[K12OSN] OT: Stopping P2P sharing
John Lucas
mrjohnlucas at gmail.com
Fri Apr 20 22:11:44 UTC 2007
On Friday 20 April 2007 10:02, Mel Wade wrote:
> This is what I was thinking. I can effectively block P2P from the outside
> by blocking ports. The real problem is getting a handle on the large
> amount of file sharing going on within the network. I would really like to
> have something that would require monitoring software be in place in order
> to have access to the network. I'm guessing this would have to integrate
> into the switches themselves.
>
There are several technical approaches that come to mind, but they may create
more problems than they solve. In order for your users to exchange content,
they need to be allowed on the net, so you need to either prevent them
from connecting altogether, or you need to be able to allow access only to
authenticated users and be able to monitor them.
The first case can be accomplished by "locking down" each switch port by MAC
address (for school computers) and disabling open ports (to prevent student
computers from being able to connect). This will reduce the usability of the
net (student computers can't use the net) and adds to the operational
difficulty of moves, adds and changes. It also assumes that your switches are
"managed" instead of "dumb".
The second case assumes that you have an effective acceptable use policy that
clearly identifies what may and may not take place on the network and
enforcement of any violation. Many managed switches can be set up to require IEEE
802.1X authentication against a RADIUS server and can perform accounting so
you know what user is using which port at what times. Many switches also
allow any port to be mirrored to a "monitor port" to which you can attach a
protocol analyzer (allowing you to spot the "illegal" traffic). This requires
active monitoring and enforcement and may not be a good use of your time. If
you invested in expensive Layer 3 switches, it might be possible to prevent
inter-subnet P2P traffic (in a manner similar to that suggested for the
perimeter firewall above), but you would still be faced with intra-segment
sharing.
Wifi can be implemented using the same IEEE 802.1X authentication and
accounting as managed switches.
Once the perimeter is controlled (at the firewall) the other measures provide
diminishing returns due to the personnel time required for monitoring and
enforcement. I can't emphasize enough the vital importance of a clear and
enforceable Acceptable Use Policy; without that being understood by all
parties, you won't be able to enforce anything. Not all solutions are
technical.
I don't think there is a "silver bullet" to technically solve this problem. If
ever there is, I predict it will be expensive.
> Mel
>
> On 4/20/07, EJBoshinski <mistrz.linux at yahoo.com> wrote:
> > Depending on the physical topology of your network, without a complete
> > network admission compliance policy it may be nearly impossible to
> > implement. Firewalls typically sit at the network edge and do not
> > mediate internal traffic, thus anything on your local subnet will pass
> > unabated unless a firewall is placed at each congregation point (i.e.
> > read switch - however even this is incomplete as any traffic internal to
> > the switch will not encounter the firewall). The only complete solution
> > is to have NAC in place that stipulates rulesets that must be met before
> > access is granted to the network. This is where you can enforce your
> > network policies. If you don't meet our standards, you don't get on....
> > I did some work on this about a year ago with a MAJOR network gear
> > manufacturer's first step into this market - suffice it to say that the
> > solution at that time was incomplete and convoluted. However in the
> > interim I believe that the technology has improved sufficiently to be
> > able to achieve your desired results. The major hurdle is to get the
> > 'powers that be' to buy into the project and the underlying policies of
> > network access control....
> >
> > HTH,
> >
> > -ejb
> >
> > ----- Original Message ----
> > From: Mel Wade <mel at melwade.com>
> > To: Support list for open source software in schools. <k12osn at redhat.com>
> > Sent: Friday, April 20, 2007 7:55:47 AM
> > Subject: [K12OSN] OT: Stopping P2P sharing
> >
> > We are looking for a solution to stop file sharing on student owned
> > computers on our network. Anyone have a solution?
> >
> > --
> > Mel Wade
> > "The real problem is not whether machines think but whether men do." - BF
> > Skinner
> > http://www.melwade.com
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
--
"History doesn't repeat itself; at best it rhymes."
- Mark Twain
| John Lucas MrJohnLucas at gmail.com |
| St. Thomas, VI 00802 http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W AST (UTC-4) |
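The accounting benefit described above ("so you know what user is using which port at what times") depends on pairing the RADIUS Start and Stop records a switch emits for each 802.1X session. The following is an added example, not code from the thread or from any RADIUS server: it pairs such records by Acct-Session-Id and answers who held a port at a given moment, including ports whose session is still open. The record layout is constructed (RFC 2866/2869 attribute names as "Attribute = value" text) and does not claim to match any particular server's detail-log format.

```python
"""Added example (not from the thread): pair 802.1X RADIUS accounting Start/Stop records
into per-port sessions. Layout is constructed ("Attribute = value", RFC 2866/2869 names)."""
from __future__ import annotations
from dataclasses import dataclass
# Constructed sample: alice on port 12 (session closed), bob on port 13 (still open).
SAMPLE = """\
Acct-Status-Type = Start
User-Name = "alice"
NAS-Port = 12
Acct-Session-Id = "s0001"
Event-Timestamp = 1177063200

Acct-Status-Type = Start
User-Name = "bob"
NAS-Port = 13
Acct-Session-Id = "s0002"
Event-Timestamp = 1177063260

Acct-Status-Type = Stop
User-Name = "alice"
NAS-Port = 12
Acct-Session-Id = "s0001"
Event-Timestamp = 1177066800
"""
@dataclass
class Session:
    user: str
    port: int
    start: int
    stop: int | None = None  # None while the session is still open

def build_sessions(text: str) -> dict[str, Session]:
    """Parse blank-line-separated records and pair them by Acct-Session-Id."""
    sessions: dict[str, Session] = {}
    for block in text.strip().split("\n\n"):
        r = {k.strip(): v.strip().strip('"')
             for k, _, v in (line.partition("=") for line in block.splitlines())}
        sid, ts = r["Acct-Session-Id"], int(r["Event-Timestamp"])
        if r["Acct-Status-Type"] == "Start":
            sessions[sid] = Session(r["User-Name"], int(r["NAS-Port"]), ts)
        elif r["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid].stop = ts  # a Stop without a matching Start is ignored
    return sessions

def who_was_on(sessions: dict[str, Session], port: int, at: int) -> str | None:
    """User holding `port` at epoch second `at`, or None if the port was free."""
    for s in sessions.values():
        if s.port == port and s.start <= at and (s.stop is None or at <= s.stop):
            return s.user
    return None
```

Combined with a timestamped capture from a mirror port, the same lookup turns "port 13 at 10:02" into a user name, which is what an acceptable use policy needs before any violation can be acted on.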