IDS mailing list archives

Re: Bittorrent - utorrent


From: "David J. Bianco" <david () vorant com>
Date: Mon, 19 Mar 2007 17:14:04 -0400

Tremaine Lea wrote:

> Those are not insignificant disadvantages, and it is certainly not
> scalable.  If you deal with a small network this may work just fine.  If
> you have ~10,000 users and a lot of infrastructure it's not nearly so
> feasible.

Well, I monitor a campus network on a daily basis and I have to say
that the reporting approach works very well.  I do occasionally have to
contact a user (usually via email) to tell them they're not allowed to
use BitTorrent, but the rate is usually less than 1 per month.  I think
I could scale that up quite a bit.

Now, maybe the original poster does have an extremely large pool of
persistent BitTorrent users who are flagrantly trying to break the rules.
I wouldn't know.  If so, I guess an automated solution might make more
sense.  But really, unless you're swimming in cash, buying an appliance
just to cut back on BitTorrent traffic doesn't seem to make a lot of
sense.

On the other hand, you can easily collect session data on some older
hardware that might be lying around.  Using free open source
software, you can cobble together an alerting system that works well
and doesn't cost anything (or very little).

And yes, it can be quite scalable, as one data record per connection
isn't really a lot compared to today's huge hard drives.


> Effective monitoring that results in an audit trail you can take to HR
> requires more than a 'best guess' or 'highly educated guess'.  You need
> to be able to prove it.  You also need to be able to prevent it.  A
> combination of a technical solution and an enforceable user policy
> should be preferred.

I don't disagree about the burden of proof, but you're adding a requirement
that the original poster did not specify.  No one said anything about
going to HR for BitTorrent use.

In any case, once you identify a possible BitTorrent user, you can
usually ask them about it.  If they happen to be in your domain, you
could even get an admin to examine the installed software, which would
turn up most P2P clients.  I do both, when necessary, and so far it's
not much of a burden.

Understand, I'm not trying to say that using an appliance is always
bad, but it's usually overkill if you're just trying to stop BitTorrent.
Ultimately, the original poster will have to decide if it's important
enough to shell out some money.  If that's what they need, fine.  But
if not, traffic analysis is quite a good alternative for most people.

        David
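One way to build the kind of session-data alerting David describes (one record per connection, scanned for hosts whose connection pattern looks like a BitTorrent client) is sketched below. This is an added example written for this archive page; it is not code from the thread or from any collector or IDS mentioned in it. The record layout `(src, sport, dst, dport, proto)`, the `10.0.0.0/8` internal range, the sample sessions and the three thresholds are all assumptions chosen for illustration, and the output is a lead to follow up with the user, not proof of anything.

```python
"""Heuristic BitTorrent detection from per-connection session records.

Added example, not from the mailing-list thread.  Assumptions: session
records are tuples (src, sport, dst, dport, proto) as a flow collector
might emit them; 10.0.0.0/8 is the campus network; thresholds are guesses.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed campus address space
MIN_PEERS = 20          # distinct external peers before alerting (assumed)
MIN_PORTS = 10          # distinct remote ports before alerting (assumed)
HIGH_PORT_RATIO = 0.8   # share of remote ports above 1024 (assumed)


def _make_sessions():
    """Constructed sample records: one torrent-like host, one web user,
    one inbound connection that the summary should ignore."""
    sessions = []
    # A suspected torrent user: 25 distinct peers on scattered high ports.
    for i in range(25):
        sessions.append(("10.1.2.3", 40000 + i, f"198.51.100.{i + 1}",
                         6881 + (i * 7) % 500, "tcp"))
    # An ordinary web user: a handful of peers, only ports 80 and 443.
    for i in range(6):
        sessions.append(("10.1.2.4", 50000 + i, f"203.0.113.{i + 1}",
                         443 if i % 2 else 80, "tcp"))
    # Inbound from outside to an internal server: not an outbound session.
    sessions.append(("192.0.2.9", 33333, "10.9.9.9", 80, "tcp"))
    return sessions


SAMPLE_SESSIONS = _make_sessions()


def summarize(sessions):
    """Per internal host: distinct external peers, distinct remote ports,
    and the fraction of outbound sessions that used a port above 1024."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    high = defaultdict(int)
    total = defaultdict(int)
    for src, _sport, dst, dport, _proto in sessions:
        # Only outbound sessions from internal hosts to external addresses.
        if ip_address(src) not in INTERNAL_NET or ip_address(dst) in INTERNAL_NET:
            continue
        peers[src].add(dst)
        ports[src].add(dport)
        total[src] += 1
        if dport > 1024:
            high[src] += 1
    return {
        host: {
            "peers": len(peers[host]),
            "ports": len(ports[host]),
            "high_port_ratio": high[host] / total[host],
        }
        for host in peers
    }


def suspected_bittorrent_hosts(sessions):
    """Hosts whose outbound session pattern crosses all three thresholds."""
    stats = summarize(sessions)
    return sorted(
        host for host, s in stats.items()
        if s["peers"] >= MIN_PEERS
        and s["ports"] >= MIN_PORTS
        and s["high_port_ratio"] >= HIGH_PORT_RATIO
    )


def alert_lines(sessions):
    """Human-readable alert text, one line per flagged host, carrying the
    figures an admin would cite when asking the user about it."""
    stats = summarize(sessions)
    return [
        f"{host}: {stats[host]['peers']} peers, {stats[host]['ports']} ports, "
        f"{stats[host]['high_port_ratio']:.0%} high-port sessions"
        for host in suspected_bittorrent_hosts(sessions)
    ]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_SESSIONS):
        print(line)
```

Run against a real collector's output you would replace `SAMPLE_SESSIONS` with a loader for its record format and tune the thresholds against a week of baseline data; the point of the three-way test (many peers, many ports, mostly high ports) is to keep ordinary web and mail traffic, which concentrates on a few well-known ports, from tripping the alert.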

