What do P2P Applications do and How to block Peer to Peer Applications (P2P) using Symantec Endpoint Protection?
What is Peer to Peer (P2P) Application?
P2P stands for Peer to Peer networking. Just as networks can follow either a Server - Client model or a Peer to Peer model, P2P applications follow the latter. A P2P program installed on your computer joins a community of P2P application users and creates a virtual network between them. To the user it looks as if he is in a Peer to Peer network: he can share files from his local computer and download files shared by other users. It is very similar to Instant Messaging services like Yahoo, AOL or GTalk, where the person we are talking to is on a different network, but a virtual network is created so that it looks as if we are on the same network and can share files and chat. P2P applications have been very much in demand over the last couple of years. A P2P application is mainly used for sharing Music, Movies, Games and other files.
What are the disadvantages of Peer to Peer (P2P) Application?
It is estimated that for any given ISP, 60 to 80% of their traffic is consumed by P2P traffic. So if people in your office are using P2P applications, they will consume a huge amount of bandwidth with no productive use. P2P applications are very well known for distributing pirated software. Your users might be using pirated software on their computers, and Auditors will never appreciate that. Symantec Underground Economy says that "The annual global cost to businesses of software piracy in one 2007 study puts the cost at nearly $40 billion"
You can never trust the file you are downloading from a remote user in a P2P environment. 90% of the files contain malware. Thus if your users are using P2P applications, Virus Outbreaks in your network are very likely, and very frequent. In 2008, 10% of malware was propagated via P2P applications. Even the infamous W32.Downadup propagated and updated itself via P2P applications.
P2P is a very well-known mechanism for distributing Bots, Spyware, Adware, Trojans, Rootkits, Worms and other types of malware.
Since it is very easy to change the port for these P2P applications, it is very difficult to block this traffic by port. It is strongly advised not to allow P2P applications in your network. Enterprises should take measures to prevent P2P clients from being installed on any computers on the network. End users who download files from P2P networks should scan all such files with a regularly updated antivirus product.
How to block Peer to Peer Applications (P2P) using Symantec Endpoint Protection?
There are 3 ways of blocking Peer to Peer Applications on your network using Symantec Endpoint Protection.
1. Blocking Peer to Peer Applications using Intrusion Prevention System
Open Symantec Endpoint Protection Manager
Click on Policies -> Intrusion Prevention -> Edit Intrusion Prevention Policies. Go to Exceptions -> Click on Add.
Then under Show Category scroll it down and Select Peer to Peer.
On the bottom right hand side of the policy click on Select all -> click next
Log - Log the Traffic
Click OK then Click OK on the policy and assign it to all the client groups.
Then Select All ->Click Next
Click Ok then OK on the Policy and then assign it to all the groups.
2. Blocking Peer to Peer Applications using Application Control of Application and Device Control
Since these Peer to Peer (P2P) applications are software installed on your computer, you can block the processes used for running them. Because they are complete software packages, the application will not work if the user tries to rename the main process. So you can block these processes using Application Control.
For more help you can refer to this document: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616264848
3. Blocking Peer to Peer Traffic using Symantec Endpoint Protection Firewall.
You can block P2P traffic using the Symantec Endpoint Firewall. In this case, even if the user has any P2P applications installed, those applications won't be allowed to connect to the internet. It is very difficult to track the port number for an application, as it can easily be changed by the user, so block the Inbound/Outbound traffic from the P2P processes instead.
In the Symantec Endpoint Protection Manager go to Policies -> Firewall -> Edit Firewall Policy -> Rules -> Add Rule -> Click Next
In the Rule type select Application and click next
Select Define an Application and Click Next
In the File Name type the name of the process and click Next
Click Add More and add the name of other P2P application processes.
Rename the rule to something like "Blocking P2P" so that you can identify it.
Under Action change Allow to Block.
Under Logging Change it to "Write to Traffic Log".
Note: Most P2P applications use Torrent files to download files from other P2P applications, so when creating a Firewall rule or Application Control rule, make sure to block *.torrent files.
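Why the firewall rule above matches on the application rather than on a port, shown as an added example (not from the original article and not Symantec code). The process names, port number and connection records are constructed placeholders, and the records are not the Symantec Endpoint Protection log format.

```python
import fnmatch
import ntpath

# Hypothetical blocklist values, constructed for this illustration only.
BLOCKED_PROCESSES = {"p2pclient.exe", "sharetool.exe"}
BLOCKED_FILE_PATTERNS = ["*.torrent"]
BLOCKED_PORTS = {6881}  # sample "known P2P port" a port-based rule would list

def process_name(path):
    """Lower-cased executable name taken from a Windows path."""
    return ntpath.basename(path).lower()

def port_rule(conn):
    """Port-based rule: blocks only when a listed port is in use."""
    ports = {conn["local_port"], conn["remote_port"]}
    return "block" if ports & BLOCKED_PORTS else "allow"

def application_rule(conn):
    """Application-based rule: blocks by process name, whatever the port."""
    blocked = process_name(conn["process"]) in BLOCKED_PROCESSES
    return "block" if blocked else "allow"

def file_rule(filename):
    """File rule: blocks names matching *.torrent, case-insensitively."""
    name = ntpath.basename(filename).lower()
    hit = any(fnmatch.fnmatchcase(name, p) for p in BLOCKED_FILE_PATTERNS)
    return "block" if hit else "allow"

# Constructed connection records.
CONNECTIONS = [
    {"process": r"C:\Program Files\P2PClient\p2pclient.exe",
     "local_port": 6881, "remote_port": 6881},
    # Same client after the user changed its listening port.
    {"process": r"C:\Users\alice\AppData\Roaming\P2PClient\P2PClient.EXE",
     "local_port": 51413, "remote_port": 40122},
    {"process": r"C:\Program Files\Browser\browser.exe",
     "local_port": 49822, "remote_port": 443},
]

def compare(conns):
    """Return (process name, port-rule verdict, application-rule verdict)."""
    return [(process_name(c["process"]), port_rule(c), application_rule(c))
            for c in conns]

if __name__ == "__main__":
    for row in compare(CONNECTIONS):
        print(row)
    print(file_rule(r"C:\Users\alice\Downloads\Album.TORRENT"))
```

The second record is the case the article describes: once the port is changed, the port rule allows the traffic while the application rule still blocks it.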
List of Known Peer to Peer Applications and its main Process
I have attached the Firewall and Application & Device Control policy to block P2P Applications.