series. Problem: We don't use SSO (port 2158) or DNS (port 53). The web GUI does not have a checkbox to enable/disable the service. Another example: we don't use FTP (port 21). The web GUI has a checkbox to enable/disable FTP, but it does not turn off port 21.
Answer:

Make all your users sign a usage policy that explicitly bans the use of file-sharing networks and systems, including BitTorrent, and ensure that appropriate punishments can be enforced should people violate that policy.

Answer:

From my perspective, only deep packet inspection including SSL/TLS traffic will work. Common practice is to have a proxy server in the internal network (with SSL inspection) to allow users to access the internet (and block all unwanted sites/services), then block all traffic outgoing from such users directly to the internet. If you need to allow users to access specific servers on non-standard ports, you have to allow them explicitly (IP, protocol, port/service).

Comment:

What kind of non-standard services are users accessing from your network?
WAN - General

This screen allows you to configure load balancing, route priority and traffic redirect properties.

Multiple WAN

You can use a second connection for load sharing to increase overall network throughput or as a backup to enhance network reliability. The ZyWALL has two WAN ports. You can connect one port to one ISP (or network) and connect the other to a second ISP (or network).

The ZyWALL can balance the load between the two WAN ports (see the Load Balancing Introduction section).

You can use policy routing to specify the WAN port that specific services go through. An ISP may give traffic from certain (more expensive) connections priority over the traffic from other accounts. You could route delay-intolerant traffic (like voice over IP calls) through this kind of connection. Other traffic could be routed through a cheaper broadband Internet connection that does not provide priority service. If one WAN port's connection goes down, the ZyWALL can automatically send its traffic through the other WAN port. See the Policy Route chapter in the User's Guide for details.

The ZyWALL's NAT feature allows you to configure sets of rules for one WAN port and separate sets of rules for the other WAN port. Refer to the NAT chapter for details.

You can select through which WAN port you want to send out traffic from UPnP-enabled applications (see the UPnP chapter in the User's Guide).

The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name. The DDNS high availability feature lets you have the ZyWALL use the other WAN interface for a domain name if the configured WAN interface's connection goes down. See the Dynamic DNS section in the User's Guide for details.

When configuring a VPN rule, you have the option of selecting one of the ZyWALL's domain names in the My Address field.

Load Balancing Introduction

On the ZyWALL, load balancing is the process of dividing traffic loads between the two WAN interfaces (or ports). This allows you to improve quality of service and maximize bandwidth utilization. See also policy routing, which provides quality of service by dedicating a route to a specific traffic type, and bandwidth management, which specifies a set amount of bandwidth for a specific traffic type on an interface.

Load Balancing Algorithms

The ZyWALL uses three load balancing methods (Least Load First, Weighted Round Robin and Spillover) to decide which WAN port the traffic for a session (from the LAN) should use. In the load balancing section, a session may refer to normal connection-oriented, UDP and SNMP2 traffic. The following sections describe each load balancing method.

The available bandwidth you configure on the ZyWALL refers to the actual bandwidth provided by the ISP, and the measured bandwidth refers to the bandwidth an interface is currently using.

Least Load First

The Least Load First algorithm uses the current (or recent) outbound and/or inbound bandwidth utilization of each WAN interface as the load balancing index(es) when deciding to which WAN interface a new LAN-originated session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound throughput divided by the available outbound bandwidth, and the inbound bandwidth utilization is defined as the measured inbound throughput divided by the available inbound bandwidth.

Weighted Round Robin

Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight. This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different.

For example, in the figure below (not reproduced here), the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively. The ZyWALL then assigns the traffic of two sessions to WAN1 for every session's traffic assigned to WAN2.

Spillover

With the Spillover load balancing algorithm, the ZyWALL sends network traffic to the primary interface until the maximum allowable load is reached, then the ZyWALL sends the excess network traffic of new sessions to the secondary WAN interface. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs.

In cases where the primary WAN interface uses an unlimited access Internet connection and the secondary WAN uses a per-use timed access plan, the ZyWALL will only use the secondary WAN interface when the traffic load reaches the upper threshold on the primary WAN interface. This allows you to fully utilize the bandwidth of the primary WAN interface while avoiding overloading it, and reduces Internet connection fees at the same time.

TCP/IP Priority (Metric)

The metric represents the 'cost of transmission'. A router determines the best route for transmission by choosing a path with the lowest 'cost'. RIP routing uses hop count as the measurement of cost, with a minimum of '1' for directly connected networks. The number must be between '1' and '15'; a number greater than '15' means the link is down. The smaller the number, the lower the 'cost'.

1. The metric sets the priority for the ZyWALL's routes to the Internet. Each route must have a unique metric.
2. The priorities of the WAN port routes must always be higher (that is, their metrics lower) than the dial-backup and traffic redirect route priorities.

For example, let's say that you have the WAN operation mode set to Active/Passive and the WAN 1 route has a metric of '2', the WAN 2 route has a metric of '3', the traffic-redirect route has a metric of '14' and the dial-backup route has a metric of '15'. In this case, the WAN 1 route acts as the primary default route. If the WAN 1 route fails to connect to the Internet, the ZyWALL tries the WAN 2 route next. If the WAN 2 route fails, the ZyWALL tries the traffic-redirect route. In the same manner, the ZyWALL uses the dial-backup route if the traffic-redirect route also fails. The dial-backup or traffic redirect routes cannot take priority over the WAN 1 and WAN 2 routes.
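The three selection algorithms described above, as an added example that is not ZyXEL code: a Python simulation that feeds six new LAN-originated sessions through each algorithm and records which WAN port takes each one. The interface bandwidths follow the WRR example (1M and 512K, weights 2 and 1); the 100 kbps per session, the 300 kbps spillover threshold, outbound-only utilization for Least Load First, and the tie-break to the first interface are assumptions chosen to make the decisions visible.

```python
"""
Simulation of the three ZyWALL WAN load-balancing algorithms described above.
Added example, not ZyXEL code: the per-session rate, the spillover threshold
and the session count are assumptions chosen to make the choices visible.
"""
from dataclasses import dataclass, field


@dataclass
class Wan:
    name: str
    available_kbps: int        # bandwidth the ISP actually provides (configured)
    weight: int = 1            # Weighted Round Robin ratio; 0 = send nothing here
    measured_kbps: int = 0     # bandwidth the interface is currently using
    sessions: list = field(default_factory=list)

    @property
    def utilization(self) -> float:
        """Outbound index used by Least Load First: measured / available."""
        return self.measured_kbps / self.available_kbps

    def assign(self, session_id: str, kbps: int) -> None:
        self.sessions.append(session_id)
        self.measured_kbps += kbps


def least_load_first(wans, session_id, kbps) -> str:
    """New session goes to the WAN with the lowest utilization (outbound only
    here; the real index can also include inbound). min() keeps the first
    interface on a tie, an assumption of this model."""
    target = min(wans, key=lambda w: w.utilization)
    target.assign(session_id, kbps)
    return target.name


def weighted_round_robin(wans, session_id, kbps, state) -> str:
    """Take turns; a WAN with weight n gets n consecutive sessions per round,
    and weight 0 drops it from the schedule entirely."""
    schedule = [w for w in wans for _ in range(w.weight)]
    target = schedule[state["next"] % len(schedule)]
    state["next"] += 1
    target.assign(session_id, kbps)
    return target.name


def spillover(wans, session_id, kbps, threshold_kbps) -> str:
    """wans[0] is the primary (lowest Route Priority metric). New sessions go
    there until its load reaches the threshold; sessions beyond that go to the
    secondary, while existing sessions stay where they are."""
    primary, secondary = wans
    target = primary if primary.measured_kbps < threshold_kbps else secondary
    target.assign(session_id, kbps)
    return target.name


def run_scenario() -> dict:
    """Six 100 kbps sessions (assumed) through each algorithm, WAN1 = 1M, WAN2 = 512K."""
    sessions = [(f"s{i}", 100) for i in range(1, 7)]
    result = {}

    wans = [Wan("WAN1", 1024), Wan("WAN2", 512)]
    result["least_load_first"] = [least_load_first(wans, s, k) for s, k in sessions]

    wans = [Wan("WAN1", 1024, weight=2), Wan("WAN2", 512, weight=1)]
    state = {"next": 0}
    result["weighted_round_robin"] = [weighted_round_robin(wans, s, k, state) for s, k in sessions]

    wans = [Wan("WAN1", 1024), Wan("WAN2", 512)]
    result["spillover"] = [spillover(wans, s, k, threshold_kbps=300) for s, k in sessions]
    return result


if __name__ == "__main__":
    for algorithm, choices in run_scenario().items():
        print(f"{algorithm:22s} {' '.join(choices)}")
```

Weighted Round Robin produces the 2:1 pattern the text describes; Spillover fills WAN1 to the threshold and then sends only new sessions to WAN2; Least Load First alternates according to the measured/available ratio, so the faster WAN1 absorbs more sessions before WAN2's ratio catches up.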
This screen varies depending on what you select in the Load Balancing Algorithm field. The fields below are shared by the Least Load First, Weighted Round Robin and Spillover screens; fields that appear only for one algorithm are marked.

Operation Mode

Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN port (depending on the priorities you configure in the Route Priority fields). The ZyWALL will switch to the secondary (second highest priority) WAN port when the primary WAN port's connection fails.

Fall Back to Primary WAN When Possible: This field determines the action the ZyWALL takes after the primary WAN port fails and the ZyWALL starts using the secondary WAN port. Select this check box to have the ZyWALL change back to using the primary WAN port when the ZyWALL can connect through the primary WAN port again. Clear this check box to have the ZyWALL continue using the secondary WAN port, even after the ZyWALL can connect through the primary WAN port again. The ZyWALL continues to use the secondary WAN port until its connection fails (at which time it will change back to using the primary WAN port if its connection is up).

Active/Active Mode: Select Active/Active Mode to have the ZyWALL use both of the WAN ports at the same time and allow you to enable load balancing.

Available Outbound Bandwidth (Least Load First only): This field is applicable when you select Outbound + Inbound or Outbound Only in the Load Balancing Index(es) field. Specify the outbound (or upstream) bandwidth (in kilobits per second) for the interface.

Ratio (Weighted Round Robin only): Specify the weighted ratio for the interface. Enter 0 to set the ZyWALL not to send traffic load to the interface.

Send traffic to secondary WAN when primary WAN bandwidth exceeds (Spillover only; by default, WAN1 is the primary WAN and WAN2 is the secondary WAN): Specify the maximum allowable bandwidth on the primary WAN. Once this maximum bandwidth is reached, the ZyWALL sends the new session traffic that exceeds this limit to the secondary WAN. The ZyWALL continues to send the traffic of existing sessions to the primary WAN.

Route Priority (WAN1, WAN2, Traffic Redirect, Dial Backup): The default WAN connection is '1', as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. The ZyWALL switches from WAN port 1 to WAN port 2 if WAN port 1's connection fails and then back to WAN port 1 when WAN port 1's connection comes back up. The default priority of the routes is WAN 1, WAN 2, Traffic Redirect and then Dial Backup. You have three choices for an auxiliary connection (WAN 2, Traffic Redirect and Dial Backup) in the event that your regular WAN connection goes down. If Dial Backup is preferred to Traffic Redirect, then type '14' in the Dial Backup Priority (metric) field (and leave the Traffic Redirect Priority (metric) at the default of '15'). The Dial Backup field is available only when you enable the corresponding dial backup feature in the Dial Backup screen.

Connectivity Check

Check Period: The ZyWALL tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Ping this Address field. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of traffic.

Check Timeout: Type the number of seconds (1 to 10) for your ZyWALL to wait for a response to the ping before considering the check to have failed. This setting must be less than the Check Period. Use a higher value in this field if your network is busy or congested.

Check Fail Tolerance: Type how many WAN connection checks can fail (1-10) before the connection is considered 'down' (not connected). The ZyWALL still checks a 'down' connection to detect if it reconnects.

Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN port's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN port's default gateway IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.

Check Traffic Redirection Connectivity: Select the check box to have the ZyWALL periodically test the traffic redirect connection. Select Ping Default Gateway to have the ZyWALL ping the backup gateway's IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.

Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.

Allow between WAN and LAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. Leave it cleared unless you have a specific need: NetBIOS is a LAN-scope name and file-sharing protocol, and forwarding it to the WAN exposes that traffic to the Internet.
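The Connectivity Check and Route Priority fields above, as an added example that is not ZyXEL firmware: a Python model that applies Check Fail Tolerance to a sequence of ping results, selects the lowest-metric route that is up, honours Fall Back to Primary WAN When Possible in Active/Passive mode, and validates the metric and timing rules stated in the help text. The probe results are constructed, time advances one Check Period per step rather than by sleeping, the Traffic Redirect and Dial Backup routes are assumed always reachable, and the metrics 1, 2, 14 and 15 are assumptions in the spirit of the worked example.

```python
"""
Model of the ZyWALL WAN connectivity check and Active/Passive route fail-over
described in the table above. Added example, not ZyXEL firmware; probe results
are constructed and time is simulated one Check Period per step.
"""
from dataclasses import dataclass


@dataclass
class Route:
    name: str
    metric: int                    # 1..15, lower = preferred, must be unique
    is_wan: bool                   # WAN 1 / WAN 2, as opposed to a backup route
    check_fail_tolerance: int = 3  # consecutive failed checks before 'down'
    consecutive_failures: int = 0
    up: bool = True

    def record_probe(self, replied: bool) -> None:
        """Apply one connectivity check (ping answered within Check Timeout or not).
        The link goes 'down' only after Check Fail Tolerance consecutive failures;
        a 'down' link keeps being probed, and a single reply brings it back up."""
        if replied:
            self.consecutive_failures = 0
            self.up = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.check_fail_tolerance:
                self.up = False


def metric_problems(routes) -> list:
    """Rules from the help text that `routes` violate (empty list = OK)."""
    problems = []
    metrics = [r.metric for r in routes]
    if any(not 1 <= m <= 15 for m in metrics):
        problems.append("metric outside 1..15")
    if len(set(metrics)) != len(metrics):
        problems.append("metrics are not unique")
    wan = [r.metric for r in routes if r.is_wan]
    backup = [r.metric for r in routes if not r.is_wan]
    if wan and backup and max(wan) >= min(backup):
        problems.append("traffic redirect / dial backup must not outrank a WAN route")
    return problems


def timing_ok(check_period_s: int, check_timeout_s: int) -> bool:
    """Check Period 5..300 s, Check Timeout 1..10 s, and timeout < period."""
    return (5 <= check_period_s <= 300 and 1 <= check_timeout_s <= 10
            and check_timeout_s < check_period_s)


def select_route(routes, current, fall_back_to_primary: bool):
    """Active/Passive mode: the lowest-metric route that is up. With fall-back
    cleared, stay on the current route until it fails."""
    if current is not None and current.up and not fall_back_to_primary:
        return current
    for route in sorted(routes, key=lambda r: r.metric):
        if route.up:
            return route
    return None


def simulate(probes, fall_back_to_primary: bool, tolerance: int = 3) -> list:
    """probes: one (wan1_replied, wan2_replied) pair per Check Period.
    Returns the name of the route in use after each period."""
    wan1 = Route("WAN1", 1, True, tolerance)
    wan2 = Route("WAN2", 2, True, tolerance)
    routes = [wan1, wan2,
              Route("Traffic Redirect", 14, False, tolerance),  # assumed always reachable
              Route("Dial Backup", 15, False, tolerance)]       # assumed always reachable
    problems = metric_problems(routes)
    if problems:
        raise ValueError(problems)
    current = select_route(routes, None, fall_back_to_primary)
    history = []
    for wan1_replied, wan2_replied in probes:
        wan1.record_probe(wan1_replied)
        wan2.record_probe(wan2_replied)
        current = select_route(routes, current, fall_back_to_primary)
        history.append(current.name)
    return history


# Constructed scenario: WAN1 stops answering for four periods, then recovers.
SCENARIO = [(True, True), (False, True), (False, True), (False, True),
            (False, True), (True, True), (True, True)]

if __name__ == "__main__":
    print("fall back on :", simulate(SCENARIO, fall_back_to_primary=True))
    print("fall back off:", simulate(SCENARIO, fall_back_to_primary=False))
```

With tolerance 3 the switch to WAN2 happens only after the third missed reply, so a single lost ping does not flap the default route; with the fall-back box cleared the ZyWALL stays on WAN2 after WAN1 recovers, which is the behaviour to expect when the secondary is a metered link and you would rather be told than have traffic move back silently.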