Cisco Firepower FTD BitTorrent problem
Are torrents bad? Wow, yes! One of the first few rules in the ACP I create for all my customers has to do with torrents. Torrents are a horrible thing on any network, even if only one host is running them!
I’ve been telling my clients and students for a long time about BitTorrent issues with Cisco Firepower/FTD. Cisco finally admits that they can’t read the BitTorrent handshake correctly with the File policy. In this very short blog, I’ll show you the best workarounds for this.
You can use a block rule for the peer-to-peer categories in your ACP, which works well for all types of torrents, and the Torrent category in your File Policy. However, the File policy is hit and miss (more miss) on torrent streams because of the handshake issue, which is why I use the peer-to-peer Application or URL categories as well as the File policy:
Here is the File Policy torrent rule I use at ALL my clients:
Here are the first two lines of almost ALL the ACPs I configure:
You can use either the Application or the URL in the rule, but don’t use both.
- You need to have a clear security policy that forbids torrents of any type!
…and here is an announcement (finally) from Cisco on this:
Cisco Firepower System Software BitTorrent File Policy Bypass Vulnerability
Advisory ID: cisco-sa-20180207-fss
First Published: 2018 February 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCve26946
A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass file policies that are configured to block files transmitted to an affected device via the BitTorrent protocol. The vulnerability exists because the affected software does not detect BitTorrent handshake messages correctly. An attacker could exploit this vulnerability by sending a crafted BitTorrent connection request to an affected device. A successful exploit could allow the attacker to bypass file policies that are configured to block files transmitted to the affected device via the BitTorrent protocol. There are no workarounds that address this vulnerability.
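The handshake the advisory talks about has a fixed layout (BEP 3: length byte, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id). The parser below is an added example, not code from this post or from Cisco; it shows what a detector has to match on the first client bytes of a flow, and why a payload-level check is brittle: anything that deviates from the layout simply is not recognised, which is exactly why the ACP application/URL category rules above are the primary control and the File policy is only a backstop. The flow identifiers and payloads are constructed sample data.

```python
import struct

# BitTorrent peer-wire handshake layout (BEP 3):
#   1 byte   pstrlen   (always 19)
#   19 bytes pstr      ("BitTorrent protocol")
#   8 bytes  reserved  (extension flag bits)
#   20 bytes info_hash
#   20 bytes peer_id
HANDSHAKE_LEN = 68
PSTR = b"BitTorrent protocol"


def parse_bt_handshake(payload: bytes):
    """Return the handshake fields if payload starts with a well-formed
    BitTorrent handshake, otherwise None (strict: no tolerance for variants)."""
    if len(payload) < HANDSHAKE_LEN:
        return None
    pstrlen = payload[0]
    if pstrlen != len(PSTR) or payload[1:1 + pstrlen] != PSTR:
        return None
    reserved, info_hash, peer_id = struct.unpack(
        ">8s20s20s", payload[1 + pstrlen:HANDSHAKE_LEN])
    return {"reserved": reserved.hex(), "info_hash": info_hash.hex(), "peer_id": peer_id}


def flows_with_bittorrent(flows):
    """Given {flow_id: first client payload}, return the flow ids whose first
    bytes carry a BitTorrent handshake (sorted for stable output)."""
    return sorted(f for f, p in flows.items() if parse_bt_handshake(p) is not None)


# Constructed sample payloads (not real captures); the peer_id prefix mimics
# the common "-XXnnnn-" client convention and the info_hash is a dummy value.
SAMPLE_FLOWS = {
    "10.0.0.5:51413->203.0.113.9:6881":
        bytes([19]) + PSTR + bytes(8) + bytes.fromhex("aa" * 20) + b"-TR2940-" + b"x" * 12,
    # A TLS ClientHello prefix: first byte 0x16, so it is rejected immediately.
    "10.0.0.6:44321->198.51.100.2:443":
        b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(57),
    # Same length as a real handshake but the protocol string is off by one
    # byte, so the strict parser does not flag it.
    "10.0.0.7:50000->203.0.113.9:6881":
        b"\x13BitTorrent protoco" + bytes(49),
}

if __name__ == "__main__":
    for flow in flows_with_bittorrent(SAMPLE_FLOWS):
        print("BitTorrent handshake seen on", flow, parse_bt_handshake(SAMPLE_FLOWS[flow]))
```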