[K12OSN] OT: Stopping P2P sharing

Fri Apr 20 22:11:44 UTC 2007

On Friday 20 April 2007 10:02, Mel Wade wrote:
> This is what I was thinking.  I can effectively block P2P from the outside
> by blocking ports.  The real problem is getting a handle on the large
> amount of file sharing going on within the network.  I would really like to
> have something that would require monitoring software be in place in order
> to have access to the network.  I'm guessing this would have to integrate
> into the switches themselves.
>

There are several technical approaches that come to mind, but they may create 
more problems than the solve. In order for your users to exchange content 
then they need to be allowed on the net, so you need to either prevent them 
from connecting altogether, or you need to be able to allow access only to 
authenticated users access and be able to monitor them. 

The first case can be accomplished by "locking down" each switch port by MAC 
address (for school computers) and disabling open ports (to prevent student 
computers from being able to connect). This will reduce the usability of the 
net (student computers can't use the net) and adds to the operational 
difficulty of moves adds and changes. It also assumes that your switches are 
"managed" instead of "dumb".

The second case assumes that you have an affective acceptable use policy that 
that clearly identifies what may and may not take place on the network and 
enforcing any violation. Many managed switches can be set up to require IEEE 
802.1X authentication against a RADIUS server and can perform accounting so 
you know what user is using which port at what times. Many switches also 
allow any port to be mirrored to a "monitor port" to which you can attach a 
protocol analyzer (allowing you to spot the "illegal" traffic). This requires 
active monitoring and enforcment and may not be a good use of your time. If 
you invested in expensive Layer 3 switches, it might be possible to prevent 
inter-subnet P2P traffic (in a manner similar to that suggested for the 
perimeter firwall above), but you would still be faced with intra-segment 
sharing.

Wifi can be implemented using the same IEEE 802.1X authentication and 
accounting as managed switches. 

Once the perimeter is controlled (at the firewall) the other measures provide 
diminishing returns due to the personnel time required for monitoring and 
enforcement. I can't emphasize enough the vital importance of a clear and 
enforcable Acceptable Use Policy, without that being understood by all 
parties, you won't be able to enforce anything. Not all solutions are 
technical.

I don't think there is a "silver bullet" to techincally solve this problem. If 
ever there is, I predict it will be expensive.

> Mel
>
> On 4/20/07, EJBoshinski <mistrz.linux at yahoo.com> wrote:
> > Depending on the physical topology of your network, without a complete
> > network admission compliance policy it may be nearly impossible to
> > implement.  Firewalls typically sit at the network edge and do not
> > mediate internal traffic, thus anything on your local subnet will pass
> > unabated unless a firewall is placed at each congregation point (ie -
> > read switch - however even this is incomlete as any traffic internal to
> > the switch will not encounter the firewall).  The only complete solution
> > is to have NAC in place that stipulates rulesets that must be met before
> > access is granted to the network.  This is where you can enforce your
> > network policies.  If you don't meet our standards, you don't get on.... 
> > I did some work on this about a year ago with a MAJOR network gear
> > manufacturer's first step into this market - suffice it to say that the
> > solution at that time was incomplete and convoluted.  However in the
> > interim I believe that the technology has improved sufficiently to be
> > able to achieve your desired results.  The major hurdle is to get the
> > 'powers that be' to buy into the project and the underlying policies of
> > network access control....
> >
> > HTH,
> >
> > -ejb
> >
> > ----- Original Message ----
> > From: Mel Wade <mel at melwade.com>
> > To: Support list for open source software in schools. <k12osn at redhat.com>
> > Sent: Friday, April 20, 2007 7:55:47 AM
> > Subject: [K12OSN] OT: Stopping P2P sharing
> >
> > We are looking for a solution to stop file sharing on student owned
> > computers on our network.  Anyone have a solution?
> >
> > --
> > Mel Wade
> > "The real problem is not whether machines think but whether men do." - BF
> > Skinner
> > http://www.melwade.com _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> >
> >
> > ------------------------------
> > Ahhh...imagining that irresistible "new car" smell?
> > Check out new cars at Yahoo!
> > Autos.<http://us.rd.yahoo.com/evt=48245/*http://autos.yahoo.com/new_cars.
> >html;_ylc=X3oDMTE1YW1jcXJ2BF9TAzk3MTA3MDc2BHNlYwNtYWlsdGFncwRzbGsDbmV3LWNh
> >cnM->
> >
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>

-- 
        "History doesn't repeat itself; at best it rhymes."
                        - Mark Twain

| John Lucas                          MrJohnLucas at gmail.com               |
| St. Thomas, VI 00802                http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W                        AST (UTC-4)                         |