Is there any way to configure a time-based (schedule) policy to block P2P traffic?
I realize that the usefulness of such a feature would be extremely limited (why would someone only want protection some of the time???), but I would just like to see if anyone has any alternative ways of achieving the same end result.
The background is that a customer already has a Firewall which cannot effectively block P2P and is already considering a McAfee NSP solution as an IPS, which I believe happens to be very good at detecting applications that fall back on port 80. So achieving the above on the NSP would save the customer from having to deploy a 3rd box.
I think that up to 5.1, time-based policy is not supported on the NSP solution (I did not try 6.0 yet). Besides this point, pay special attention when you consider blocking P2P applications with the NSP. You can DETECT most P2P applications with NSP, but you can face some problems blocking them, especially if they are in "obfuscated mode".
Yes ahamidi, "obfuscated mode" is an encrypted mode. Here I attached a screen capture of the Edonkey client config, and you can see how to set this feature (marked in red).
When you enable the obfuscated mode and try to connect to the Edonkey server, you will see in the Real Time Analyzer that the connection was blocked, if you configured the related attack to block. The Edonkey client will connect to the server anyway and NSP won't block the connection. If you disable the obfuscated mode in your Edonkey client, then NSP will successfully block the connection.
I hope this helps you.
Ah I see. Thank you again for the information.
I'm guessing there must be a way to block even that traffic, perhaps using a custom signature?
Either way, I appreciate the help.
Unfortunately there is no way to do this. This actually is an interesting suggestion, and I will submit it as an FMR. I can see an argument where you may want to implement certain signatures for parts of the day. I don't know if this would get a lot of use in the field, but ya never know. Regarding custom signatures/UDS, using a time window is still not possible. Thanks for the suggestion though.