Higher Education

We use a Palo Alto Firewall and have torrenting blocked using the application group provided by Palo Alto, but I'm noticing in my traffic that there is a growing number of VPN traffic that looks suspiciously like Peer-to-Peer based on the amount of data going to the destination. 

 

We found a few such as btguard that we just block their website. 

 

To be honest I just want to know how granular you get to stay in compliance with the Higher Education Opportunity Act. 

If the students are using VPNs to tunnel their torrent traffic, there's not
much you can do other than attempt to block the VPN endpoint which changes
on a regular basis.

I don't think you would be held liable under HEOA for this.

The answer is user education and finding ways to offer services so they
don't feel the need to torrent.

We've been seeing this type of torrent VPN for about a year now. Just my
$0.02

That's the thing. We would obviously like to leave VPN open as an option for our students for other reasons. But obviously the amount of traffic is a potential issue for us. It might be worth looking at throttling user speed after X amount of traffic in a Day/week or something similar. 

 

This topic comes from seeing about 300 GB of traffic over the weekend between a few students. 

In the Palo, can you rate limit by destination country? Most of these VPN
sessions terminate in Canada and Europe. Maybe you could throttle VPN
connections by students destined for outside the country?

Another thought I just had. Could we potentially use Clearpass OnGuard to check for a running service/application? I don't necessarily care that they have it on their computer. I just don't want it runnning on my network. 

 

I suppose the Agent is required to check though?

We had a problem with students using torrents on our school wireless network. We actually recieved notification that someone was pirating movies from our wireless network. I discovered then that we couldn't block torrents due to its rotating random ports.

 

After a little research I found out that most (not all) torrent programs reach out and touch on a set of default ports first before they started to rotate to other random ports. Said ports are tcp 6881-6889. So I created a policy that blocked those ports and then black listed the device.

 

It wasn't a perfect solution and I did "catch" a few legit users but for the most part it did the trick as black listed users had to come to IT services department to get taken off the list.

 

(this was from my post on this from 2012, still relevant though)

I did see you post. Luckily for us, Palo Alto does a good job at stopping Torrent applications on it's own. However, using a VPN allows users to connect through standard ports as a VPN and then the distant device is obviously not in our network to control. 

 

We just want to make sure we are in line with what other Higher Ed's are doing. We don't want to be liable for any potentially Illegal activities on our Network. 

ereader22,

 

You can indeed use OnGuard to police torrent applications with the persistent agents.

 

We use a Packet-shaper and rate-limit peer-to-peer to 0.5KBPS.  We also use a trustwave content-filter that updates every night and blocks peer-to-peer traffic.  The user can submit a ticket from the block page which gives us a chance to review the site and see if it is legitmate or not.  To my knowledge we have never gotten a ligitimate site blocked for peer-to-peer.

I would use snort with splunk if I want to do custom rules for the users that are doing torrent traffic and if you only want to block them you could use only snort.