IDS mailing list archives
Re: Bittorrent - utorrent
From: "David J. Bianco" <david () vorant com>
Date: Mon, 19 Mar 2007 17:14:04 -0400
Tremaine Lea wrote:
Those are not insignificant disadvantages, and is certainly not scalable. If you deal with a small network this may work just fine. If you have ~10,000 users and a lot of infrastructure it's not nearly so feasible.
Well, I monitor a campus network on a daily basis and I have to say that the reporting approach works very well. I do occasionally have to contact a user (usually via email) to tell them they're not allowed to use BitTorrent, but the rate is usually less than 1 per month. I think I could scale that up quite a bit. Now, maybe the original poster does have an extremely large pool of persistent BitTorrent users who are flagrantly trying to break the rules. I wouldn't know. If so, I guess an automated solution might make more sense. But really, unless you're swimming in cash, buying an appliance just to cut back on BitTorrent traffic doesn't seem to make a lot of sense. On the other hand, you can easily collect session data on some older hardware that might be lying around. Using free open source software, you can cobble together an alerting system that works well and doesn't cost anything (or very little). And yes, it can be quite scalable, as one data record per connection isn't really a lot compared to today's huge hard drives.
Effective monitoring that results in an audit trail you can take to HR requires more than a 'best guess' or 'highly educated guess'. You need to be able to prove it. You also need to be able to prevent it. A combination of a technical solution and an enforceable user policy should be preferred.
I don't disagree about the burden of proof, but you're adding a requirement that the original poster did not specify. No one said anything about going to HR for BitTorrent use. In any case, once you identify a possible BitTorrent user, you can usually ask them about it. If they happen to be in your domain, you could even get an admin to examine the installed software, which would turn up most P2P clients. I do both, when necessary, and so far it's not much of a burden.
Understand, I'm not trying to say that using an appliance is always bad, but it's usually overkill if you're just trying to stop BitTorrent. Ultimately, the original poster will have to decide if it's important enough to shell out some money. If that's what they need, fine. But if not, traffic analysis is quite a good alternative for most people.
David
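The following is an added example, not part of the original message or any tool the poster names: a sketch of session-data alerting of the kind the message describes, flagging internal hosts that talk to many distinct external peers on high ports within a short window. The record layout, the `10.0.0.0/8` internal range, the thresholds and the sample rows are all assumptions constructed for illustration, and a flagged host is a lead for follow-up, not proof of BitTorrent use.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the monitored address space
WINDOW = 300           # seconds per time bucket (assumed)
MIN_PEERS = 20         # distinct external peers per bucket before flagging (assumed)
MIN_HIGH_RATIO = 0.8   # share of sessions with both ports >= 1024 (assumed)

def flag_p2p_hosts(sessions):
    """sessions: iterable of (start_epoch, src_ip, src_port, dst_ip, dst_port).
    Returns {internal_ip: [(window_start, peer_count), ...]} for flagged buckets."""
    peers = defaultdict(set)   # (host, window) -> external peer IPs
    total = defaultdict(int)   # (host, window) -> session count
    high = defaultdict(int)    # (host, window) -> sessions using only high ports
    for ts, sip, sport, dip, dport in sessions:
        s_in = ip_address(sip) in INTERNAL
        d_in = ip_address(dip) in INTERNAL
        if s_in == d_in:
            continue  # skip internal-only and external-only records
        # Count inbound and outbound sessions against the internal endpoint.
        host, peer = (sip, dip) if s_in else (dip, sip)
        key = (host, ts - ts % WINDOW)
        peers[key].add(peer)
        total[key] += 1
        if sport >= 1024 and dport >= 1024:
            high[key] += 1
    flagged = defaultdict(list)
    for (host, win), seen in sorted(peers.items()):
        ratio = high[(host, win)] / total[(host, win)]
        if len(seen) >= MIN_PEERS and ratio >= MIN_HIGH_RATIO:
            flagged[host].append((win, len(seen)))
    return dict(flagged)

def sample_sessions():
    """Constructed sample data: one swarm-like host, one ordinary web client."""
    rows = []
    for i in range(30):  # 10.1.2.3 contacts 30 distinct peers on high ports
        rows.append((1000 + i, "10.1.2.3", 50000 + i, f"198.51.100.{i + 1}", 6881 + i))
    for i in range(40):  # 10.1.2.4 browses three web servers on 443
        rows.append((1000 + i, "10.1.2.4", 40000 + i, f"203.0.113.{i % 3 + 1}", 443))
    # One inbound peer connection, attributed to the internal host it reaches.
    rows.append((1100, "198.51.100.200", 51413, "10.1.2.3", 45000))
    return rows

if __name__ == "__main__":
    for host, windows in flag_p2p_hosts(sample_sessions()).items():
        print(host, windows)
```
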