Educause Security Discussion mailing list archives

Re: classifying P2P traffic


From: Alex <alex.everett () UNC EDU>
Date: Tue, 29 Jan 2008 11:34:47 -0500

Jason:

Your email mentioned monitoring, not necessarily taking some action.
Also, I don't think monitoring notices is the best strategy for determining
success.
Some of the newer applications present challenges for accurately
implementing some policy (like rate-limit or block ares-warez).
It is difficult to accurately identify every flow for some of these
applications.
Many of these applications support many protocols.
Limewire supports TLS, and Ares-Warez has supported some form of encrypted
communications for some time.

At University of North Carolina, we use TippingPoint intrusion prevention
systems for enforcing a peer-to-peer policy.
TippingPoint has been very helpful and worked with us, especially with the
latest version of LimeWire.
However, we are still challenged with technical hurdles posed by AresWarez.
It seems that only some of the flows can be accurately identified.
This leaves us with blocking all the user's traffic, or letting some traffic
by.
As far as monitoring alone, what we use works very well.
We mainly see bittorrent, utorrent, limewire, and areswarez applications.

As an aside, what are other institutions doing for BitTorrent - an
application with much more legitimate use?
Anyone decided that the work involved in handling notices and possible
litigation makes it not worth it?


Alex Everett, CISSP
University of North Carolina


-----Original Message-----
From: Hughes, Scott [mailto:hughess () CENTENARYCOLLEGE EDU]
Sent: Tuesday, January 29, 2008 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] classifying P2P traffic

We are using Packeteer with great success blocking P2P traffic.

Scott C Hughes
CTO
Centenary College
Hackettstown, N.J.

-----Original Message-----
From: Consolvo, Corbett D [mailto:cc72 () TXSTATE EDU]
Sent: Tuesday, January 29, 2008 10:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] classifying P2P traffic

Jason,
  We are currently using Tipping Point to monitor/block which has been
mostly very successful.  We are also in the process of deploying Facetime's
RTGuardian solution for spyware - it also has a P2P section that looks
pretty sharp.  If you are interested I can keep you informed of our progress
on that (we just deployed it in test in a small area last night)

We think we are catching at least most P2P (based on RIAA notices :) ).
Also, our traffic patterns seem pretty healthy.

Thanks,
Corbett Consolvo
Information Security Analyst
Texas State University
Cc72 () txstate edu


-----Original Message-----
From: Youngquist, Jason R. [mailto:jryoungquist () CCIS EDU]
Sent: Tuesday, January 29, 2008 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] classifying P2P traffic

What devices are you using to monitor P2P traffic and how well are they
working for you?  Is there some P2P traffic that you believe your monitoring
software isn't catching?  I.e., encrypted traffic, outdated P2P definitions
from the vendor, etc.


Thanks.
Jason Youngquist
jryoungquist () ccis edu
