Manage Learn to apply best practices and optimize your operations.

Step 3: Application-level filters

A better alternative to using a basic firewall is to use a firewall that contains application-level filters. Most modern firewalls include packet filters that can tell what type of traffic is flowing across a port. For example, such a firewall would be able to identify SMTP traffic, even if it were flowing across Port 80, which is normally used for HTTP traffic. Because such firewalls are able to identify actual packet types based on their header (not just on their port number), it is possible to block some peer-to-peer applications just by filtering out certain protocols.

Packet filtering by itself is not enough though. If you are serious about blocking peer-to-peer-related network traffic, you need a firewall that does application filtering. Application filtering is kind of like an extension to stateful packet inspection. Stateful packet inspection can determine what type of protocol is being sent over each port, but application-level filters look at what a protocol is being used for. For example, an application-level filter might be able to tell the difference between HTTP traffic used to access a Web page and HTTP traffic used for file sharing, whereas a firewall that is only performing packet filtering would treat all HTTP traffic the same.

If you are thinking of buying a firewall that does application filtering, then be sure to look for one that is specifically designed to block peer-to-peer applications. The firewall manufacturer should also offer periodic updates that allow the firewall to block new file-sharing applications and new versions of existing peer-to-peer applications.

Blocking peer-to-peer applications

 Home: Introduction
 Step 1: Blocking peer-to-peer applications
 Step 2: Firewalls
 Step 3: Application-level filters
 Step 4: Software restriction with Group Policy

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at
Copyright 2005 TechTarget

Dig Deeper on Network intrusion detection and prevention and malware removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.