
Message from j.wang@its.utexas.edu

We are using the A10 AX3530 platform to do NAT for our wireless network. We use fixed NAT to avoid having to track by individual connections/sessions. It's just a static mapping of internal address to external address + port range. Then it's just a matter of tracking the internal addresses to user, which has a much lower turnover rate. Given our number of users and traffic rates (and a good sized contiguous pool of external addresses we were able to re-purpose), this seemed like the best option for us.

Jason

On 10/02/2013 02:25 PM, Todd M. Hall wrote:
> We have a similar configuration for our wireless and took a different
> approach. We developed our own tools to store the data in a database
> and have a simple php query page for searching (it also queries our dhcp
> data to narrow it down to a mac address). If you have questions you can
> contact me off list.
>
> On Wed, 2 Oct 2013, Baily,Scott wrote:
>
>> Date: Wed, 02 Oct 2013 17:33:32 +0000
>> From: "Baily,Scott"
>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>
>> To: WIRELESS-LAN@listserv.educause.edu
>> Subject: [WIRELESS-LAN] Wireless NAT & Tools for tracking DMCA reports
>>
>> Greetings,
>>
>> We have a large wireless network that uses private IP addresses, and
>> wireless VLANs are currently homed on a Cisco 6500. Off-site traffic
>> is NAT'd by a Cisco ASA5525X with a public IP pool of 128 addresses.
>> Log files (generated via "informational" logging level) show public
>> IP/port. These ports are re-used every few seconds, however, making it
>> very difficult (nearly impossible at times) to map a DMCA report to a
>> specific private IP address, and ultimately an individual user.
>>
>> Has anyone developed tools to automate this particularly onerous
>> task? Other approaches that are working on your campus that we should
>> consider?
>>
>> Many thanks in advance,
>>
>> Scott
>>
>> ------------------------------------------------
>> Scott Baily
>> Director
>> Academic Computing & Networking Services
>> Colorado State University
>> Ft. Collins, CO. 80523-1018
>> Phone: (970) 491-7655 <> FAX: (970) 491-1958
>> ------------------------------------------------
>>
>>
>> **********
>> Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>>
>>
>

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
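Added example, not code from Jason's post or from the A10 platform: a Python model of the fixed-NAT scheme he describes, in which every internal address is statically assigned one external address plus a fixed port block, so a notice quoting a public IP and port resolves to the internal address by arithmetic alone, with no per-session log to search. The inside range, the eight-address public pool, the 1024 port floor and the block layout are constructed assumptions; the device configuration itself is not shown.

```python
"""Deterministic fixed-NAT (port-block) mapping.

Each inside address owns exactly one (outside address, port block) pair.
Forward lookup answers "what public IP/ports does this client use";
reverse lookup answers "which inside address held this public IP/port",
which is the question a DMCA notice poses.
"""
from ipaddress import IPv4Address, IPv4Network

INTERNAL = IPv4Network("10.20.0.0/22")      # constructed: 1024 inside addresses
EXTERNAL = IPv4Network("203.0.113.0/29")    # constructed: 8 public addresses (TEST-NET-3)
PORT_BASE = 1024                            # constructed: ports below this are never handed out
PORT_MAX = 65535

# Number of inside addresses that share one outside address (ceiling division),
# and the size of the contiguous port block each of them receives.
HOSTS_PER_EXTERNAL = -(-INTERNAL.num_addresses // EXTERNAL.num_addresses)
BLOCK_SIZE = (PORT_MAX - PORT_BASE + 1) // HOSTS_PER_EXTERNAL
PORT_TOP = PORT_BASE + HOSTS_PER_EXTERNAL * BLOCK_SIZE - 1  # highest port actually allocated


def forward(inside: str):
    """Return (outside_ip, first_port, last_port) for an inside address."""
    ip = IPv4Address(inside)
    if ip not in INTERNAL:
        raise ValueError(f"{ip} is not in the fixed-NAT inside range")
    idx = int(ip) - int(INTERNAL.network_address)
    outside = EXTERNAL[idx // HOSTS_PER_EXTERNAL]
    first = PORT_BASE + (idx % HOSTS_PER_EXTERNAL) * BLOCK_SIZE
    return str(outside), first, first + BLOCK_SIZE - 1


def reverse(outside: str, port: int):
    """Return the inside address that owns outside:port, or None if the pair
    can never have been assigned by this mapping (wrong pool, unused port)."""
    ip = IPv4Address(outside)
    if ip not in EXTERNAL:
        return None
    if not PORT_BASE <= port <= PORT_TOP:
        return None
    block = (port - PORT_BASE) // BLOCK_SIZE
    idx = (int(ip) - int(EXTERNAL.network_address)) * HOSTS_PER_EXTERNAL + block
    if idx >= INTERNAL.num_addresses:
        return None
    return str(INTERNAL.network_address + idx)


def check_round_trip() -> bool:
    """Every inside address must map to a block whose ends map back to it."""
    for idx in range(INTERNAL.num_addresses):
        inside = str(INTERNAL.network_address + idx)
        outside, first, last = forward(inside)
        if reverse(outside, first) != inside or reverse(outside, last) != inside:
            return False
    return True


if __name__ == "__main__":
    print(f"{HOSTS_PER_EXTERNAL} inside hosts per public address, {BLOCK_SIZE} ports each")
    print("10.20.0.129 ->", forward("10.20.0.129"))
    print("203.0.113.1:1600 ->", reverse("203.0.113.1", 1600))
    print("round trip ok:", check_round_trip())
```

The reverse lookup returns None rather than a guess when the port or address could not have been assigned, which is the check an analyst wants before attributing a notice. What remains, as Jason notes, is the inside-address-to-user record (DHCP or authentication logs), which changes far less often than a PAT session table.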

Comments

I agree, ever since we blocked P2P we get 1-5 DMCA reports a year.  You may be able to extend the PAT timeout so the ports are not reused so quickly.

Joshua Gonzalez, CCNA, Network+

Manager of Network Services

Texas A&M Corpus Christi

361-825-2576
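
Added example, not code from the thread or from Cisco: a small Python correlator for the dynamic PAT situation Scott describes and the port-reuse problem Joshua's comment addresses. It reads constructed syslog lines shaped like the ASA "Built/Teardown dynamic TCP translation" messages (IDs 305011 and 305012), rebuilds the lifetime of each public IP/port translation, and answers "which inside address held this public IP and port at this time". Because notice timestamps are coarse and clocks drift, the lookup takes a tolerance window and returns every overlapping candidate, so a port reused within seconds shows up as ambiguous instead of silently resolving to the wrong client. The hostname, addresses, times and the assumed year 2013 are all constructed.

```python
"""Correlate a (public IP, port, time) triple with ASA-style dynamic PAT logs."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_YEAR = 2013  # assumption: classic syslog timestamps carry no year

# Constructed sample lines in the shape of ASA 305011 (Built) / 305012 (Teardown).
# Note that outside port 20001 is handed to a second client one second after
# the first translation is torn down.
SAMPLE_LOG = """\
Oct  2 13:00:01 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.30.1.15/50123 to outside:198.51.100.7/20001
Oct  2 13:00:04 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.30.1.15/50123 to outside:198.51.100.7/20001 duration 0:00:03
Oct  2 13:00:05 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.30.2.99/41000 to outside:198.51.100.7/20001
Oct  2 13:00:09 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.30.2.99/41000 to outside:198.51.100.7/20001 duration 0:00:04
Oct  2 13:00:10 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.30.3.7/33000 to outside:198.51.100.7/20002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-3050(?P<kind>11|12): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)


@dataclass
class Translation:
    inside_ip: str
    inside_port: int
    start: datetime
    end: Optional[datetime] = None  # None: no teardown seen, still active at end of log


Key = Tuple[str, str, int]  # (protocol, outside ip, outside port)


def parse_ts(raw: str) -> datetime:
    """Parse 'Oct  2 13:00:01' (syslog style, no year) into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")


def parse_log(text: str) -> Dict[Key, List[Translation]]:
    """Build, per outside IP/port, the ordered list of translations that used it."""
    table: Dict[Key, List[Translation]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated message types are ignored
        key = (m["proto"], m["out_ip"], int(m["out_port"]))
        ts = parse_ts(m["ts"])
        recs = table.setdefault(key, [])
        if m["kind"] == "11":
            recs.append(Translation(m["in_ip"], int(m["in_port"]), ts))
        else:
            # Close the most recent still-open translation for the same inside endpoint.
            for rec in reversed(recs):
                if rec.end is None and rec.inside_ip == m["in_ip"] and rec.inside_port == int(m["in_port"]):
                    rec.end = ts
                    break
    return table


def candidates(table: Dict[Key, List[Translation]], public_ip: str, public_port: int,
               when: str, tolerance_s: int = 2, proto: str = "TCP") -> List[Translation]:
    """All translations of public_ip:public_port active within +/- tolerance_s of `when`.

    More than one result means the port was reused too close to the reported time
    to attribute the notice from this log alone.
    """
    t = parse_ts(when)
    lo, hi = t - timedelta(seconds=tolerance_s), t + timedelta(seconds=tolerance_s)
    hits = []
    for rec in table.get((proto, public_ip, public_port), []):
        end = rec.end if rec.end is not None else datetime.max
        if rec.start <= hi and end >= lo:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    table = parse_log(SAMPLE_LOG)
    for port, when in ((20001, "Oct 2 13:00:02"), (20001, "Oct 2 13:00:04"), (20002, "Oct 2 13:00:30")):
        hits = candidates(table, "198.51.100.7", port, when)
        label = "AMBIGUOUS" if len(hits) > 1 else "ok" if hits else "no match"
        print(f"198.51.100.7:{port} at {when}: {[h.inside_ip for h in hits]} ({label})")
```

Run against a real export the tolerance should be set from the measured skew between the notice source and the firewall clock; a longer PAT timeout, as Joshua suggests, widens the gap between successive users of a port and so shrinks the number of ambiguous lookups.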


We block all P2P and have no problems with DMCA.


Message from mark.duling@biola.edu

Ditto on blocking DMCA.  We're using ASA-CX module to do it and it seems to do the job well.  I'm curious as to what other devices/methods y'all are using that have been effective in blocking bittorrent.



We have 17k+ concurrent wireless clients and 100% are private IPs.  We then NAT at the firewall.  We also purposefully block peer to peer with fairly good success.  But, when we get an infringement notice or virus report or a subpoena for information we have had a challenge.  We only get one – three per month, so the volume is very low.

We figure we are legally obligated to be able to identify every person on our network due to the Higher Ed Opportunity Act (HEOA).  It’s a financial aid law, but there are a few paragraphs in there that say we need to identify everyone.  We have no open guest wireless partly because of it (open wireless to onboarding guests via sending them a password via SMS text message and then all users switch to WPA2 enterprise offering).

Regarding DMCA stuff, our strategy has been to use netflow.  We netflow from our internet routers (now 1:1 sample and they see the public addresses), from the firewalls (1:100 sample and should see public and private conversations), and from our core routers inside the firewall (1:100 sample should see private IP).

We often just get a timestamp and our public IP and port.  We attempt to map that to a destination and then search netflow for that destination and timestamp.  We are missing a small percentage of these and are struggling to close that gap.  Some folks have suspected our 1:100 sample rate is causing us to miss data, but I can’t push it down to 1:1 on all the gear.  It’s always the inside that we miss so it’s possible it’s true.

Adam


Not to diverge from the immediate topic too much, but for the people who block P2P, do you not get complaints from people trying to download linux distros?  Also, blocking P2P doesn’t necessarily stop the identification of the DMCA infractions, in which case you’d still have to track the offender down.  I am blocking outgoing P2P so our students (presumably, but who knows) can’t re-serve files, but somehow the initial identifications are still being made.  I haven’t spent the time to research this.

With regard to the immediate topic, we too are using a Cisco ASA to NAT our student population.  We are using a 1:1 NAT until the pool of public addresses is depreciated, and then it starts doubling down on the public addresses.

-Brian


We have a whitelist setup for researchers and IT folks that need to download Linux files. 


Joshua Gonzalez, CCNA, Network+

Manager of Network Services

Texas A&M Corpus Christi

361-825-2576


Message from toivo@usf.edu

For those institutions that are blocking P2P – do you have resident students/staff/faculty, and how are they taking it? There seem to be a fair bit of applications that use P2P protocols, such as Blizzard’s update service, and I just ran into ASUS distributing driver downloads that way (as an alternative option to direct download). What other, if any, restrictions do you place on residential Internet use?


--

Toivo Voll

Network Engineer

Information Technology Communications

University of South Florida


We don’t have issues. For every legitimate software that claims to need P2P there appears to be an alternative that is quite workable. (How long does it take to download a driver?) Having said that though, about a year ago we moved our packet shapers off the Internet edge due to some outages they caused, closer to the students. This also helped address capacity issues on the shapers. The result is that we now only block it for networks that the students primarily use. Staff and faculty wired is not currently blocked. This has not been a problem as they don’t seem to do illegal downloads. And if they do, it is much easier to address. The other advantage of having it just in front of student networks is that it eliminates traffic load and false positives to and from our server networks.


Pete Morrissey

Director of Networking

Syracuse University


Here at Olin College.


We have bittorrent blocked via the application on our Palo Alto firewalls. So it is just the P2P application “bittorrent”.

We also use a Procera for bandwidth management and do not have an issue with games that use the tech as they are defined differently in both applications appliances.

So far so good; a couple of students have asked about it, but once informed of the why (DMCA & RIAA complaints), we have not heard much more about it in the year's time since we blocked bittorrent outright.


Student resident halls get to use 40% of the overall bandwidth for residential wired connections.

Wireless is also restricted but only for high bandwidth applications like steam downloads. Not unusable but enough to get the job done without killing wireless for the entire community.


Michael Horne

Network Engineer

Olin College of Engineering

1000 Olin Way, Milas Hall, Suite LL18

Needham, MA 02492

1-781-292-2438


On Oct 7, 2013, at 08:18 , Brian Helman wrote:
>
> I am blocking outgoing P2P so our students (presumably, but who knows) can’t re-serve files, but somehow the initial identifications are still being made. I haven’t spent the time to research this.
>

This is likely because the DMCA enforcement agents are often just looking for the IPs of clients that are joining the swarm, not necessarily ones that are actually serving up content. At least that's how things used to be back when I dealt more with security incidents.

--
Julian Y. Koh
Acting Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site:
PGP Public Key:

Message from jcoehoorn@york.edu

We shape bittorrent connections, rather than outright block them. More than that, we shape the entire connection for the internal IP behind the traffic using a "penalty box" approach. All connections with bittorrent traffic are sent to a common pool that caps combined use to at most 6% of our total bandwidth. The 6% number was arrived at via trial and error, and it needs to be adjusted from time to time. The result is that the internet works for torrent users... but... it's... very... slow... The goal is to be similar to an old dial-up connection. Ninety minutes later, the block expires and things are fine for that connection again. If you have something that you *really* need (or more often, want), and the only way to get it is via torrent, you can do that... but there's a cost. 

Needless to say, this is coupled with an informational campaign for new students when they arrive, and reminders at the beginning of each term, and additional reminders when users begin frequently showing up in the logs for the feature. I've found this is *more* effective than an outright torrent block.


Joel Coehoorn
Director of Information Technology
York College, Nebraska
402.363.5603
jcoehoorn@york.edu


The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society


