Juniper NetScreen ADSL Router

Posted on 2009-04-27
Medium Priority
Last Modified: 2012-08-13
How to block downloading torrent files on a Netscreen NS5GT ADSL Router+firewall.

Most of my clients are downloading torrent files on my network. Is there any way to block them by file extension?
Question by:samithsukumar
LVL 18

Expert Comment

by:Sanga Collins
ID: 24241691
You cannot block files by extension using a NetScreen firewall. If you want to do that you need a third-party application like SurfControl or Websense.

The proper way to do this with a firewall is to block the ports that BitTorrent uses. I believe it is ports 6881 to 6999 TCP.

Expert Comment

ID: 24243080
Enable logging on the policy that is allowing these torrent downloads and then view the log to see the ports being used. Then add a policy before the other policy that denies the traffic.

Your best bet (and most secure) would be to go about this from the other direction: instead of allowing everything and blocking a few ports, you should block everything and only permit the required outbound ports (80, 443, etc).
LVL 18

Expert Comment

by:Sanga Collins
ID: 24243137
I agree with sfrancy. Most network engineers block all traffic and only allow specific ports required for daily operations. I don't allow any incoming traffic and only allow port 80 outgoing. I don't want employees doing anything that doesn't relate to their jobs.


Author Comment

ID: 24243846
As I am not good in Juniper, can you please explain to me through steps how to block the torrent ports?
LVL 18

Accepted Solution

Sanga Collins earned 1000 total points
ID: 24244141
If you log into the web interface of your Juniper device, go to the policy section and you will see all the rules that govern what traffic is allowed through the firewall. A good practice is to set up a global rule such as the following:

source:any, destination:any, service:any DENY, Logging (enabled)

This will allow you to block all traffic that passes through the device. The next step is to set up your 'allow rules'. First decide what traffic you would like to allow to the outside world. For the sake of the example let's choose SMTP for email, HTTP for web and DNS for DNS. Set up the following rules (please note these can be combined into one rule, but for the sake of clarity I'll make them three separate rules):

source:trust, destination:untrust, service HTTP, PERMIT, Logging (enabled)
source:trust, destination:untrust, service SMTP, PERMIT, Logging (enabled)
source:trust, destination:untrust, service DNS, PERMIT, Logging (enabled)

The Juniper now allows people to surf the web, get DNS information and check their email via SMTP. If you use POP3 for email just add another rule allowing POP3 traffic from trust to untrust. It does not allow any traffic initiated from the outside world, and does not allow any traffic initiated from your network that is not one of the three defined in the rules above.

If you could, log into the Juniper via telnet and type 'get policy', then post the results of that command so we can see what you are working with.
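The first-match ordering behind the accepted answer, as an added illustration that is not part of the original thread: a small Python model of ScreenOS-style policy evaluation run over a reduced form of the asker's current listing and over the proposed permit-then-deny layout. The service-to-port table and the rule IDs in PROPOSED are constructed for the example, not taken from the device.

```python
from dataclasses import dataclass

# Service name -> (protocol, low port, high port). Constructed for this example;
# ScreenOS predefined services are not reproduced, only the ones the thread names.
SERVICES = {
    "HTTP": ("tcp", 80, 80), "SMTP": ("tcp", 25, 25), "DNS": ("udp", 53, 53),
    "HTTPS": ("tcp", 443, 443), "ANY": ("any", 0, 65535),
}

@dataclass(frozen=True)
class Rule:
    id: int
    src_zone: str      # "Trust", "Untrust" or "Any"
    dst_zone: str
    service: str       # key of SERVICES
    action: str        # "Permit" or "Deny"
    log: bool = False

def _service_ok(service, proto, port):
    sproto, lo, hi = SERVICES[service]
    return sproto in ("any", proto) and lo <= port <= hi

def evaluate(rules, src_zone, dst_zone, proto, port):
    """First matching rule wins, top to bottom; no match is an implicit deny (id None)."""
    for r in rules:
        if (r.src_zone in ("Any", src_zone) and r.dst_zone in ("Any", dst_zone)
                and _service_ok(r.service, proto, port)):
            return r.action, r.id
    return "Deny", None

# Reduced form of the asker's 'get policy' listing: rule 9 permits ANY Trust->Untrust
# and rule 10 permits ANY Untrust->Trust, so a torrent client on 6881 is never stopped.
CURRENT = [
    Rule(11, "Trust", "Untrust", "HTTPS", "Permit"),
    Rule(10, "Untrust", "Trust", "ANY", "Permit"),
    Rule(9, "Trust", "Untrust", "ANY", "Permit"),
]

# The accepted answer's layout: explicit, logged permits first, logged deny-all last.
PROPOSED = [
    Rule(1, "Trust", "Untrust", "HTTP", "Permit", log=True),
    Rule(2, "Trust", "Untrust", "SMTP", "Permit", log=True),
    Rule(3, "Trust", "Untrust", "DNS", "Permit", log=True),
    Rule(0, "Any", "Any", "ANY", "Deny", log=True),
]
# Order matters: the same rules with the deny-all on top block everything,
# which is why the thread says to add permits above the deny.
DENY_FIRST = list(reversed(PROPOSED))

TORRENT = ("Trust", "Untrust", "tcp", 6881)   # start of the BitTorrent range named above
```

Because the deny-all is logged, the policy log on the device is where a practitioner would confirm which flows (and which rule IDs) are actually being hit after the change.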

Author Comment

ID: 24248743
I am pasting the policy as below:

 ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
    11 Trust    Untrust  Any          Email Excha~ HTTPS                Permit enabled -----X
    10 Untrust  Trust ANY                  Permit enabled -----X
     9 Trust    Untrust ANY                  Permit enabled ---X-X
     3 Trust    Untrust ANY                  Permit enabled ---X-X
     6 Trust    Untrust  Any          Any          AOL                  Deny   enabled ---X-X
     7 Trust    Untrust  Any          Blocked_Sit~ ANY                  Deny   enabled ---X-X
     5 Trust    Untrust  Any          Allowed_Sit~ ANY                  Permit enabled ---X-X
     2 Trust    Untrust  Internet_Co~ Any          ANY                  Permit enabled ---X-X
     4 Untrust  Trust ANY                  Permit enabled ---X-X
     8 Untrust  Trust    Dial-Up VPN ANY                  Tunnel disabl~ -----X

Expert Comment

ID: 24325601
I agree with sangamc's and sfrancy's comments for the most part. However, you are still allowing HTTP, and there are a lot of things that can go on through port 80. If your users are sharp they will find a way to download those files through HTTP, and those methods do exist. They could even download through Usenet using their email application.
In a previous question that I answered for you about blocking games I mentioned OpenDNS. This would allow you to block many types of unwanted internet traffic, including access to sites known for torrents, and it is free. Many businesses are now using it because it gives them better control over their network. Their website gives you all the info you need to get it set up on your router.
I think this would be a good additional layer on top of the solutions mentioned.
