To all:

We use our NAC implementation at UNC to treat our students in ResNet like 
adults.  They get a choice because we tell them we know what they are doing.  
The NAC client is on their machines (it is required to be in ResNet, and is no 
different from how we were already looking at them with IDS and IPS 
capabilities).  They can digitally sign a "hall pass" which says that they are 
aware that they have P2P software (we keep the list up to date) loaded and they 
agree they are not using it for illegal distribution of copyrighted material.  
If they are later found in violation of this agreement they have made, they 
know that they will go directly to an honor court violation hearing.  Please 
see the following link for more information on this:

http://www.networkworld.com/news/2011/092911-unc-nac-251409.html

We have several other academic departments that have been bitten in the past by 
P2P software that was, or could have been, used for illegal download of 
confidential data.  The NAC client in these locations (with a different NAC 
security profile than ResNet), when it senses that a listed P2P software is 
loaded, immediately flips a policy on their authentication to the network that 
bars them from ANY network traffic.  The admins in each department that has 
this have a window into our NAC so that they can tell what policy has been 
applied to that user; that is part of normal troubleshooting should the 
offending client point out a problem.

Getting back to ResNet, we do not limit what students can do with bandwidth on 
campus.  If a user is eating up high bandwidth on campus we have a number of 
ways of noting this and taking action.  We have bandwidth limits for each 
ResNet user on the border routers so that the students are not allowed to eat 
up all access to the outside.

As discussed above, our use of the "hall pass" in our NAC has resulted in a 90% 
reduction in copyright violations in our student population.

I find some of the discussion some of you have posted on this interesting.  It 
is as if some of you have requirements from your upper management not to offend 
any member of the student population.  At UNC we have in our NAC implementation 
a very precise mechanism to take policy action on any user or device at any 
edge of the network.  We treat our students like they are adults, which is how 
they will be treated when they leave school and go to work in society.


Mike Hawkins
Associate Director of Networking
University of North Carolina at Chapel Hill

PS> Before any of you ask, our NAC is part of our NetSight NMS suite of 
software from Enterasys.

From: Lucas Hazel [mailto:[email protected]]
Sent: Thursday, September 13, 2012 9:00 PM
To: Enterasys Customer Mailing List
Cc: Cal Frye
Subject: Re: [enterasys] Blocking bittorrent and P2P

We're also using Procera to block BitTorrent.

You can actually get around blocking legitimate torrents such as Blizzard 
updates by using property inspection and controlling the agent string and which 
trackers can be contacted. Sure, it fundamentally breaks how torrents are meant 
to work, but at least the students can get their game updates.

At our university a lot of students are choosing to push their traffic through 
VPNs to get around the traffic inspection.

On 14/09/12 00:23, Cal Frye wrote:

Even with some packet shapers it can be difficult to get it all. Some
clients are very adaptive, and if you block too many ports you'll find
your P2P traffic running on port 80 or 53 instead!

Is the problem with student-owned machines on your network or on your
own machines? If the latter, desktop controls might be a more successful
approach.

It's hard to be too aggressive with this without having an impact on
other, non P2P traffic. At that point it becomes a question of what
other sorts of traffic you want to permit. We had to make exceptions for
Warcraft updates, for example, as those take place via a BitTorrent
mechanism. You may not have to worry about that without residence halls.
Good luck!

- Cal Frye, Oberlin College

Patrick Printz wrote:
> How do you block BitTorrent and P2P traffic? Is it something that can be
> done via policy or ACLs? I know I could do it with a packet shaper, but
> we do not have one yet. I am just curious if someone else has thought of
> some ingenious way of keeping this traffic contained.
>
> *Patrick Printz*
> *Network Infrastructure*
>
> Quinsigamond Community College
> 670 West Boylston Street
> Worcester, MA 01606-2092
>
> w. 508-854-7517
> c. 508-726-9529
>
> "If a man is called a street sweeper, he should sweep streets even as
> Michelangelo painted, or Beethoven composed music, or Shakespeare wrote
> poetry.  He should sweep streets so well that all the hosts of heaven
> and Earth will pause to say, Here lived a great street sweeper who did
> his job well."
>
> ~Martin Luther King, Jr.
>
>   * --To unsubscribe from enterasys, send email to [email protected]
>     with the body: unsubscribe enterasys [email protected]
>

--
Cal Frye, www.calfrye.com
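Two technical points in the thread above go together: Cal Frye's warning that port-based blocking just pushes BitTorrent onto 80 or 53, and Lucas Hazel's note that legitimate torrents (game updaters) can still be let through by controlling the agent string and which trackers may be contacted. The following is an added example, not code from Enterasys, Procera or any of the posters, showing how a content-based classifier does both: it recognises the peer-wire handshake and the HTTP tracker announce by their fixed shapes regardless of port, and then applies a tracker-host plus User-Agent/peer_id allow-list. It assumes the input is a reassembled TCP payload (one request per call) and the allow-list entries (tracker.example-updates.net, ExampleDownloader/, the -EX peer_id prefix) are hypothetical stand-ins, not a real vendor's identifiers; the sample payloads are constructed, not captured.

```python
"""Port-independent BitTorrent detection with a tracker/agent allow-list.

Added example for the thread above (not Enterasys, Procera or any poster's
code). Port filters fail once a client moves to 80 or 53, so classification
is done on payload content: the peer-wire handshake and the HTTP tracker
announce both have fixed formats. The allow-list is a hypothetical stand-in
for a "legitimate torrent" exception such as a game updater.
"""
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

PSTR = b"BitTorrent protocol"                      # fixed handshake string, 19 bytes
REQUEST_LINE = re.compile(rb"^(GET|HEAD) (\S+) HTTP/1\.[01]\r\n")
AZUREUS_STYLE = re.compile(rb"^-[A-Za-z]{2}[0-9A-Za-z]{4}-")   # peer_id tag, e.g. -UT3300-

# Hypothetical allow-list (an assumption of this example, not a real vendor's):
# only this tracker, only this User-Agent, and only peers whose peer_id carries
# this tag are allowed; every other BitTorrent artefact is blocked.
ALLOWED_TRACKERS = {b"tracker.example-updates.net"}
ALLOWED_AGENTS = (b"ExampleDownloader/",)
ALLOWED_PEER_IDS = (b"-EX",)


def client_prefix(peer_id: bytes):
    """Return the Azureus-style client tag from a 20-byte peer_id, or None."""
    m = AZUREUS_STYLE.match(peer_id)
    return m.group(0) if m else None


def parse_handshake(payload: bytes):
    """Peer-wire handshake: <19><'BitTorrent protocol'><8 reserved><info_hash><peer_id>."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != PSTR:
        return None
    return {"kind": "peer-handshake",
            "info_hash": payload[28:48].hex(),
            "peer_id": payload[48:68],
            "client": client_prefix(payload[48:68])}


def parse_announce(payload: bytes):
    """HTTP tracker request: GET /announce?info_hash=...&peer_id=... plus Host/User-Agent."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    path, _, query = m.group(2).partition(b"?")
    if not (path.endswith(b"/announce") or path.endswith(b"/scrape")):
        return None
    params = {}
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        params[key] = unquote_to_bytes(value)       # info_hash is raw bytes, %-encoded
    headers = {}
    for line in payload[m.end():].split(b"\r\n"):
        if not line:                                # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"kind": "tracker-request",
            "host": headers.get(b"host", b""),
            "user_agent": headers.get(b"user-agent", b""),
            "info_hash": params.get(b"info_hash", b"").hex()}


def classify_payload(payload: bytes):
    """Return a dict describing the BitTorrent artefact in the payload, or None."""
    return parse_handshake(payload) or parse_announce(payload)


def decide(payload: bytes) -> str:
    """'pass' (not BitTorrent), 'allow' (on the allow-list) or 'block'."""
    event = classify_payload(payload)
    if event is None:
        return "pass"
    if event["kind"] == "tracker-request":
        ok = (event["host"] in ALLOWED_TRACKERS
              and event["user_agent"].startswith(ALLOWED_AGENTS))
    else:
        ok = event["peer_id"].startswith(ALLOWED_PEER_IDS)
    return "allow" if ok else "block"


def pct(raw: bytes) -> bytes:
    """Percent-encode raw bytes the way a client puts info_hash/peer_id in a URL."""
    return quote_from_bytes(raw, safe="").encode("ascii")


# Constructed sample payloads (not captured traffic).
SAMPLE_HANDSHAKE = (bytes([19]) + PSTR + b"\x00" * 8
                    + bytes(range(20))                   # info_hash
                    + b"-UT3300-" + b"\x01" * 12)        # peer_id with a uTorrent-style tag
SAMPLE_ANNOUNCE = (b"GET /announce?info_hash=" + pct(bytes(range(0x10, 0x24)))
                   + b"&peer_id=" + pct(b"-EX0100-" + b"\x02" * 12)
                   + b"&port=6881&left=0 HTTP/1.1\r\n"
                   b"Host: tracker.example-updates.net\r\n"
                   b"User-Agent: ExampleDownloader/1.0\r\n\r\n")
SAMPLE_ROGUE_ANNOUNCE = SAMPLE_ANNOUNCE.replace(b"tracker.example-updates.net", b"tracker.example.org")
SAMPLE_PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("handshake (any port)", SAMPLE_HANDSHAKE), ("updater announce", SAMPLE_ANNOUNCE),
                    ("other tracker", SAMPLE_ROGUE_ANNOUNCE), ("plain HTTP", SAMPLE_PLAIN_HTTP)]:
        print(f"{name:22s} -> {decide(p)}")
```

The classifier looks only at the first bytes of a stream, which is what a shaper or IPS signature does too; a peer handshake on port 80 is caught exactly as one on 6881. The caveat Lucas raises still holds: allow-listing a tracker and an agent string lets the updater announce itself, but the client's peer connections then also have to be let through (here by peer_id tag), and a client that spoofs the tag or tunnels over a VPN, as the thread's students do, is not visible to this kind of inspection at all.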
