
Looking at the current discussion on DMCA notices, I was wondering how those of you using NAT handle associating a DMCA notice with a particular client system. This continues to be a challenge for us. Kevin

Comments

Kevin,

The way that I handle the DMCA and NAT issue is that I run syslog of my border firewall at a somewhat "INSANE" level. Match outside address to inside address; take the inside address and match via NAC system and DHCP logs to client machine. Then I send notice to student/StudentLife Office and suspend network access.

Dave

David Bulanda
Network Services Manager
dgbulanda@indianatech.edu
Indiana Tech
We had a very large number of DMCA/RIAA notices a few years back at the end of a Spring semester. The decision was made to make a best effort attempt to block P2P traffic and we have gone years without a DMCA notice from the RIAA. We decided that the abuse of P2P traffic at our university far outweighed the good uses.

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@LISTSERV.EDUCAUSE.EDU] on behalf of Bulanda, Dave G [DGBulanda@INDIANATECH.EDU]
Sent: Tuesday, November 29, 2011 11:43 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] DMCA and NAT
Message from john.ladwig@so.mnscu.edu

Second the comment re: "insane" level of campus-border firewall logging necessary to respond to lawful requests. We're over 100GB/day across our 60ish campuses. Cisco's ASAs won't log NAT bind (setups and teardowns) unless you go to "debug" level. We do have a few noisy+useless message IDs which we don't send as well. Dunno how much volume that saves us, though.

-jml
We are not blocking P2P, but I am throttling it way back. I used to get ~2 notices a day from the RIAA/MPAA, but those stopped about 6-7 months ago. I don't think it's because of my rate-shaping though. Maybe I'm just doing a better job sending their emails to the junk folder?

I have told my ISP and the RIAA and the MPAA that, if they give me more information (e.g. the address of the system that located the offending computer on-campus), I will gladly track down the offender and shut them down .. (insert cricket noise here). I don't have the manpower to pore through logs.

Having said that, we are going to implement a 1:1 NAT pool in the next few weeks. I'll then know who had a specific public address at any given time.

-Brian
We are blocking P2P as best as we can with our UTM firewall and opening it up for special requests. I get about 1 request per year. So far every distro that uses P2P also has a unicast option. It is just slower but it works.

We get very few RIAA complaints (1-2 per year). So far they have only been warnings. When we do get them it just says the source address, time and port. I do not believe that is enough information to prove guilt. I really need source and destination. With the differences in system time I cannot say for sure that an individual downloaded or uploaded content with just source and port number.

Those of you who are using your logs to do this, do you feel comfortable accusing someone without having all of the info? Is it not possible that more than one machine could be using the same port at the same time, one legal and one illegal? Accusing one of our "customers" of stealing and putting them through the legal consequences is a serious thing. I'm not willing to do that without time, source IP, destination IP, source port, destination port.

Even then how do I know someone has not spoofed a MAC address and posed as someone else on the network? We use a MAC auth NAC to identify individuals. Anyone who knows anything about networking could use Wireshark to grab a MAC address from a broadcast packet. Later they could spoof their MAC to make themselves look like someone else. The only way I can think of to absolutely prove an individual's guilt would be to force them to use 802.1x. I've seen that horror movie.

John Kaftan
IT Infrastructure Manager
Utica College
315.792.3102
Having gone through this exact sort of thing at both a higher ed institution *and* a fed R&D lab - you are exactly right. Even having source and destination usually isn't enough.....you pretty much have to catch someone with "hands on the keyboard" to satisfy any kind of legal test. Can you satisfy an "internal policy"?.....that depends on how well you write the policy, and how far someone is willing to stretch/enforce that policy. What about the defense claim of a "compromised account"?, (whether real or contrived?).....or the "accidental click"?......or "my computer had malware, but I cleaned it up now"? I've heard all of these - and seen them both succeed and fail as "defense".....

Tough nut to crack.....

M
We validate every claim using Netflow data .. we look for the flows from the address on the port, then use the time of the flows to find the MAC address - we also get the person to validate the claim (authenticate using ID)

Joel

--On Wednesday, November 30, 2011 7:42 AM -0700 "SCHALIP, MICHAEL" wrote:
> Having gone through this exact sort of thing at both a higher ed institution *and* a fed R&D lab - you are exactly right.
Kevin,

We generate copious NAT logs off our firewall (Cisco ASA) and compress the crap out of them nightly. Doable.

When we get a takedown notice we decompress the log for the day in question and grep the IP/port combo. By and large, the time is right on target (well within a minute). That log file entry goes in the evidence pile. [The only requests we've had trouble with are ARES requests from RIAA. I've repeatedly offered to work with them to figure out why they're broken. Crickets.]

We look at our NAC (Impulse) records to see who owned the internal address at that time. We grab a pretty screenshot and add it to the evidence pile.

If the address is from an internal wireless (Meraki) pool we look for layer 7 evidence of P2P use. If we see any we grab a pretty screenshot and add it to the evidence pile.

If the identified machine is currently on the network we'll look for live evidence of P2P traffic on our bandwidth shaper (Procera).  If we see any we grab a pretty screenshot and add it to the evidence pile.

Once the evidence is compiled we forward the takedown notice and evidence to the student. In our cover letter we are charitable and suggest that, perhaps, they don't realize that they are sharing the file and ask them to disable access to the file. We offer to further explain, to assist in disabling access, and to accept that they actually have copyright holder's permission to share the file. We ask them to help the college maintain its online reputation.

           
Rand
 
Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532



Has anyone gone as far as trying to calculate the “cost per incident” of having to respond to something like this?  While it’s almost always *possible* to track something like this down to a 95% certainty, (given enough time and FTE funding to HAVE someone do this!?)……what is it costing our institutions to respond to these kinds of things??  Even if it only takes 1-2 hours to come up with this 95% certainty – what is that 1-2 hours costing us over the course of a year?  Surely someone has already calculated this….??

 

M

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of hall, rand
Sent: Wednesday, November 30, 2011 8:10 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] DMCA and NAT

 




Michael:

Here is an article from our student paper, I would not take it as gospel, but it is probably a good estimate.

Also, our students are not undergoing NAT.

Sincerely,

Alex Everett
University of North Carolina

On Nov 30, 2011, at 10:39 AM, SCHALIP, MICHAEL wrote:




It only takes us about 10 minutes to process a takedown request. We get a couple per week--which is mostly our own fault because our education program is minimal.

I would imagine that processing time is largely related to your infrastructure and available tools.

Rand

And that 10 minutes could be reduced to 1-2 if the complaints contained the needed information.  If the RIAA/MPAA want our assistance, they should give us the information we need.  This is why SOPA is so dangerous.  The RIAA/MPAA will have no responsibility in protecting their “own” IP… including incurring none of the enforcement costs.

 

All in all, I believe higher ed wants to act responsibly, but the more the (recording/movie) industry pushes, the more I want to push back (anyone else have that Star Wars Death Star scene and the line “the more you tighten your grip, the more they slip through your fingers” stuck in your head now?  Ok, me neither.  Never seen it.).

 

/soapbox.

 

-Brian

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of hall, rand
Sent: Wednesday, November 30, 2011 11:22 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] DMCA and NAT

 


On Wed, 2011-11-30 at 07:42 -0700, SCHALIP, MICHAEL wrote:
> Tough nut to crack.....

I disagree. Processing of a DMCA notice isn't (at least here it isn't) a matter of civil, much less criminal, prosecution. The part of interest to us, and I would expect most institutions, is the safe harbor provision. To maintain that we must remove access to allegedly infringing material on receipt of a valid* complaint. I validate a complaint by noting netflow activity for the IP and port listed at the indicated time, and just looking at the flows it is trivial to tell if they were running gnutella or bit torrent. We haven't gotten an erroneous complaint in a long time.

The point is that the student isn't being accused of copyright infringement. What happened was the university received a notice that, when properly filed, requires us to block/prevent/remove the allegedly infringing work. That we do more than that is a matter of policy arrived at by input from IT, Student Judicial Affairs and the student council. And *that* policy is again contingent only on receipt of a validated DMCA notice, not on proof that the allegedly infringing work was in fact the work in question, nor on proving that the student was deliberately and intentionally sharing it.

Looking at receipt of a DMCA notice as accusation of copyright infringement and treating it like a prosecution is, in my opinion, an entirely wrong tack to take.

* okay, validity of the complaint is a longer topic, but one thing I'd like to point out is that they only have to claim the listed work was the one being provided. The DMCA itself does not require that this claim be true. I have a serious issue with this and that provision was used to force us to pull (for a period of time) material that was created and posted by the copyright holder (one of our faculty). The pulling was per general counsel, but was entirely consistent with my understanding of the DMCA.

Tim Doty
Message from maszeroskia3@scranton.edu

We wrote an in-house system to correlate NAC, dhcp, and NAT translation logs. We use it for any instance where we need to take a timestamp and one of: internal_ip, external_ip, or mac_address and trace it back to a user.
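Rand's procedure and the in-house correlation system described just above both reduce to the same lookup: take the public IP, port and timestamp from the notice, find the NAT translation that covered them, then find who held the inside address. The following is an added example, not code from the thread or from any institution; the ASA-style log lines and lease records are constructed, and the skew tolerance stands in for John Kaftan's point that clock differences can make the answer ambiguous.

```python
import re
from datetime import datetime, timedelta

# Constructed NAT translation log lines in a Cisco ASA-style syslog layout
# (format and message IDs assumed for illustration; not a real capture).
NAT_LOG = """\
Nov 30 2011 08:01:10 fw %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.40/51234 to outside:192.0.2.10/40001
Nov 30 2011 08:05:42 fw %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.40/51234 to outside:192.0.2.10/40001 duration 0:04:32
Nov 30 2011 08:06:03 fw %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.77/60000 to outside:192.0.2.10/40001
Nov 30 2011 08:09:15 fw %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.77/60000 to outside:192.0.2.10/40001 duration 0:03:12
"""
# Constructed DHCP/NAC records: (inside_ip, mac, user, lease_start, lease_end).
LEASES = [
    ("10.20.30.40", "00:11:22:33:44:55", "student_a", "Nov 30 2011 07:00:00", "Nov 30 2011 19:00:00"),
    ("10.20.30.77", "66:77:88:99:aa:bb", "student_b", "Nov 30 2011 08:00:00", "Nov 30 2011 20:00:00"),
]
NAT_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d) \S+ %ASA-\d-3050(?P<ev>11|12): "
    r"(?:Built|Teardown) dynamic (?:TCP|UDP) translation from "
    r"inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)

def ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def parse_translations(log):
    """Pair each Built (305011) with its Teardown (305012) into
    (outside_ip, outside_port, inside_ip, start, end); end is None if still open."""
    open_xlate, done = {}, []
    for line in log.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        key = (m["out_ip"], m["out_port"], m["in_ip"], m["in_port"])
        if m["ev"] == "11":
            open_xlate[key] = ts(m["ts"])
        elif key in open_xlate:
            done.append(key[:3] + (open_xlate.pop(key), ts(m["ts"])))
    return done + [k[:3] + (start, None) for k, start in open_xlate.items()]

def inside_hosts(xlates, out_ip, out_port, when, skew=timedelta(seconds=60)):
    """Inside addresses holding out_ip/out_port at `when`. Each translation's
    lifetime is widened by `skew` to absorb clock drift between the complainant
    and the firewall; more than one hit means the notice alone is ambiguous."""
    hits = {in_ip for o_ip, o_port, in_ip, start, end in xlates
            if (o_ip, o_port) == (out_ip, str(out_port))
            and start - skew <= when and (end is None or when <= end + skew)}
    return sorted(hits)

def lease_owner(inside_ip, when):
    """MAC and user recorded by DHCP/NAC as holding inside_ip at `when`."""
    for ip, mac, user, start, end in LEASES:
        if ip == inside_ip and ts(start) <= when <= ts(end):
            return {"mac": mac, "user": user}
    return None

def resolve_notice(out_ip, out_port, when_str, skew_seconds=60):
    """Notice fields (public ip, port, time) -> inside host(s) -> lease owner(s)."""
    when = ts(when_str)
    hosts = inside_hosts(parse_translations(NAT_LOG), out_ip, out_port, when,
                         timedelta(seconds=skew_seconds))
    return {ip: lease_owner(ip, when) for ip in hosts}
```

With the sample data, a notice timed at 08:03 resolves to one host, while one timed at 08:05:50 resolves to two hosts under a 60-second tolerance and to none with no tolerance, which is exactly the case where the notice cannot be attributed without more information.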
Message from kay.avila@uni.edu

> Cisco's ASAs won't log NAT bind - setups and teardowns - unless you
> go to "debug" level.

As for the logging on the ASA, you can do that without turning on debug. You can adjust the level of individual log entries on the ASAs so you don't have to enable all debugging to see NAT setup/teardown. So if you find the log ids for the NAT setups and teardowns (see [1]), you can change the severity level of the message:

logging message <message_id> level <severity>

[1] http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsg...

Kay Avila
--
Kay Avila
Network Engineer, ITS-Network Services
15 Curris Business Building, Cedar Falls, IA 50614-0121
kay.avila@uni.edu
Phone: 319-273-5924 Fax: 319-273-7373

On 11/29/2011 2:20 PM, John Ladwig wrote:
> Second the comment re: "insane" level of campus-border firewall logging necessary to respond to lawful requests.
Message from john.ladwig@so.mnscu.edu

Thanks for the heads-up. I was just about to review our ASA message-logging setup.

-jml

--- original message ---
From: "Kay Avila"
Subject: Re: [SECURITY] DMCA and NAT
Date: December 1, 2011
Time: 9:39:43