Legal threats due to wifi user's Bittorrent activity

mstrz
Level 1

We have received some legal threats (I know they are BS, but my company is worried about the ISP cutting us off) because a couple of users on our public wifi network have been using our network to download Bittorrent movies.

I researched P2P blocking on Cisco equipment but all I found was port blocking, which doesn't work because modern Bittorrent clients use random ports. The only other way is a "deep packet inspection" (AIP-SSM) module for our ASA but that's way overkill.

Currently all I can do is block MAC addresses that use too much bandwidth, but that's just a cat-and-mouse game. Here are some other options I was considering:

  1. Bandwidth cap- not speed, but data cap. If I could cap monthly data to like 500 MB, that would eliminate most Bittorrent problems, because movies are usually 1 gig+. I don't think QoS can do this, though.
  2. Hotspot system- some kind of managed hotspot system that requires users to login... but I can't find anything like this that doesn't have a payment system (our wifi is free).
  3. Enabling WPA2, and putting the password in the SSID (good idea for public wifi anyway). Not sure how this would help but maybe I will be able to have better control over the users if they have to be encrypted?
  4. Requiring users to create usernames and passwords and tie in with email. No clue how I would do this... Active Directory?
  5. Since we are a local government, the alternative is simply shutting off the public wifi permanently. I want to avoid this at all costs; I spent years on our public wifi network.

Any ideas?


Nicolas Darchis
Cisco Employee

Hi,

I'll add my 2 cents on this.

1. You would need your download limit to be unrelated to a single wifi association. You want this stateful across a month, so you need to tie it to the authentication phase. Each username has a quota. This is to be looked at from a radius perspective. Users will be denied further authentication after they break their quota.

2. If you want a form of authentication, go with web authentication. If you have a Wireless Controller, this is an easy feature. Users are redirected to an internal web portal and they either are allowed and have to enter their email address (just for tracking purpose) or a username and password.

3. WPA2 will not allow any further form of control on download.

4. WLC provides the web portal for web authentication but if you look for very user-friendly feature, I would advise looking at the NAC Guest Server that allows people to create accounts for themselves.

The major problems behind this :

- You add a layer of complexity if you authenticate people. If they all use the same key or password, then you can't differentiate them from a quota perspective.
If they have to create their own account, it will be more complex for them.

- If a radius server blocks access after the quota is reached, it's only the next authentication that is forbidden; the client stays connected until its session timeout on the wireless.

- If you allow users to create an account for themselves, they will anyway be able to create a new account once they're blocked, right?

So it's a tough one you're asking.

Nicolas

===

don't forget to rate answers that you find useful

Thanks for the feedback.

The main problem I am having is that I can't find any related settings. The only QoS features I can see in the WLC 4400 are for bandwidth shaping. I also looked at the ASA 5510's QoS, but it also looks like basic traffic shaping. I don't see anything relating to actual data "quotas" (yet even the most basic FTP server has it). I also looked at NBAR/NetFlow, but that just spits out data for reporting.

As for forcing users to create accounts, wouldn't it be easiest to manage the quota by MAC address? I am no TCP/IP engineer, so I don't know if this is even possible, but it sounds logical to me. This way it would be transparent to the end users. Once the quota is reached, they simply wouldn't be able to connect to the internet till the next month.

Is it possible to use the WLC or ASA somehow to track usage, and block via MAC? I see this feature in consumer routers like Linksys or Netgear, so I can't believe it doesn't exist in enterprise hardware.

Either there is a network management device capable of it (I'm not familiar with all NMS products), or, if you do this through authentication, then you'd need all MAC addresses to be allowed but tracked in order to track the quota for each. This is not possible with ACS as far as I know.

Maybe Cisco Access Registrar? (I'm not familiar with that one either.)

The main problem is that if you do MAC tracking, it's still not 100%, because people can spoof other MAC addresses. But OK, that already limits the number of people who can do it.

Nicolas
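To make Nicolas's two points concrete (a quota that is tied to accounting rather than to a single association, and tracking by client MAC as the poster proposed), here is an added example that is not part of the thread and not Cisco code. It assumes the WLC sends standard RADIUS accounting (Calling-Station-Id carrying the client MAC, Acct-Session-Id, and the cumulative Acct-Input/Output-Octets and Gigawords counters) to a server where this logic would run before answering the next Access-Request. The records below are constructed sample data; a real Event-Timestamp is an integer, it is kept as a string here only for readability.

```python
"""Monthly per-device data quota computed from RADIUS accounting records.

Constructed example, not from the thread. Assumes the controller sends RADIUS
accounting with Calling-Station-Id (client MAC), Acct-Session-Id and the
cumulative Acct-Input/Output-Octets (+ Gigawords) counters. The result is the
set of MACs whose next Access-Request should be rejected; as noted in the
thread, a reject does not disconnect a client that is already associated,
it only stops the next authentication.
"""
from collections import defaultdict
import re

GIGAWORD = 2 ** 32  # one Acct-*-Gigawords unit is 2^32 octets


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' and
    return the lowercase colon form, so one device is not counted as several."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def session_octets(rec: dict) -> int:
    """Bytes moved in this session so far, both directions, with Gigawords."""
    inp = rec.get("Acct-Input-Gigawords", 0) * GIGAWORD + rec.get("Acct-Input-Octets", 0)
    out = rec.get("Acct-Output-Gigawords", 0) * GIGAWORD + rec.get("Acct-Output-Octets", 0)
    return inp + out


def monthly_usage(records, month: str) -> dict:
    """Return {mac: bytes} for the given 'YYYY-MM'.

    Counters are cumulative within one Acct-Session-Id, so Interim-Updates and
    the final Stop of a session must not be added together: keep the highest
    value seen per session, then sum the sessions of each MAC.
    """
    per_session = {}
    session_mac = {}
    for rec in records:
        if not rec["Event-Timestamp"].startswith(month):
            continue  # outside the quota month
        sid = rec["Acct-Session-Id"]
        session_mac[sid] = normalize_mac(rec["Calling-Station-Id"])
        per_session[sid] = max(per_session.get(sid, 0), session_octets(rec))
    usage = defaultdict(int)
    for sid, octets in per_session.items():
        usage[session_mac[sid]] += octets
    return dict(usage)


def over_quota(usage: dict, quota_bytes: int) -> set:
    """MACs whose next Access-Request should get an Access-Reject."""
    return {mac for mac, used in usage.items() if used >= quota_bytes}


# Constructed sample: device 1 has one session that crossed the 4 GiB
# Gigawords boundary; device 2 has one session reported as two interim
# updates plus a stop, with the stop written in Cisco's dotted MAC notation;
# device 3 only has traffic in the previous month.
SAMPLE_RECORDS = [
    {"Event-Timestamp": "2012-03-02T10:00:00", "Acct-Session-Id": "0001",
     "Calling-Station-Id": "00-11-22-33-44-55",
     "Acct-Input-Octets": 100_000_000, "Acct-Output-Octets": 5_000_000},
    {"Event-Timestamp": "2012-03-02T12:00:00", "Acct-Session-Id": "0001",
     "Calling-Station-Id": "00-11-22-33-44-55", "Acct-Input-Gigawords": 1,
     "Acct-Input-Octets": 200_000_000, "Acct-Output-Octets": 20_000_000},
    {"Event-Timestamp": "2012-03-05T09:00:00", "Acct-Session-Id": "0002",
     "Calling-Station-Id": "66-77-88-99-aa-bb",
     "Acct-Input-Octets": 50_000_000, "Acct-Output-Octets": 1_000_000},
    {"Event-Timestamp": "2012-03-05T09:30:00", "Acct-Session-Id": "0002",
     "Calling-Station-Id": "66-77-88-99-aa-bb",
     "Acct-Input-Octets": 120_000_000, "Acct-Output-Octets": 2_000_000},
    {"Event-Timestamp": "2012-03-05T10:00:00", "Acct-Session-Id": "0002",
     "Calling-Station-Id": "6677.8899.aabb",
     "Acct-Input-Octets": 150_000_000, "Acct-Output-Octets": 3_000_000},
    {"Event-Timestamp": "2012-02-28T23:00:00", "Acct-Session-Id": "0000",
     "Calling-Station-Id": "cc-dd-ee-ff-00-11",
     "Acct-Input-Octets": 900_000_000, "Acct-Output-Octets": 10_000_000},
]

QUOTA_500MB = 500 * 1000 * 1000  # the 500 MB/month figure from the question

if __name__ == "__main__":
    usage = monthly_usage(SAMPLE_RECORDS, "2012-03")
    for mac, used in sorted(usage.items()):
        print(f"{mac}: {used / 1e6:.1f} MB this month")
    print("reject next auth for:", sorted(over_quota(usage, QUOTA_500MB)))
```

The two things worth noticing are the ones that go wrong most often in practice: summing interim updates instead of taking the per-session maximum inflates usage, and ignoring the Gigawords attribute silently undercounts any session over 4 GiB, which is exactly the size of the downloads being complained about. Keying on the MAC carries the caveat Nicolas gives: a client that changes its MAC starts from a fresh quota, so this raises the bar rather than closing the door.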

Leo Laohoo
Hall of Fame

Have you tried "P2P Blocking Action"?

I believe that just blocks users from seeing other users on the same wlan.

This is correct.

I will soon be purchasing an ASA 5505, but I have used this device in one store where we offer free wifi.

Using an OpenDNS account you can adjust the bandwidth to slow down Bittorrent-type traffic and then limit the lease time so that they will not have enough time to download large files.

http://www.amazon.com/dp/B003KI1D2I/ref=as_li_qf_sp_asin_til?tag=wwwtopwebcred-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=B003KI1D2I&adid=0MD6G5CSTP8H7JDCAYPW&&ref-refURL=http%3A%2F%2Fwww.socratesthemereviews.com%2F

I plan to use this in all of our locations unless I find a better solution with ASA 5505

It also solves your complexity issue in that you don't have to charge for access; users just click to accept the terms and then click to get access. You can control the lease time of wireless clients.

This post is old and you may have found another solution, but I hope this helps.

Pablo
