[K12OSN] OT: Stopping P2P sharing

Mel Wade mel at melwade.com
Fri Apr 20 23:46:20 UTC 2007


Yes, and since we are a boarding high school there are safety and legal
issues as well as AUP enforcement.

On 4/20/07, Steven Santos <steven at simplycircus.com> wrote:
>
>  Is this causing bandwidth problems for your network?
>
>  ------------------------------
>  Steven Santos
> Director, Simply Circus, Inc.
> Email: Steven at SimplyCircus.com
>  Mail: 14 Pierrepont Road
>        Newton, MA 02462
> Phone: 617-527-0667
>   Web: www.SimplyCircus.com <http://www.simplycircus.com/>
>
>
> -----Original Message-----
> From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On Behalf Of Mel Wade
> Sent: Friday, April 20, 2007 7:33 PM
> To: Support list for open source software in schools.
> Subject: Re: [K12OSN] OT: Stopping P2P sharing
>
> We have movies, music, etc being shared across the network.
>
> I found this product but it starts at about $22k with discount and runs up
> to about $100k for our application.
> http://tinyurl.com/2cqt6y
>
> Great product but too much money.  I wish there was an open source
> solution for NAC.
>
> On 4/20/07, Steven Santos <steven at simplycircus.com> wrote:
> >
> > I have read a lot of what I would call heavy handed technical approaches
> > to this.  What I still don't understand is exactly what kind of file sharing
> > you are trying to prevent, and why.
> >
> >
> >
> >   _____
> >
> > Steven Santos
> > Director, Simply Circus, Inc.
> > Email: Steven at SimplyCircus.com
> > Mail: 14 Pierrepont Road
> >        Newton, MA 02462
> > Phone: 617-527-0667
> >   Web: www.SimplyCircus.com <http://www.SimplyCircus.com>
> >
> >
> >
> > > -----Original Message-----
> > > From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On Behalf Of John Lucas
> > > Sent: Friday, April 20, 2007 6:12 PM
> > > To: k12osn at redhat.com
> > > Subject: Re: [K12OSN] OT: Stopping P2P sharing
> > >
> > >
> > > On Friday 20 April 2007 10:02, Mel Wade wrote:
> > > > This is what I was thinking.  I can effectively block P2P from the
> > > > outside by blocking ports.  The real problem is getting a handle on
> > > > the large amount of file sharing going on within the network.  I would
> > > > really like to have something that would require monitoring software
> > > > be in place in order to have access to the network.  I'm guessing this
> > > > would have to integrate into the switches themselves.
> > > >
> > >
> > > There are several technical approaches that come to mind, but they may
> > > create more problems than they solve. In order for your users to
> > > exchange content they need to be allowed on the net, so you need to
> > > either prevent them from connecting altogether, or you need to be able
> > > to allow access only to authenticated users and be able to monitor them.
> > >
> > > The first case can be accomplished by "locking down" each switch port by
> > > MAC address (for school computers) and disabling open ports (to prevent
> > > student computers from being able to connect). This will reduce the
> > > usability of the net (student computers can't use the net) and adds to
> > > the operational difficulty of moves, adds and changes. It also assumes
> > > that your switches are "managed" instead of "dumb".
> > >
> > > The second case assumes that you have an effective acceptable use policy
> > > that clearly identifies what may and may not take place on the network
> > > and enforces any violation. Many managed switches can be set up to
> > > require IEEE 802.1X authentication against a RADIUS server and can
> > > perform accounting so you know what user is using which port at what
> > > times. Many switches also allow any port to be mirrored to a "monitor
> > > port" to which you can attach a protocol analyzer (allowing you to spot
> > > the "illegal" traffic). This requires active monitoring and enforcement
> > > and may not be a good use of your time. If you invested in expensive
> > > Layer 3 switches, it might be possible to prevent inter-subnet P2P
> > > traffic (in a manner similar to that suggested for the perimeter
> > > firewall above), but you would still be faced with intra-segment sharing.
> > >
> > > Wifi can be implemented using the same IEEE 802.1X authentication and
> > > accounting as managed switches.
> > >
> > > Once the perimeter is controlled (at the firewall) the other measures
> > > provide diminishing returns due to the personnel time required for
> > > monitoring and enforcement. I can't emphasize enough the vital importance
> > > of a clear and enforceable Acceptable Use Policy; without that being
> > > understood by all parties, you won't be able to enforce anything. Not all
> > > solutions are technical.
> > >
> > > I don't think there is a "silver bullet" to technically solve this
> > > problem. If ever there is, I predict it will be expensive.
> > >
> > > > Mel
> > > >
> > > > On 4/20/07, EJBoshinski <mistrz.linux at yahoo.com> wrote:
> > > > > Depending on the physical topology of your network, without a
> > > > > complete network admission compliance policy it may be nearly
> > > > > impossible to implement.  Firewalls typically sit at the network edge
> > > > > and do not mediate internal traffic, thus anything on your local
> > > > > subnet will pass unabated unless a firewall is placed at each
> > > > > congregation point (i.e. read switch - however even this is
> > > > > incomplete as any traffic internal to the switch will not encounter
> > > > > the firewall).  The only complete solution is to have NAC in place
> > > > > that stipulates rulesets that must be met before access is granted
> > > > > to the network.  This is where you can enforce your network
> > > > > policies.  If you don't meet our standards, you don't get on....
> > > > > I did some work on this about a year ago with a MAJOR network gear
> > > > > manufacturer's first step into this market - suffice it to say that
> > > > > the solution at that time was incomplete and convoluted.  However in
> > > > > the interim I believe that the technology has improved sufficiently
> > > > > to be able to achieve your desired results.  The major hurdle is to
> > > > > get the 'powers that be' to buy into the project and the underlying
> > > > > policies of network access control....
> > > > >
> > > > > HTH,
> > > > >
> > > > > -ejb
> > > > >
> > > > > ----- Original Message ----
> > > > > From: Mel Wade <mel at melwade.com>
> > > > > To: Support list for open source software in schools. <k12osn at redhat.com>
> > > > > Sent: Friday, April 20, 2007 7:55:47 AM
> > > > > Subject: [K12OSN] OT: Stopping P2P sharing
> > > > >
> > > > > We are looking for a solution to stop file sharing on student owned
> > > > > computers on our network.  Anyone have a solution?
> > > > >
> > > > > --
> > > > > Mel Wade
> > > > > "The real problem is not whether machines think but whether
> > > > > men do." - BF Skinner
> > > > > http://www.melwade.com
> > > > > _______________________________________________
> > > > > K12OSN mailing list
> > > > > K12OSN at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/k12osn
> > > > > For more info see <http://www.k12os.org>
> > > > >
> > > > >
> > >
> > > --
> > >         "History doesn't repeat itself; at best it rhymes."
> > >                         - Mark Twain
> > >
> > > | John Lucas                 MrJohnLucas at gmail.com               |
> > > | St. Thomas, VI 00802       http://mrjohnlucas.googlepages.com/  |
> > > | 18.3°N, 65°W               AST (UTC-4)                          |
> >
> >
> >
> >
> >
>
>
>
> --
> Mel Wade
> "The real problem is not whether machines think but whether men do." - BF
> Skinner
> http://www.melwade.com
>
>
>



-- 
Mel Wade
"The real problem is not whether machines think but whether men do." - BF
Skinner
http://www.melwade.com
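John Lucas's point above about 802.1X against a RADIUS server with accounting ("so you know what user is using which port at what times") only pays off if someone can actually answer that question when a capture on the monitor port shows file sharing from a given switch port. The script below is an added example, not code from this thread or from any product mentioned in it. It assumes the RADIUS server writes FreeRADIUS-style "detail" accounting records (a timestamp line, indented "Attribute = value" lines, a blank line between records); the three records embedded in it are constructed sample data, and the attribute names used (Acct-Status-Type, NAS-IP-Address, NAS-Port, Calling-Station-Id, Acct-Session-Id, Acct-Session-Time) are the standard RADIUS accounting attributes.

```python
"""Who was on which switch port, and when, from RADIUS accounting records.
Added example, not code from the thread. Assumes a FreeRADIUS-style "detail"
log: a timestamp line, indented "Attribute = value" lines, blank line between."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample detail records for one switch (10.10.0.2); not a real log.
SAMPLE_DETAIL = """\
Fri Apr 20 08:01:12 2007
\tAcct-Status-Type = Start
\tUser-Name = "asmith"
\tNAS-IP-Address = 10.10.0.2
\tNAS-Port = 7
\tCalling-Station-Id = "00-11-22-AA-BB-01"
\tAcct-Session-Id = "0001"

Fri Apr 20 11:30:05 2007
\tAcct-Status-Type = Stop
\tUser-Name = "asmith"
\tNAS-IP-Address = 10.10.0.2
\tNAS-Port = 7
\tAcct-Session-Id = "0001"
\tAcct-Session-Time = 12533

Fri Apr 20 11:45:00 2007
\tAcct-Status-Type = Start
\tUser-Name = "cdoe"
\tNAS-IP-Address = 10.10.0.2
\tNAS-Port = 7
\tCalling-Station-Id = "00-11-22-AA-BB-03"
\tAcct-Session-Id = "0003"
"""

_ATTR = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse_time(text: str) -> datetime:
    """Parse a detail-file timestamp such as 'Fri Apr 20 08:01:12 2007'."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y")


@dataclass
class Session:
    user: str
    nas_ip: str               # the switch (NAS) that sent the record
    port: int                 # NAS-Port: the physical switch port
    mac: str                  # Calling-Station-Id of the supplicant
    start: datetime
    stop: Optional[datetime]  # None while the session is still open

    def active_at(self, when: datetime) -> bool:
        return self.start <= when and (self.stop is None or when < self.stop)


def parse_detail(text: str) -> list:
    """One dict per record; the record's own timestamp is stored under "_time"."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"_time": parse_time(lines[0])}
        for line in lines[1:]:
            m = _ATTR.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip('"')
        records.append(rec)
    return records


def _session_from(rec: dict, start: datetime, stop: Optional[datetime] = None) -> Session:
    return Session(rec["User-Name"], rec["NAS-IP-Address"], int(rec["NAS-Port"]),
                   rec.get("Calling-Station-Id", "?"), start, stop)


def build_sessions(records: list) -> list:
    """Pair Start and Stop records by (NAS, Acct-Session-Id). A Stop without a
    Start (lost packet, rotated log) is kept, its start reconstructed from
    Acct-Session-Time, so the port does not silently go unaccounted for."""
    sessions = {}
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            sessions[key] = _session_from(rec, rec["_time"])
        elif status == "Stop" and key in sessions:
            sessions[key].stop = rec["_time"]
        elif status == "Stop":  # orphan Stop
            secs = int(rec.get("Acct-Session-Time", "0"))
            sessions[key] = _session_from(rec, rec["_time"] - timedelta(seconds=secs),
                                          rec["_time"])
        # Interim-Update and Accounting-On/Off records are not needed here.
    return list(sessions.values())


def who_was_on(sessions: list, nas_ip: str, port: int, when: datetime) -> list:
    """Sessions active on one switch port at one instant: the lookup to make
    when a capture on the monitor port shows file-sharing traffic from that port."""
    return [s for s in sessions
            if s.nas_ip == nas_ip and s.port == port and s.active_at(when)]
```

Typical use is `who_was_on(build_sessions(parse_detail(open("detail").read())), "10.10.0.2", 7, parse_time("Fri Apr 20 10:00:00 2007"))`, which on the sample data returns the asmith session; the same port at 12:00 returns cdoe, and at 11:35 returns nothing, because asmith's Stop record closed the session at 11:30:05. Two things in the data model matter for this to hold up as evidence: sessions are keyed by switch address as well as session id, since Acct-Session-Id is only unique per NAS, and a Stop whose Start was never logged is still recorded (start inferred from Acct-Session-Time) rather than dropped, which is what would otherwise leave a port unaccounted for during exactly the interval you are asking about.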