From: Nick Holland [mailto:[EMAIL PROTECTED]]
> Theoretically, this is a weak solution.  However, PRACTICALLY speaking,
> it's simple and very effective.  Other than blocked services opening up
> alternative entry points, I've not actually seen anyone bypass this
> system in real life (for example, AOL offered a web-based IM
> alternative that required an additional block).  It isn't a secure
> solution, but it seems mighty effective.

Simply for the sake of pointing it out, there is also the IDS method. This
comes with the same disclaimer of it being an imperfect solution (false
positives being one possible downfall), but carries the advantage that you
don't need to focus on IP addresses or ports, which can change; you focus on
the protocol itself. While we haven't had great results with tracking P2P
use with stock Snort signatures, we've found the Bleeding Snort collection
to have a lot of capabilities for detecting P2P and spyware traffic.
Throw this inline with the snort-to-pf utilities that were discussed
recently in the archives and it makes a respectable way of blocking traffic.
We haven't found the false positive level of this to be overly prohibitive
either, actually.

DS
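As an added illustration of the snort-to-pf idea described above (this is example code written for this page, not code from the thread, from Snort, from Bleeding Snort or from any of the snort-to-pf tools it mentions), the following reads Snort "fast" format alerts, keeps only alerts whose source is an internal host, and emits `pfctl` table additions. To blunt the false-positive problem the post mentions, a host is only blocked after it has tripped at least two distinct P2P signatures, and servers you expect to look odd can be whitelisted. The alert lines, the local signature ids 1000001/1000002, the internal prefix 10.0.0.0/24 and the pf table name `p2p_block` are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# One Snort "fast" alert line has this shape (whitespace after the timestamp varies):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: n] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed alerts (local rule sids, not real Bleeding Snort signatures): 10.0.0.5
# trips two different P2P rules, 10.0.0.9 trips one, and the file server 10.0.0.2
# trips one as well. Ports deliberately vary, since the detection is content-based.
SAMPLE_ALERTS = """\
12/29-14:03:11.123456  [**] [1:1000001:1] LOCAL P2P BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.7:6881
12/29-14:03:12.000001  [**] [1:1000002:1] LOCAL P2P BitTorrent tracker announce [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51240 -> 203.0.113.9:80
12/29-14:05:40.000002  [**] [1:1000001:1] LOCAL P2P BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.9:40001 -> 198.51.100.4:443
12/29-14:06:01.000003  [**] [1:1000001:1] LOCAL P2P BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.2:33000 -> 198.51.100.8:6881
"""


def parse_fast_alert(line):
    """Return the named fields of one fast-format alert, or None if it does not parse."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None


def block_candidates(alert_text, internal_net, whitelist=(), min_distinct_sids=2):
    """Internal source hosts that triggered at least min_distinct_sids different
    signatures and are not whitelisted, sorted for stable output."""
    net = ipaddress.ip_network(internal_net)
    exempt = {ipaddress.ip_address(h) for h in whitelist}
    hits = defaultdict(set)
    for line in alert_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        src = ipaddress.ip_address(alert["src"])
        if src in net and src not in exempt:
            hits[str(src)].add(alert["sid"])
    return sorted(h for h, sids in hits.items() if len(sids) >= min_distinct_sids)


def pfctl_commands(hosts, table="p2p_block"):
    """Commands to add hosts to a pf table; pf.conf must declare
    'table <p2p_block> persist' and use it in a 'block quick from <p2p_block>' rule."""
    return [f"pfctl -t {table} -T add {h}" for h in hosts]
```

Run against the sample, `block_candidates(SAMPLE_ALERTS, "10.0.0.0/24", whitelist=["10.0.0.2"])` yields only `10.0.0.5`; lowering `min_distinct_sids` to 1 also catches `10.0.0.9`, which is the trade-off between coverage and false positives the post describes.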
