Educause Security Discussion mailing list archives

Re: How do you handle the P2P problem?


From: Steve Bernard <sbernard () GMU EDU>
Date: Wed, 12 Nov 2003 17:39:47 -0500

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Clyde Hoadley
Sent: Wednesday, November 12, 2003 1:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How do you handle the P2P problem?


I'm looking for simple and low cost solutions to some difficult problems.

How do you accurately detect illegal peer-to-peer file sharing activity?

How do you accurately identify and locate a user who is engaging in illegal
peer-to-peer file sharing?

Metro State does have some problems with illegal peer-to-peer file sharing;
however, we are solely a commuter campus.  We do not have dormitories etc...
to support.  So, our P2P problem probably isn't as big as some other
institutions' P2P problems.

Most of our network uses DHCP addresses.  We are not using MAC address
authorization at this time.  We have a single Internet gateway.  We are
doing Ingress filtering - permitting incoming connections for specific
port/protocols to specific hosts.  We do limited Egress filtering - permitting
almost any outgoing connection.  We also have SNORT watching the gateway
traffic but have most of the rules turned off due to the high volume of
false positives.  We could deny high port to high port connections, but that
would also stop a lot of very legitimate traffic.

We have not received any subpoenas but we do occasionally receive an Email
notice of Copyright infringement.  How are the rest of you dealing with
the illegal peer-to-peer file sharing problem?

--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074
-----End Original Message-----


Accurately identifying all P2P traffic from amongst otherwise open Internet
access, and more specifically just the illegal file sharing, is going to be
expensive, complicated, and time-consuming, if not impossible. If you are
not having a significant legal problem, and want to proceed using the least
amount of capital, I suggest enumerating the common port combinations
(client/server) for the most prevalent P2P applications and then creating the
specific packet filtering rules or ACLs necessary to block those. Once you
have these defined you can use Snort to audit the effectiveness of your
filtering by watching those specific IP addresses, ports, and/or P2P
application signatures. Be aware that applications such as IRC, ICQ, and AOL
are commonly used to transfer files, although they often aren't grouped with
P2P file sharing applications. If you block the standard P2P and then see
AOL or IRC traffic skyrocket, it could tip you off to this sort of activity.
You may also want to consider implementing HTTP and/or FTP proxies to
control the transfer of files using these protocols, and "rogue" traffic
using port 80. Many P2P applications can or do use port 80 as a method of
circumventing basic packet filtering.


Regards,

Steve
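
The following is an added example, not code from this thread or from either poster, illustrating the low-cost approach the reply above lays out: enumerate the default (protocol, port) pairs of the prevalent P2P clients, render them as ACL deny lines, generate Snort rules that audit whether such traffic still passes the filter, and then run three checks over gateway flow records: which internal hosts are still talking on those ports, whether the chat channels the reply names (IRC, AOL) have grown sharply against a baseline, and whether port-80 flows carry something other than HTTP. The port table reflects well-known client defaults of that era but should be verified before use; the `Flow` record, the Cisco-IOS-style ACL syntax, the Snort rule text, the addresses and the flow records are all assumptions constructed for this example.

```python
# Added example (not the list thread's own code). Port table, addresses and
# flow records are constructed for illustration; verify ports before use.
from collections import defaultdict
from dataclasses import dataclass

# Constructed table: P2P application -> default (protocol, port) pairs.
P2P_PORTS = {
    "fasttrack": [("tcp", 1214)],
    "gnutella": [("tcp", 6346), ("tcp", 6347)],
    "edonkey": [("tcp", 4662), ("udp", 4672)],
    "bittorrent": [("tcp", p) for p in range(6881, 6890)],
}
# Assumed default ports for the chat channels the reply says carry file transfers.
CHAT_PORTS = {"irc": ("tcp", 6667), "aim": ("tcp", 5190)}


@dataclass(frozen=True)
class Flow:
    """One summarised connection, as a gateway flow log might record it (assumed shape)."""
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    head: bytes = b""  # first client payload bytes, when a sniffer captured them


def build_acl(ports=P2P_PORTS, name="BLOCK-P2P"):
    """Render IOS-style extended ACL lines that deny the enumerated P2P ports."""
    lines = [f"ip access-list extended {name}"]
    for app, entries in ports.items():
        lines.append(f" remark {app}")
        for proto, port in entries:
            lines.append(f" deny {proto} any any eq {port}")
    lines.append(" permit ip any any")
    return lines


def build_snort_rules(ports=P2P_PORTS, start_sid=1000001):
    """Snort rules that fire when traffic to a supposedly blocked port still passes."""
    rules, sid = [], start_sid
    for app, entries in ports.items():
        for proto, port in entries:
            rules.append(
                f"alert {proto} $HOME_NET any -> $EXTERNAL_NET {port} "
                f'(msg:"P2P {app} port {port} passed the filter"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


def hosts_on_p2p_ports(flows, ports=P2P_PORTS):
    """Map each P2P application to the internal hosts seen using its default ports."""
    lookup = {pp: app for app, entries in ports.items() for pp in entries}
    hits = defaultdict(set)
    for f in flows:
        app = lookup.get((f.proto, f.dport))
        if app:
            hits[app].add(f.src)
    return dict(hits)


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def rogue_port80(flows):
    """Port-80 flows whose first payload bytes are not an HTTP request line."""
    return [f for f in flows if f.dport == 80 and f.head
            and not f.head.startswith(HTTP_METHODS)]


def bytes_per_port(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[(f.proto, f.dport)] += f.nbytes
    return totals


def volume_spikes(baseline, current, watch=CHAT_PORTS, factor=5.0):
    """Chat channels whose byte volume grew more than `factor` times over the baseline."""
    before, after = bytes_per_port(baseline), bytes_per_port(current)
    return {name: (before[key], after[key]) for name, key in watch.items()
            if after[key] > factor * max(before[key], 1)}


# Constructed flow records: a quiet baseline day, and a day after the ACL went in.
BASELINE = [
    Flow("10.1.9.8", "192.0.2.22", "tcp", 6667, 4_000),
    Flow("10.1.7.3", "192.0.2.10", "tcp", 80, 12_000, b"GET /index.html HTTP/1.1\r\n"),
]
TODAY = [
    Flow("10.1.4.20", "198.51.100.7", "tcp", 1214, 480_000),    # FastTrack default port
    Flow("10.1.4.20", "203.0.113.9", "tcp", 6881, 1_200_000),   # BitTorrent default port
    Flow("10.1.7.3", "192.0.2.10", "tcp", 80, 3_000, b"GET / HTTP/1.1\r\n"),
    Flow("10.1.7.3", "198.51.100.40", "tcp", 80, 900_000, b"\x13BitTorrent protocol"),
    Flow("10.1.9.8", "192.0.2.22", "tcp", 6667, 50_000),        # IRC, 12x the baseline
]

if __name__ == "__main__":
    print("\n".join(build_acl()))
    print("\n".join(build_snort_rules()))
    print("hosts still on P2P ports:", hosts_on_p2p_ports(TODAY))
    print("non-HTTP on port 80:", [(f.src, f.dst) for f in rogue_port80(TODAY)])
    print("chat volume spikes:", volume_spikes(BASELINE, TODAY))
```

The port-based ACL and Snort rules only cover clients that keep their default ports, which is why the last two checks exist: a payload that does not begin with an HTTP method on port 80, and a sudden multiple of the usual IRC or AIM volume, are the cheap signals the reply suggests watching once the obvious ports are closed.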

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.