<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3059" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=391003523-20042007><FONT face="Courier New">Is this causing
bandwidth problems for your network?</FONT></SPAN></DIV>
<DIV> </DIV><FONT size=2><FONT face="Courier New">
<DIV>
<HR>
</DIV>
<DIV>Steven Santos<BR>Director, Simply Circus, Inc.<BR>Email:
Steven@SimplyCircus.com<BR> Mail: 14 Pierrepont
Road<BR> Newton, MA 02462<BR>Phone:
617-527-0667<BR> Web: <A
href="http://www.simplycircus.com/">www.SimplyCircus.com</A> </DIV>
<DIV></FONT> </FONT></DIV>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> k12osn-bounces@redhat.com
[mailto:k12osn-bounces@redhat.com]<B>On Behalf Of </B>Mel Wade<BR><B>Sent:</B>
Friday, April 20, 2007 7:33 PM<BR><B>To:</B> Support list for open source
software in schools.<BR><B>Subject:</B> Re: [K12OSN] OT: Stopping P2P
sharing<BR><BR></FONT></DIV>We have movies, music, etc being shared across the
network.<BR><BR>I found this product but it starts at about $22k with discount
and runs up to about $100k for our application.<BR><B><A
href="http://tinyurl.com/2cqt6y">http://tinyurl.com/2cqt6y
</A><BR><BR></B>Great product but too much money. I wish there was an
open source solution for NAC.<BR><BR>
<DIV><SPAN class=gmail_quote>On 4/20/07, <B class=gmail_sendername>Steven
Santos</B> <<A href="mailto:steven@simplycircus.com">
steven@simplycircus.com</A>> wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">I
have read a lot of what I would call heavy handed technical approaches to
this. What I still don't understand is exactly what kind of file
sharing you are trying to prevent, and why.
<BR><BR><BR><BR> _____<BR><BR>Steven Santos<BR>Director, Simply
Circus, Inc.<BR>Email: <A
href="mailto:Steven@SimplyCircus.com">Steven@SimplyCircus.com</A><BR>Mail:
14 Pierrepont Road<BR> Newton, MA
02462<BR>Phone: 617-527-0667 <BR> Web: <A
href="http://www.SimplyCircus.com">www.SimplyCircus.com</A> <<A
href="http://www.SimplyCircus.com">http://www.SimplyCircus.com</A>><BR><BR><BR><BR>>
-----Original Message-----<BR>> From: <A
href="mailto:k12osn-bounces@redhat.com">k12osn-bounces@redhat.com</A>
[mailto:<A
href="mailto:k12osn-bounces@redhat.com">k12osn-bounces@redhat.com</A>]On<BR>>
Behalf Of John Lucas<BR>> Sent: Friday, April 20, 2007 6:12 PM<BR>>
To: <A href="mailto:k12osn@redhat.com">k12osn@redhat.com</A><BR>>
Subject: Re: [K12OSN] OT: Stopping P2P sharing<BR>><BR>><BR>> On
Friday 20 April 2007 10:02, Mel Wade wrote:<BR>> > This is what I was
thinking. I can effectively block P2P from <BR>> the
outside<BR>> > by blocking ports. The real problem is
getting a handle on the large<BR>> > amount of file sharing going on
within the network. I would<BR>> really like to<BR>> >
have something that would require monitoring software be in <BR>> place
in order<BR>> > to have access to the network. I'm guessing
this would have to<BR>> integrate<BR>> > into the switches
themselves.<BR>> ><BR>><BR>> There are several technical
approaches that come to mind, but <BR>> they may create<BR>> more
problems than they solve. In order for your users to exchange content<BR>>
then they need to be allowed on the net, so you need to either<BR>>
prevent them<BR>> from connecting altogether, or you need to be able to
allow <BR>> access only to<BR>> authenticated users access and be able
to monitor them.<BR>><BR>> The first case can be accomplished by
"locking down" each switch<BR>> port by MAC<BR>> address (for school
computers) and disabling open ports (to <BR>> prevent student<BR>>
computers from being able to connect). This will reduce the<BR>>
usability of the<BR>> net (student computers can't use the net) and adds
to the operational<BR>> difficulty of moves adds and changes. It also
assumes that your <BR>> switches are<BR>> "managed" instead of
"dumb".<BR>><BR>> The second case assumes that you have an effective
acceptable use<BR>> policy<BR>> that clearly identifies what may
and may not take place on the <BR>> network and<BR>> enforcing any
violation. Many managed switches can be set up to<BR>> require
IEEE<BR>> 802.1X authentication against a RADIUS server and can
perform<BR>> accounting so<BR>> you know what user is using which port
at what times. Many switches also <BR>> allow any port to be mirrored to
a "monitor port" to which you<BR>> can attach a<BR>> protocol analyzer
(allowing you to spot the "illegal" traffic).<BR>> This requires<BR>>
active monitoring and enforcement and may not be a good use of <BR>> your
time. If<BR>> you invested in expensive Layer 3 switches, it might be
possible<BR>> to prevent<BR>> inter-subnet P2P traffic (in a manner
similar to that suggested for the<BR>> perimeter firewall above), but you
would still be faced with intra-segment <BR>> sharing.<BR>><BR>>
Wifi can be implemented using the same IEEE 802.1X authentication
and<BR>> accounting as managed switches.<BR>><BR>> Once the
perimeter is controlled (at the firewall) the other<BR>> measures
provide<BR>> diminishing returns due to the personnel time required for
monitoring and<BR>> enforcement. I can't emphasize enough the vital
importance of a clear and<BR>> enforcable Acceptable Use Policy, without
that being understood by all <BR>> parties, you won't be able to enforce
anything. Not all solutions are<BR>> technical.<BR>><BR>> I don't
think there is a "silver bullet" to technically solve<BR>> this problem.
If<BR>> ever there is, I predict it will be expensive.<BR>><BR>>
> Mel<BR>> ><BR>> > On 4/20/07, EJBoshinski <<A
href="mailto:mistrz.linux@yahoo.com">mistrz.linux@yahoo.com</A>>
wrote:<BR>> > > Depending on the physical topology of your network,
without a complete <BR>> > > network admission compliance policy it
may be nearly impossible to<BR>> > >
implement. Firewalls typically sit at the network edge and do
not<BR>> > > mediate internal traffic, thus anything on your local
subnet will pass <BR>> > > unabated unless a firewall is placed at
each congregation point (ie -<BR>> > > read switch - however even
this is incomlete as any traffic<BR>> internal to<BR>> > > the
switch will not encounter the firewall). The only <BR>>
complete solution<BR>> > > is to have NAC in place that stipulates
rulesets that must be<BR>> met before<BR>> > > access is granted
to the network. This is where you can enforce your<BR>> >
> network policies. If you don't meet our standards, you don't
<BR>> get on....<BR>> > > I did some work on this about a year
ago with a MAJOR network gear<BR>> > > manufacturer's first step
into this market - suffice it to<BR>> say that the<BR>> > >
solution at that time was incomplete and convoluted. However in
the <BR>> > > interim I believe that the technology has improved
sufficiently to be<BR>> > > able to achieve your desired
results. The major hurdle is to get the<BR>> > > 'powers
that be' to buy into the project and the underlying <BR>> policies
of<BR>> > > network access control....<BR>> > ><BR>>
> > HTH,<BR>> > ><BR>> > > -ejb<BR>> >
><BR>> > > ----- Original Message ----<BR>> > > From:
Mel Wade < <A
href="mailto:mel@melwade.com">mel@melwade.com</A>><BR>> > > To:
Support list for open source software in schools.<BR>> <<A
href="mailto:k12osn@redhat.com">k12osn@redhat.com</A>><BR>> > >
Sent: Friday, April 20, 2007 7:55:47 AM <BR>> > > Subject: [K12OSN]
OT: Stopping P2P sharing<BR>> > ><BR>> > > We are looking
for a solution to stop file sharing on student owned<BR>> > >
computers on our network. Anyone have a solution? <BR>> >
><BR>> > > --<BR>> > > Mel Wade<BR>> > > "The
real problem is not whether machines think but whether<BR>> men do." -
BF<BR>> > > Skinner<BR>> > > <A
href="http://www.melwade.com">http://www.melwade.com</A>
_______________________________________________<BR>> > > K12OSN
mailing list<BR>> > > <A
href="mailto:K12OSN@redhat.com">K12OSN@redhat.com</A><BR>> > > <A
href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn</A><BR>>
> > For more info see <<A
href="http://www.k12os.org">http://www.k12os.org</A>> <BR>> >
><BR>> > ><BR>> > >
<BR>><BR>>
--<BR>> "History doesn't
repeat itself; at best it
rhymes."<BR>>
- Mark Twain<BR>><BR>> | John
Lucas <A
href="mailto:MrJohnLucas@gmail.com">
MrJohnLucas@gmail.com</A><BR>>
|<BR>> | St. Thomas, VI 00802<BR><A
href="http://mrjohnlucas.googlepages.com/">http://mrjohnlucas.googlepages.com/</A>
|<BR>| 18.3°N,
65°W AST
(UTC-4)
| <BR><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Mel Wade<BR>"The real problem is not whether machines
think but whether men do." - BF Skinner<BR><A
href="http://www.melwade.com">http://www.melwade.com</A>
</BLOCKQUOTE></BODY></HTML>