Educause Security Discussion mailing list archives

Online Gaming (Xbox, PS3, Wii, PC Games, and Future Consoles etc.)


From: "Casey, J Bart" <CaseyJB () WOFFORD EDU>
Date: Wed, 3 Sep 2008 11:44:11 -0400

All,

 

I submitted this to the NetMan listserv but thought since a large
portion of this is security related, I might submit it here as well.
Your thoughts and comments are appreciated.

 

Much to my dismay, we are entertaining the possibility of allowing
gaming consoles on our network to communicate to other hosts on the
internet.  I would like to inquire as to what others are doing.
Briefly, I have the following concerns:

 

1.       Buying additional IPs from ARIN and performing static NAT for
all hosts in Residence Halls to allow inbound connections

2.       Bandwidth utilization

3.       Restructuring the network to allow for this

4.       Several security concerns

 

My options as I see them with responses relative to my concerns are as
follows:

 

1.       Don't allow it. (Great from every perspective except the
political ones)

a.       Additional IPs and Static NAT - non issue

b.      Bandwidth - non issue

c.       Restructuring the network - non issue

d.      Security - non issue (above current concerns)

2.       Allow students to purchase cable modems (We already do this but
I'm not a big fan.  However, it helps give us an out in situations like
this.)

a.       Additional IPs and Static NAT - non issue

b.      Bandwidth - non issue

c.       Restructuring the network - non issue

d.      Security - a bit more of a security concern for intentional or
unintentional firewall bypass.  (There is a solution to this in 802.1x)

3.       Buy a /19 from ARIN (if we can justify it to ARIN's
satisfaction) and perform static translations for residence halls and
open the ports (Biggest Security Concern)

a.       Additional IPs and Static NAT - Certainly an issue from a cost
perspective and justifying the need for the addresses

b.      Bandwidth - I see this need going up by at least 25%

c.       Restructuring the network - I see no way around this as a
result of additional IPs and static NAT

d.      Security - I see this as being a huge issue since our residence
networks are currently on our LAN and have access to our Windows domain
among other things.

4.       Continue moving forward with our intended 802.1x implementation
with a guest VLAN.  Game consoles would be put into guest VLAN which
doesn't touch our internal network.

a.       Additional IPs and Static NAT - Less of an issue than number 3
because we can most likely get by with a /23 from our ISP as opposed to
going to ARIN.  Worst case, a /20. 

b.      Bandwidth - I see this need going up by at least 25%

c.       Restructuring the network - I don't see this as an issue
because the network is ready for 802.1x and guest VLANs.  Our only
problem at this point is more of a social one and less of a technical
one.

d.      Security - Not as much of a concern because the guest VLAN would
be isolated.  If users wanted to be on the internal network, they would
have to "give up" their gaming during that time.  However, once they
were done on the internal network, they could then go back to the guest
network by simply unplugging their PCs and plugging in their consoles.
***Note, when users are placed in the guest network, they are splashed
with an agreement that they must accept to proceed.  Part of that
agreement would state that security is weakened as provisions have been
made in the firewall to allow gaming communication. 

 

My questions are as follows:

 

1.       What are the thoughts of the group on this?

2.       Have I missed any less obvious concerns?

3.       Have I missed any potential options?

4.       Are there any "gotchas"?

5.       Do you allow this sort of connectivity?  If yes, please answer
the other questions below.

a.       How do you allow for this (option 2, 3, 4, or other)?

b.      How does this affect your bandwidth (If anyone has traffic
charts specific to this, I would be very interested in seeing them)?

i.       What percentage of your traffic is gaming?

ii.      What percentage of your traffic is HTTP/Video Streaming?

iii.     With regards to gaming, what is the ratio of ingress to egress
bandwidth?

c.       Do you provide this for all users or is it on a case by case
basis?  If case by case, is it a management nightmare?

 

 

 

Thank you all for your time.  Please feel free to contact me off list if
you need to.

 

Regards,

 

J. Bart Casey

Network Engineer

Wofford College

 

