Educause Security Discussion mailing list archives

Re: Gaming and dorm students


From: "Loftus, Steven E" <seloftus () MCKENDREE EDU>
Date: Thu, 17 Jan 2013 17:40:05 +0000

At my location bandwidth is a serious concern due to availability - we are a small university and the local 
infrastructure cannot provide above about 100Mbps service.  In practice we don't even need this to facilitate reliable 
connections and speeds with proper shaping techniques.

Our approach was to do some research on how the games actually behave in practice instead of on paper.  The p2p aspect 
of games is usually a portion of the updater and not the game itself.  The updater will also use a pre-defined port 
range that is manageable, usually not exceeding about 1000 ports and certainly not in the range used by p2p clients 
used for things like downloading music and movies.  However, if you're in a limited bandwidth setting, p2p activity will 
kill you due to the massive overhead of that many connections being made.

We use a 3-fold approach - the first is your basic firewall using default block rule and being somewhat liberal with 
how we open ports at the request of students.  You'll need to do some research for them to figure out the necessary 
ports, but that's not a big deal.  The 2nd factor is your application filtering - getting your signature detection 
working right so you can see when people are using p2p.  Of course the p2p won't work with a restrictive firewall, but 
the overhead is still there and can lead to congestion.  In our case we block p2p that isn't explicitly allowed by the 
firewall rules.  Then we send the student a scary e-mail telling them to knock it off.  The third step is just very 
basic shaping - as the bandwidth and connection in use goes up, available bandwidth and connections allowed goes down.  
This is quite possibly voodoo and is just taken care of by our gateway and I don't ask it questions.  It does mean that 
p2p updates usually don't work very well because, while the WAN bandwidth isn't really being used, they are using a ton 
of half-open connections.  When the game updater sees the p2p updater isn't working it usually kicks itself over to an 
HTTP download, which isn't really a problem.

For reference - we were not happy with given appliance in terms of benefits to cost and accomplish most of this using a 
cheaper server, Untangle, and some of our own wizardry.  Each type of network, wired and wireless, feeds through their 
own vLANs, their own gateways (as VMs, of course), and out through a commercial ISP to keep costs down and isolate 
their activity from the academic network.

The real problem you're going to have is trying to offer wireless support for game consoles if you try to do anything 
other than PSKs, but that is a discussion for another thread.

-Steven
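
An added example, not part of the original post and not the gateway's actual algorithm: a Python sketch of the second and third steps described above, flagging hosts whose flows look like p2p (many half-open connections to many distinct peers) and shrinking the per-host connection allowance as total connections in use rise. The flow records, port range, thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed policy values (assumptions, not taken from the post).
ALLOWED_PORTS = {80, 443} | set(range(6112, 6120))  # hypothetical updater range
HALF_OPEN_LIMIT = 5   # half-open connections before a host looks suspicious
PEER_LIMIT = 5        # distinct remote peers before a host looks suspicious

# Constructed flow records: (src_ip, dst_ip, dst_port, tcp_state).
FLOWS = [("10.20.0.5", "198.51.100.10", 443, "ESTABLISHED")] * 3 + [
    ("10.20.0.9", f"203.0.113.{i}", 51000 + i, "SYN_SENT") for i in range(1, 9)
]

def summarize(flows):
    """Per-source counters: distinct peers, half-open flows, off-policy ports."""
    stats = defaultdict(lambda: {"peers": set(), "half_open": 0, "off_policy": 0})
    for src, dst, port, state in flows:
        entry = stats[src]
        entry["peers"].add(dst)
        if state == "SYN_SENT":          # SYN sent, handshake never completed
            entry["half_open"] += 1
        if port not in ALLOWED_PORTS:    # would be dropped by the default-block rule
            entry["off_policy"] += 1
    return stats

def flag_p2p_like(flows):
    """Hosts with many half-open connections fanned out to many peers."""
    return [
        src
        for src, entry in sorted(summarize(flows).items())
        if entry["half_open"] >= HALF_OPEN_LIMIT
        and len(entry["peers"]) >= PEER_LIMIT
    ]

def per_host_conn_allowance(active_total, capacity=1000, floor=10, ceiling=200):
    """Allowance falls linearly from ceiling to floor as active_total nears capacity."""
    free = max(capacity - active_total, 0)
    return max(floor, min(ceiling, ceiling * free // capacity))

if __name__ == "__main__":
    print("p2p-like hosts:", flag_p2p_like(FLOWS))
    for load in (0, 500, 950):
        print(load, "active ->", per_host_conn_allowance(load), "per host")
```
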

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hahues, 
Sven
Sent: Thursday, January 17, 2013 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Gaming and dorm students

I am late to the party but here's what we do:

We got the charge from our housing administration to make living in housing as close to living at home as possible, so 
we have totally unfiltered Internet, and a dedicated publicly routable network for PlayStations/Xboxes to get around 
the NAT complications.

It's great for the students, it's hard for us, because we never have enough bandwidth.  We have recently deployed an 
Exinda traffic shaping device (like 2 weeks ago) but we are still in the process of tuning it.

We have a system that ties in with our NAC that will automatically move p2p users into a quarantine network, and they 
get told they violated our network's acceptable use policy.  This helps us for the most part with the RIAA/MPAA 
complaints.

Depending on the amount of people in your dorms, the sign-in sheet may work, or you could allow everything from the 
dorms, and just log who does what.  If you get an RIAA notice, you can suspend the user's network access.

Just some ideas.

Sven

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob 
Williamson
Sent: Monday, January 14, 2013 9:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Gaming and dorm students

I am the network admin at a small K-12 private school.  We have about 90 dorm students.



A problem I am running into is enabling the dorm students to be able to use normal games like "World of Warcraft", 
"League of Legends", etc.  It seems a lot of these games are using bittorrent on the backend.



Without digging into the specifics, how are others handling the dormers' requests?  Telling them no does not seem 
appropriate, but not letting them play seems bogus.  I was toying with the idea of having the individuals sign a sheet 
saying they will not use bittorrent for illegal purposes.



Any thoughts would be appreciated.



Note that I am using a Palo Alto so can handle filtering by user and app level.



Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org <http://www.aw.org/>
D: 253.272.2216 | F: 253.572.3616 | Bob_Williamson () aw org
