Educause Security Discussion mailing list archives

Re: Online Gaming (Xbox, PS3, Wii, PC Games, and Future Consoles etc.)


From: Daniel Bennett <dbennett () PCT EDU>
Date: Wed, 3 Sep 2008 12:44:32 -0400

We allow game consoles at Penn College.  We recently implemented 802.1x on wireless, so we created an Internet Only SSID
for game consoles.  Students must register the MAC address of their game console in order to be able to use the special
network.  So far it has worked out well.  We use a packet shaper to throttle traffic, giving college-related business
more priority than gaming.  However, we supply enough bandwidth to support computer games and game consoles.


Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Casey, J Bart
Sent: Wednesday, September 03, 2008 11:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Online Gaming (Xbox, PS3, Wii, PC Games, and Future Consoles etc.)

All,

I submitted this to the NetMan listserv but thought since a large portion of this is security related, I might submit 
it here as well.  Your thoughts and comments are appreciated.

Much to my dismay, we are entertaining the possibility of allowing gaming consoles on our network to communicate to 
other hosts on the internet.  I would like to inquire as to what others are doing.  Briefly, I have the following 
concerns:


1. Buying additional IPs from ARIN and performing static NAT for all hosts in Residence Halls to allow inbound connections

2. Bandwidth utilization

3. Restructuring the network to allow for this

4. Several security concerns

My options as I see them with responses relative to my concerns are as follows:


1. Don't allow it. (Great from every perspective except the political ones)

   a. Additional IPs and Static NAT - non issue
   b. Bandwidth - non issue
   c. Restructuring the network - non issue
   d. Security - non issue (above current concerns)

2. Allow students to purchase cable modems (We already do this but I'm not a big fan.  However, it helps give us an out in situations like this.)

   a. Additional IPs and Static NAT - non issue
   b. Bandwidth - non issue
   c. Restructuring the network - non issue
   d. Security - a bit more of a security concern for intentional or unintentional firewall bypass.  (There is a solution to this in 802.1x)

3. Buy a /19 from ARIN (if we can justify it to ARIN's satisfaction) and perform static translations for residence halls and open the ports (Biggest Security Concern)

   a. Additional IPs and Static NAT - Certainly an issue from a cost perspective and justifying the need for the addresses
   b. Bandwidth - I see this need going up by at least 25%
   c. Restructuring the network - I see no way around this as a result of additional IPs and static NAT
   d. Security - I see this as being a huge issue since our residence networks are currently on our LAN and have access to our Windows domain among other things.

4. Continue moving forward with our intended 802.1x implementation with a guest VLAN.  Game consoles would be put into guest VLAN which doesn't touch our internal network.

   a. Additional IPs and Static NAT - Less of an issue than number 3 because we can most likely get by with a /23 from our ISP as opposed to going to ARIN.  Worst case, a /20.
   b. Bandwidth - I see this need going up by at least 25%
   c. Restructuring the network - I don't see this as an issue because the network is ready for 802.1x and guest VLANs.  Our only problem at this point is more of a social one and less of a technical one.
   d. Security - Not as much of a concern because the guest VLAN would be isolated.  If users wanted to be on the internal network, they would have to "give up" their gaming during that time.  However, once they were done on the internal network, they could then go back to the guest network by simply unplugging their PCs and plugging in their consoles.   ***Note, when users are placed in the guest network, they are splashed with an agreement that they must accept to proceed.  Part of that agreement would state that security is weakened as provisions have been made in the firewall to allow gaming communication.

My questions are as follows:


1. What are the thoughts of the group on this?

2. Have I missed any less obvious concerns?

3. Have I missed any potential options?

4. Are there any "gotchas"?

5. Do you allow this sort of connectivity?  If yes, please answer the other questions below.

   a. How do you allow for this (option 2, 3, 4, or other)?
   b. How does this affect your bandwidth (If anyone has traffic charts specific to this, I would be very interested in seeing them)?
      i. What percentage of your traffic is gaming?
      ii. What percentage of your traffic is HTTP/Video Streaming?
      iii. With regards to gaming, what is the ratio of ingress to egress bandwidth?
   c. Do you provide this for all users or is it on a case by case basis?  If case by case, is it a management nightmare?



Thank you all for your time.  Please feel free to contact me off list if you need to.

Regards,

J. Bart Casey
Network Engineer
Wofford College

