[unisog] risks of a mixed network

Craig Kleen ckleen at csulb.edu
Tue Oct 24 15:33:43 GMT 2006

We had a similar problem when we were still using PacketShaper.  Our 
ruleset was immensely complex, and while we left a lot of bandwidth 
available for the gamers, they continued to complain, and "threatened" to 
do the same thing, wanting their own DSL or cable modem.

As it turned out, the root of their complaints was the added latency 
produced by the complex PacketShaper rules and the low bandwidth we 
provided the "Default" class for when the PacketShaper refused or was 
unable to classify something.  We ended up having to change our Policy to 
completely block P2P, which we found to be better accomplished by our IPS 
system over PacketShaper anyway.  Haven't had a gamer complaint in over 2 
years with that policy, and only 2 P2P "complaints" which were more "why 
does X program not work" rather than a true complaint.

Craig Kleen
Assistant Director, Network Services
Information Technology Services
California State University, Long Beach
1250 Bellflower Blvd, Long Beach, CA 90840-0101
(562) 985-8706

Josh Fiske <jfiske at clarkson.edu> 
Sent by: unisog-bounces at lists.dshield.org
10/24/2006 05:27 AM
Please respond to
UNIversity Security Operations Group <unisog at lists.dshield.org>

UNIversity Security Operations Group <unisog at lists.dshield.org>

[unisog] risks of a mixed network

Hi all, 

I'm eager to get some input from other network/security folks...to make 
sure I haven't missed anything on this one. 

At our site, we have residence halls for which we provide network 
connectivity.  We have a PacketShaper which does P2P restriction and 
bandwidth limiting.  Some students (particularly our gamers) are 
interested in purchasing cable-modem service in their dorm room so that 
they can play their games at a higher speed.  I'd love to be able to 
provide these students with a solution that fits their needs (or wants), 
but I need to balance that with any potential risks. 

In my mind, the main concern with this scenario is the risk of bridging 
our site's network with the cable-modem provider.  Currently we have in 
place Cisco switches with DHCP snooping enabled (so that DHCP responses 
can only come from trusted ports), so I'm not too worried about a 
backwards router providing addresses to the dorm's VLAN.  Obviously the 
cable-modem would provide another entry point to the campus network (if a 
machine were dual-homed or if bridging did occur), however at present our 
ResNet doesn't have a firewall.  So, while the lack of a firewall is a 
concern, the cable-modems would not introduce additional risk when 
compared to the current situation.

So, these are the things that I am thinking about.  What else would you 
recommend considering?  Have I missed anything blatant? 

Thanks for your feedback, 

-- Josh
- - - - -
Joshua Fiske, Network and Security Engineer
Clarkson University, Office of Information Technology
(315) 268-6722 -- Fax: (315) 268-6570
jfiske at clarkson.edu

CONFIDENTIALITY:  This e-mail (including any attachments) may contain 
confidential, proprietary and privileged information, and unauthorized 
disclosure or use is prohibited.  If you received this e-mail in error, 
please notify the sender and delete this e-mail from your system.
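The DHCP snooping setup described in the question, written out as an added Cisco IOS configuration example (this is not configuration from either post; the VLAN number, interface names, the uplink port and the rate limit are assumed). It also shows IP Source Guard on the same ports, which uses the snooping binding table to drop packets whose source address was not leased by the campus DHCP server, one way to catch traffic arriving through a dual-homed or bridged host that the DHCP-response filtering alone does not cover:

```cisco
! Added example, not from the thread. Residence-hall VLAN is assumed to be 100.
ip dhcp snooping
ip dhcp snooping vlan 100
! Option-82 insertion is enabled by default; disable it unless the
! campus DHCP server is configured to accept it.
no ip dhcp snooping information option
!
! Only the uplink toward the DHCP server/relay is trusted (assumed Gi1/0/48).
interface GigabitEthernet1/0/48
 description uplink to distribution (DHCP relay path)
 ip dhcp snooping trust
!
! Room-facing ports stay untrusted (the default): an OFFER/ACK from a
! cable-modem router plugged in here is dropped rather than forwarded to
! the VLAN. The rate limit bounds how many DHCP packets per second a single
! port may send before it is err-disabled.
interface range GigabitEthernet1/0/1 - 47
 description residence hall room ports
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping limit rate 10
 ! IP Source Guard: forward only packets whose source IP (and MAC) matches a
 ! binding learned by DHCP snooping on this port. A host statically addressed
 ! from the cable-modem side, or a machine bridged in behind a dual-homed PC,
 ! has no binding here and its traffic is dropped.
 ip verify source port-security
!
! Let a port that tripped the DHCP rate limit recover on its own.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification commands (read-only):
!   show ip dhcp snooping            - confirms the VLAN and which ports are trusted
!   show ip dhcp snooping binding    - the lease table IP Source Guard enforces
!   show ip verify source            - per-port Source Guard state
```

IP Source Guard with `port-security` also requires port security on the interface so the MAC is checked; without it, use plain `ip verify source` to check the IP only. Neither feature is a firewall: they limit what a room port can inject into the VLAN, not what a dual-homed machine can relay from the campus side out to the cable-modem provider.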