[LARTC] management of virus and p2p-traffic

[LARTC] management of virus and p2p-traffic

[Ralf Staudemeyer]

Hi

I have to manage a network with approx. 200 users, a 256kbit/s unmanaged
Internet connection and a 3Mbit/s unreliable managed Internet connection
(only http/ftp-proxy and ssh available). All users are in one Class C
Subnet with 512 IP-Addresses. 60% of the machines are Windows. The rest
are SUN and Linux. At the moment Windows viruses and p2p-traffic eats
most of our bandwidth. 

My Aims are:
- inform Windows users with a virus problem; limit their traffic to http
over proxy
- allocate different bandwidth to different user groups on port level
(to limit p2p traffic) depending on time (day/night)
- allocate different amounts of traffic to groups and reduce the night
bandwidth of user groups who exceed their daily limit
- prevent that users get access to a different group by simply taking an
IP address from a different group without creating an access control
list with IP/MAC Pairs
- users should be able to monitor the bandwidth usage of their group on
a web page
- the 3Mbit/s uplink should be used whenever possible/available (ssh +
ftp/http proxy)
- preserve privacy of users as far as possible

The idea is to split the network using transparent bridgewalls. This
should manage the traffic on port level for each group using Netfilter
in Bridge Mode and using IPP2P to limit P2P-traffic. Group limitations
should be implemented here. 
A firewall should be installed on the gateway to the Internet. The
firewall should do NAT and have a QoS setup managing and monitoring the
real outgoing traffic. I plan to use the cookbook example 15.10 from the
lartc as a base.

My question is if there are known running solutions out there that would
fit these aims? The Windows machines with their viruses give me a
headache. I do not want to enforce remote Windows patching and
virusscanner updating. It should also be taken into account that there
is nearly no money available for any special equipment. Best would be to
get this job done with a couple of old computers.

Another question is that I want to know if it is advisable to split
traffic filtering and traffic management/monitoring. 

I would appreciate any help.

Regards
Ralf

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] management of virus and p2p-traffic

[Ed Wildgoose]

>The Windows machines with their viruses give me a
>headache. I do not want to enforce remote Windows patching and
>virusscanner updating. It should also be taken into account that there
>is nearly no money available for any special equipment. Best would be to
>get this job done with a couple of old computers.
>  
>

One thing you could address is that most virus's arrive via smtp. Can 
you scan inbound smtp traffic, perhaps with clamav?  Or do users have 
their own external email accounts?

Ed W
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] management of virus and p2p-traffic

[Jason Boxman]

On Monday 21 June 2004 13:36, Ralf Staudemeyer wrote:
> Hi
>
> I have to manage a network with approx. 200 users, a 256kbit/s unmanaged
> Internet connection and a 3Mbit/s unreliable managed Internet connection
> (only http/ftp-proxy and ssh available). All users are in one Class C
> Subnet with 512 IP-Addresses. 60% of the machines are Windows. The rest
> are SUN and Linux. At the moment Windows viruses and p2p-traffic eats
> most of our bandwidth.

Wow.  Subnets are your friend.  Subnet if you can.

<snip>
> My question is if there are known running solutions out there that would
> fit these aims? The Windows machines with their viruses give me a
> headache. I do not want to enforce remote Windows patching and
> virusscanner updating. It should also be taken into account that there
> is nearly no money available for any special equipment. Best would be to
> get this job done with a couple of old computers.

I'd suggest social engineering and suggestion.  See if you can get your users 
to clean up and tone down p2p. :)

> Another question is that I want to know if it is advisable to split
> traffic filtering and traffic management/monitoring.
>
> I would appreciate any help.
>
> Regards
> Ralf
>

-- 

Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] management of virus and p2p-traffic

[Ralf Staudemeyer]

On Mon, 2004-06-21 at 17:06, Ed Wildgoose wrote:
> >The Windows machines with their viruses give me a
> >headache. I do not want to enforce remote Windows patching and
> >virusscanner updating. It should also be taken into account that there
> >is nearly no money available for any special equipment. Best would be to
> >get this job done with a couple of old computers.
> >  
> >
> 
> One thing you could address is that most virus's arrive via smtp. Can 
> you scan inbound smtp traffic, perhaps with clamav?  Or do users have 
> their own external email accounts?
>
>
We have a Novel Groupwise service that should be used for email (via the
managed 3Mbit connection). That system supports spam-filtering and
virus-scanning. Unfortunately that service does not support any security
functions and is not reliable. There will be not much change about that.
So I want and I must support users who use their external email
accounts.

Ralf


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] management of virus and p2p-traffic

[Ed Wildgoose]

Ralf Staudemeyer wrote:

>On Mon, 2004-06-21 at 17:06, Ed Wildgoose wrote:
>  
>
>>>The Windows machines with their viruses give me a
>>>headache. I do not want to enforce remote Windows patching and
>>>virusscanner updating. It should also be taken into account that there
>>>is nearly no money available for any special equipment. Best would be to
>>>get this job done with a couple of old computers.
>>> 
>>>
>>>      
>>>
>>One thing you could address is that most virus's arrive via smtp. Can 
>>you scan inbound smtp traffic, perhaps with clamav?  Or do users have 
>>their own external email accounts?
>>
>>
>>    
>>
>We have a Novel Groupwise service that should be used for email (via the
>managed 3Mbit connection). That system supports spam-filtering and
>virus-scanning. Unfortunately that service does not support any security
>functions and is not reliable. There will be not much change about that.
>So I want and I must support users who use their external email
>accounts.
>  
>

A quick search on google suggests that you can get a POP3 transparent 
proxy which will do virus scanning.  This is also used and maintained by 
Astaro Linux firewall.
See http://p3scan.sourceforge.net/

Perhaps you could look at something like Astaro with a bridging firewall 
to get the bulk of your requirements sorted (or just roll your own 
(Shorewall?) if you are happy with iptables)

Second problem is splitting traffic between your two internet 
connections.  This is very possible, read the LARTC faq for basic 
details and then come back here with specific questions

The other stuff is easily possible, but for the number of users that you 
have you are going to need to invest some time to write some scripts to 
handle mapping users to MAC addresses and make the whole thing 
maintainable.  There was another post only hours ago from at least one 
other person who you might contact to see if they will share some stuff.

P2P is pretty easy to control.  Try kernel patches for "ippp" or 
"l7-filter" (both on sf.net I think).  This lets you simply filter 
traffic using iptables.

You mentioned time based rules.  I think there are patches to iptables 
to handle this.  Alternatively you could have two scripts which run from 
cron to switch rules.  A further, and perhaps easier possibility, is to 
use the QOS rules to prioritise everything else and simply leave 
unwanted traffic in the "left over" bucket.  This will mean that P2P 
users cannot affect your normal traffic, but if the link is idle at any 
time of day or night then they can use up to the max amount, but only if 
it's idle.  This is perhaps good enough and easier to configure.

You need to have read the LARTC faq, and browsed the iptables docs or 
you will find this quite advanced.  I suggest that you break the problem 
up into parts.

If you aren't completely technical, or pushed for time then you might 
want to consider hiring someone, or looking at a prebuilt solution.  
Your requirements are all possible though.

Ed W



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] management of virus and p2p-traffic

[Ralf Staudemeyer]

On Tue, 2004-06-22 at 07:20, Ed Wildgoose wrote:

> The other stuff is easily possible, but for the number of users that you 
> have you are going to need to invest some time to write some scripts to 
> handle mapping users to MAC addresses and make the whole thing 
> maintainable.  There was another post only hours ago from at least one 
> other person who you might contact to see if they will share some stuff.
>
I wanted to avoid to do that MAC/IP-mapping. Some users have notebooks,
some will change their working place and some will buy new hardware they
want to connect to the network. This is not maintainable. Also I really
do not want to know want the users do with their bandwidth. I just want
to assure that things go fair and everyone can work with the network. 

Thx for all the help!!!
Ralf

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] management of virus and p2p-traffic

[Ed Wildgoose]

Ralf Staudemeyer wrote:

>On Tue, 2004-06-22 at 07:20, Ed Wildgoose wrote:
>
>  
>
>>The other stuff is easily possible, but for the number of users that you 
>>have you are going to need to invest some time to write some scripts to 
>>handle mapping users to MAC addresses and make the whole thing 
>>maintainable.  There was another post only hours ago from at least one 
>>other person who you might contact to see if they will share some stuff.
>>
>>    
>>
>I wanted to avoid to do that MAC/IP-mapping. Some users have notebooks,
>some will change their working place and some will buy new hardware they
>want to connect to the network. This is not maintainable. Also I really
>do not want to know want the users do with their bandwidth. I just want
>to assure that things go fair and everyone can work with the network. 
>  
>

Well, in that case your problem gets easy really easy.  Just pick up one 
of the prioritisation scripts - I like this one:

http://www.digriz.org.uk/jdg-qos-script/

Then read the LARTC doc so you know what it's doing.  At that should be you up and running.

What you will be doing is just classifying traffic based on it's type and ignoring the source, etc completely.


Ed W


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] management of virus and p2p-traffic

[Ralf Staudemeyer]

On Tue, 2004-06-22 at 12:01, Ed Wildgoose wrote:
> Ralf Staudemeyer wrote:
> 
> >On Tue, 2004-06-22 at 07:20, Ed Wildgoose wrote:
> >
> >  
> >
> >>The other stuff is easily possible, but for the number of users that you 
> >>have you are going to need to invest some time to write some scripts to 
> >>handle mapping users to MAC addresses and make the whole thing 
> >>maintainable.  There was another post only hours ago from at least one 
> >>other person who you might contact to see if they will share some stuff.
> >>
> >>    
> >>
> >I wanted to avoid to do that MAC/IP-mapping. Some users have notebooks,
> >some will change their working place and some will buy new hardware they
> >want to connect to the network. This is not maintainable. Also I really
> >do not want to know want the users do with their bandwidth. I just want
> >to assure that things go fair and everyone can work with the network. 
> >  
> >
> 
> Well, in that case your problem gets easy really easy.  Just pick up one 
> of the prioritisation scripts - I like this one:
> 
> http://www.digriz.org.uk/jdg-qos-script/
> 
> Then read the LARTC doc so you know what it's doing.  At that should be you up and running.
> 
> What you will be doing is just classifying traffic based on it's type and ignoring the source, etc completely.
> 
It is not such easy since there is still the prioritisation problem.
There are user groups who should not use p2p-traffic (public accessible
machines for only surfing and email), some need some extra bandwidth
(mirrors, powerusers), some need low latency for their Voice-over-IP or
videoconferencing ... things like that. It is quite easy to group them
to five groups.

But I do not know how I should make sure that someone reconfigures the
IP of a public accessible machine to get some extra rights. I thought to
filter this with some transparent bridgewalls. But this makes it
impossible to move with a machine of a higher prioritisation a subnet of
lower prioritisation. The bridgewall will, and should, discard the
packages. Even if I would start collecting MAC addresses it would be
still quite easy to sniff the MAC/IP pair (isn´t it?).

The script looks very promising. 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/