<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <META content="MSHTML 6.00.2900.3059" name=GENERATOR></HEAD> <BODY> <DIV>Is this causing bandwidth problems for your network?</DIV> <DIV> </DIV> <DIV> <HR> </DIV> <DIV>Steven Santos Director, Simply Circus, Inc. Email: Steven@SimplyCircus.com Mail: 14 Pierrepont Road Newton, MA 02462 Phone: 617-527-0667 Web: <A href="http://www.simplycircus.com/">www.SimplyCircus.com</A> </DIV> <DIV> </DIV> <BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid"> <DIV class=OutlookMessageHeader dir=ltr align=left>-----Original Message----- From: k12osn-bounces@redhat.com [mailto:k12osn-bounces@redhat.com]On Behalf Of Mel Wade Sent: Friday, April 20, 2007 7:33 PM To: Support list for open source software in schools. Subject: Re: [K12OSN] OT: Stopping P2P sharing </DIV>We have movies, music, etc being shared across the network. I found this product but it starts at about $22k with discount and runs up to about $100k for our application. <A href="http://tinyurl.com/2cqt6y">http://tinyurl.com/2cqt6y </A> Great product but too much money. I wish there was an open source solution for NAC. <DIV>On 4/20/07, Steven Santos <<A href="mailto:steven@simplycircus.com"> steven@simplycircus.com</A>> wrote: <BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">I have read a lot of what I would call heavy handed technical aproaches to this. What I still don't understand is exactly what kind of file sharing you are trying to prevent, and why. _____ Steven Santos Director, Simply Circus, Inc. Email: <A href="mailto:Steven@SimplyCircus.com">Steven@SimplyCircus.com</A> Mail: 14 Pierrepont Road Newton, MA 02462 Phone: 617-527-0667 Web: <A href="http://www.SimplyCircus.com">www.SimplyCircus.com</A> <<A href="http://www.SimplyCircus.com">http://www.SimplyCircus.com</A>> > -----Original Message----- > From: <A href="mailto:k12osn-bounces@redhat.com">k12osn-bounces@redhat.com</A> [mailto:<A href="mailto:k12osn-bounces@redhat.com">k12osn-bounces@redhat.com</A>]On > Behalf Of John Lucas > Sent: Friday, April 20, 2007 6:12 PM > To: <A href="mailto:k12osn@redhat.com">k12osn@redhat.com</A> > Subject: Re: [K12OSN] OT: Stopping P2P sharing > > > On Friday 20 April 2007 10:02, Mel Wade wrote: > > This is what I was thinking. I can effectively block P2P from > the outside > > by blocking ports. The real problem is getting a handle on the large > > amount of file sharing going on within the network. I would > really like to > > have something that would require monitoring software be in > place in order > > to have access to the network. I'm guessing this would have to > integrate > > into the switches themselves. > > > > There are several technical approaches that come to mind, but > they may create > more problems than the solve. In order for your users to exchange content > then they need to be allowed on the net, so you need to either > prevent them > from connecting altogether, or you need to be able to allow > access only to > authenticated users access and be able to monitor them. > > The first case can be accomplished by "locking down" each switch > port by MAC > address (for school computers) and disabling open ports (to > prevent student > computers from being able to connect). This will reduce the > usability of the > net (student computers can't use the net) and adds to the operational > difficulty of moves adds and changes. It also assumes that your > switches are > "managed" instead of "dumb". > > The second case assumes that you have an affective acceptable use > policy that > that clearly identifies what may and may not take place on the > network and > enforcing any violation. Many managed switches can be set up to > require IEEE > 802.1X authentication against a RADIUS server and can perform > accounting so > you know what user is using which port at what times. Many switches also > allow any port to be mirrored to a "monitor port" to which you > can attach a > protocol analyzer (allowing you to spot the "illegal" traffic). > This requires > active monitoring and enforcment and may not be a good use of > your time. If > you invested in expensive Layer 3 switches, it might be possible > to prevent > inter-subnet P2P traffic (in a manner similar to that suggested for the > perimeter firwall above), but you would still be faced with intra-segment > sharing. > > Wifi can be implemented using the same IEEE 802.1X authentication and > accounting as managed switches. > > Once the perimeter is controlled (at the firewall) the other > measures provide > diminishing returns due to the personnel time required for monitoring and > enforcement. I can't emphasize enough the vital importance of a clear and > enforcable Acceptable Use Policy, without that being understood by all > parties, you won't be able to enforce anything. Not all solutions are > technical. > > I don't think there is a "silver bullet" to techincally solve > this problem. If > ever there is, I predict it will be expensive. > > > Mel > > > > On 4/20/07, EJBoshinski <<A href="mailto:mistrz.linux@yahoo.com">mistrz.linux@yahoo.com</A>> wrote: > > > Depending on the physical topology of your network, without a complete > > > network admission compliance policy it may be nearly impossible to > > > implement. Firewalls typically sit at the network edge and do not > > > mediate internal traffic, thus anything on your local subnet will pass > > > unabated unless a firewall is placed at each congregation point (ie - > > > read switch - however even this is incomlete as any traffic > internal to > > > the switch will not encounter the firewall). The only > complete solution > > > is to have NAC in place that stipulates rulesets that must be > met before > > > access is granted to the network. This is where you can enforce your > > > network policies. If you don't meet our standards, you don't > get on.... > > > I did some work on this about a year ago with a MAJOR network gear > > > manufacturer's first step into this market - suffice it to > say that the > > > solution at that time was incomplete and convoluted. However in the > > > interim I believe that the technology has improved sufficiently to be > > > able to achieve your desired results. The major hurdle is to get the > > > 'powers that be' to buy into the project and the underlying > policies of > > > network access control.... > > > > > > HTH, > > > > > > -ejb > > > > > > ----- Original Message ---- > > > From: Mel Wade < <A href="mailto:mel@melwade.com">mel@melwade.com</A>> > > > To: Support list for open source software in schools. > <<A href="mailto:k12osn@redhat.com">k12osn@redhat.com</A>> > > > Sent: Friday, April 20, 2007 7:55:47 AM > > > Subject: [K12OSN] OT: Stopping P2P sharing > > > > > > We are looking for a solution to stop file sharing on student owned > > > computers on our network. Anyone have a solution? > > > > > > -- > > > Mel Wade > > > "The real problem is not whether machines think but whether > men do." - BF > > > Skinner > > > <A href="http://www.melwade.com">http://www.melwade.com</A> _______________________________________________ > > > K12OSN mailing list > > > <A href="mailto:K12OSN@redhat.com">K12OSN@redhat.com</A> > > > <A href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn</A> > > > For more info see <<A href="http://www.k12os.org">http://www.k12os.org</A>> > > > > > > > > > ------------------------------ > > > Ahhh...imagining that irresistible "new car" smell? > > > Check out new cars at Yahoo! > > > > Autos.<<A href="http://us.rd.yahoo.com/evt=48245/*http://autos.yahoo.com/new_cars">http://us.rd.yahoo.com/evt=48245/*http://autos.yahoo.com/new_cars</A>. > > > >html;_ylc=X3oDMTE1YW1jcXJ2BF9TAzk3MTA3MDc2BHNlYwNtYWlsdGFncwRzbGs > DbmV3LWNh > > >cnM-> > > > > > > _______________________________________________ > > > K12OSN mailing list > > > <A href="mailto:K12OSN@redhat.com">K12OSN@redhat.com </A> > > > <A href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn</A> > > > For more info see <<A href="http://www.k12os.org">http://www.k12os.org </A>> > > -- > "History doesn't repeat itself; at best it rhymes." > - Mark Twain > > | John Lucas <A href="mailto:MrJohnLucas@gmail.com"> MrJohnLucas@gmail.com</A> > | > | St. Thomas, VI 00802 <A href="http://mrjohnlucas.googlepages.com/">http://mrjohnlucas.googlepages.com/</A> | | 18.3�N, 65�W AST (UTC-4) | _______________________________________________ K12OSN mailing list <A href="mailto:K12OSN@redhat.com">K12OSN@redhat.com</A> <A href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn </A> For more info see <<A href="http://www.k12os.org">http://www.k12os.org</A>> _______________________________________________ K12OSN mailing list <A href="mailto:K12OSN@redhat.com">K12OSN@redhat.com </A> <A href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn</A> For more info see <<A href="http://www.k12os.org">http://www.k12os.org</A>> </BLOCKQUOTE></DIV> -- Mel Wade "The real problem is not whether machines think but whether men do." - BF Skinner <A href="http://www.melwade.com">http://www.melwade.com</A> </BLOCKQUOTE></BODY></HTML>