Educause Security Discussion mailing list archives
Re: How do you handle the P2P problem?
From: Mark Poepping <poepping () CMU EDU>
Date: Thu, 13 Nov 2003 08:47:33 -0500
Just to add to these comments.. P2P is not illegal - in fact it's an interesting and useful computing paradigm that's still in the early stages of the upswing.

Argus or netflow/sflow utilities provide significant additional capability (imho) over a snort-only implementation. They are traffic audit utilities (think Internet call records), not IDS (as is snort), so the information is different, and much more useful for tracking top-N types of things (i.e. top talkers: ports, hosts, nets).. The resulting information is generally privacy-sensitive (think call records), but it is highly valuable for complex network management functions (utilization, capacity planning, etc).

A few links you might investigate..
www.qosient.com/argus
www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
www.sflow.org
www.arbornetworks.com

mark.
---
Mark Poepping
Computing Services, Carnegie Mellon
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Bernard
Sent: Wednesday, November 12, 2003 5:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] How do you handle the P2P problem?

Accurately identifying all P2P traffic from amongst otherwise open Internet access, and more specifically, just the illegal file sharing, is going to be expensive, complicated, and time consuming, if not impossible. If you are not having a significant legal problem, and want to proceed using the least amount of capital, I suggest enumerating the common port combinations (client/server) for the most prevalent P2P applications and then creating the specific packet filtering rules or ACLs necessary to block those. Once you have these defined you can use Snort to audit the effectiveness of your filtering by watching those specific IP addresses, ports, and/or P2P application signatures.

Be aware that applications such as IRC, ICQ, and AOL are commonly used to transfer files although they often aren't grouped with P2P file sharing applications. If you block the standard P2P and then see AOL or IRC traffic skyrocket it could tip you off to this sort of activity.

You may also want to consider implementing HTTP and/or FTP proxies to control the transfer of files using these protocols, and "rogue" traffic using port 80. Many P2P applications can or do use port 80 as a method of circumventing basic packet filtering.

Regards,
Steve
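An added example (not code from either poster) of the kind of flow-record analysis Mark describes and the port-based audit Steve suggests: a small parser for constructed NetFlow/Argus-style export lines, a top-N ranking by host and by port, and a tally of internal hosts whose flows touch an enumerated watch list of ports. The export format, the watch list entries and all addresses are assumptions constructed for the example.

```python
from collections import Counter
from typing import List, NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    bytes: int

# Constructed sample export (not real traffic), one flow per line, in the
# simplified "src,dst,sport,dport,proto,bytes" shape assumed for this example.
SAMPLE_EXPORT = """\
10.0.1.5,198.51.100.7,33000,80,tcp,12000
10.0.1.5,203.0.113.9,6346,6346,tcp,900000
10.0.2.8,203.0.113.10,41000,4662,tcp,450000
10.0.3.2,198.51.100.7,33001,443,tcp,80000
10.0.1.5,203.0.113.11,6346,51234,tcp,300000
"""

# Assumed watch list for the example; populate from your own enumeration.
WATCH_PORTS = {6346, 4662}

def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed export lines into Flow records, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, proto, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(sport), int(dport), proto, int(nbytes)))
    return flows

def top_talkers(flows: List[Flow], key: str = "src", n: int = 3):
    """Rank hosts by total bytes, keyed on the 'src' or 'dst' field."""
    totals = Counter()
    for f in flows:
        totals[getattr(f, key)] += f.bytes
    return totals.most_common(n)

def top_ports(flows: List[Flow], n: int = 3):
    """Rank destination ports by total bytes (a rough 'top services' view)."""
    totals = Counter(); [totals.update({f.dport: f.bytes}) for f in flows]
    return totals.most_common(n)

def watched_port_hosts(flows: List[Flow], watch_ports) -> dict:
    """Bytes per source host for flows touching a watched port on either side."""
    hits = Counter()
    for f in flows:
        if f.sport in watch_ports or f.dport in watch_ports:
            hits[f.src] += f.bytes
    return dict(hits)
```

Because the output is per-host, it carries the same privacy sensitivity Mark notes for call records; restrict who can run it and how long the results are kept.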
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.