It's also difficult to log P2P activity at the firewall level, since connecting ports frequently change and can't be easily identified. Without distinct ports to block or log, P2P traffic can slip through a firewall undetected.
Despite that, P2P doesn't move totally in the dark, and depending on the application, it leaves some footprints that can be tracked by commercially available tools.
One tool is ProxySG from Blue Coat Systems, a leader in enterprise Web content filtering and blocking tools. Instead of blocking ever-changing ports and IP addresses, ProxySG looks for the type of malformed HTTP packets used for communicating to P2P networks. It also checks the headers of outbound packets for known P2P agents like KaZaa. ProxySG can also be used to log allowed agents on the network, so that inappropriate agents, such as P2P, can be logged and tracked.
Another product is Real-Time (RT) Guardian from FaceTime Communications. RT Guardian uses FaceTime's IMAuditor technology and sits in the DMZ to monitor P2P and IM traffic. Since P2P software is often bundled with spyware, FaceTime uses malware-screening technology to dig up P2P instances by detecting spyware that is commonly known to piggyback along with it.
Proventia, a product from IBM Internet Security Systems, logs and blocks P2P by building a profile of common ports used by file-sharing software such as KaZaa and Gnutella.
Despite being difficult to track because of its dynamic and decentralized nature, P2P usage can be logged with commercially available tools through detection of unique HTTP packets, headers and other P2P traffic quirks.
For more information:
This was first published in June 2007