Technical Guidance Ref : ML-FSGUIDE for Complying with Version : 2.0 HEOA Provisions Date : April 8, 2012 Technical Guidance for College and University CIOs and CTOs in Complying with HEOA Provisions (Revision 1) Motion Picture Laboratories, Inc. 1 Technical Guidance Ref : ML-FSGUIDE for Complying with Version : 2.0 HEOA Provisions Date : April 8, 2012 CONTENTS 1 Overview .................................................................................................................. 3 2 General Technical Approaches ................................................................................ 4 3 Expanded Technical Information ............................................................................ 10 4 Other Campus Configurations and Concerns ........................................................ 28 5 Appendix A. Vendor List ........................................................................................ 31 6 Appendix B. The Higher Education Opportunities Act (HEOA) ............................. 48 7 Appendix C. Evolving Technologies Used for Illegal File Sharing ......................... 49 8 Appendix D. Glossary ........................................................................................... 52 9 Appendix E. References and Resources .............................................................. 56 10 Acknowlegements .................................................................................................. 56 Motion Picture Laboratories, Inc. 2 Technical Guidance Ref : ML-FSGUIDE for Complying with Version : 2.0 HEOA Provisions Date : April 8, 2012 1 OVERVIEW The goal of this paper is to provide technical guidance and information to college and university CIOs and CTOs, as they consider and adopt techniques to reduce illegal file sharing (Appendix C) on their campuses in the context of the Higher Education Opportunities Act (Appendix B). This paper updates and extends information gathered in 2008 by the Joint Committee of Higher Education and Entertainment Communities1, which at that time was interested in learning more about vendor solutions to reduce the unauthorized distribution of copyrighted materials. The authors hope this up-to-date distillation will make it easier to identify and adopt technical solutions for a variety of campus networks – the paper considers a range of technical possibilities to cover as many network topologies as possible. Briefly, general technical approaches to reducing piracy along with examples are described in Section 2 and detailed in Section 3. Comments on other situations campuses may face can be found in Section 4. A list of vendors and products referenced in these sections can be found in Appendix A. The goal is to identify vendors and we make no endorsements. It’s important to note that while CIOs/CTOs often think in terms of new equipment, the authors found that existing equipment may often be readily used to address illegal file sharing – in many cases, basic technologies are useful for both network management/security and reducing copyright infringements. The authors note that technology is only one aspect of a program to reduce illegal file sharing. Other components necessary for an effective program include copyright awareness and education. Note that critical legal and policy issues not addressed by this document are explored in numerous other references and can be found by following links in Appendix E. 1Information about the Joint Committee can be found here: http://www.educause.edu/EDUCAUSE+Major+Initiatives/JointCommitteeoftheHigherEduca/1204 Motion Picture Laboratories, Inc. 3 Technical Guidance Ref : ML-FSGUIDE for Complying with Version : 2.0 HEOA Provisions Date : April 8, 2012 2 GENERAL TECHNICAL APPROACHES In this section, we identify five broad categories of technical approaches that may be used to combat copyright infringement: Broadly categorized, Security Information and Event Management (SIEM) and Advanced Monitoring Solutions (AMS) recognize infringing activities and provide the technology and tools which can be used to implement graduated response. Both SIEM and AMS are generally passive technologies. Web filters and inline monitoring and IDS/IPS solutions recognize infringing activities and can provide the technology and tools to implement a graduated response. These technologies can also actively block the infringing activities. The following table highlights some considerations when deciding on a technology. Campus Goals Approaches to consider Technologies $0 budget Use what is on campus, particularly IPS, to block peer-to- Existing campus technologies, particularly IPS peer (P2P) file sharing. Potentially use local DNS and and DNS. firewalls to do simple site blocking for cyberlockers and Use SIEM (Snort2 is free) and AMS streaming sites. If there is no technology available, consider SIEM or AMS to identify issues and address BAYU3 is good if you have the hardware to them via help-desk. Strict consequences generally mean support it. fewer incidences. Can deploy equipment, Consider solutions that ‘block’ illegal file sharing, in AMS, particularly systems that respond to but staff overworked particular P2P and site blocking. violations. Inline blocking and IPS can virtually eliminate unwanted activities. Advanced Firewalls may also meet your needs. Staff, but no equipment Emphasize graduated response. Detect policy violations SIEM, AMS to detect violations. BAYU to inform and then act upon them. users. Automatically process notices with Automated Content Notice System (ACNS). Practical, reliable The best approach is a combination of technologies to Inline systems and AMS intelligently detect solution detect violations and a graduated response program unwanted activities which can be handed off to emphasizing education and consequences for actions BAYU or graduated response. Some behavior against your college or university’s network-user conduct might be excessive and merit ‘blocking’ outright, policies. which can be done with inline systems, IPS, DNS, or advanced firewalls. Be a thought leader For you, P2P is the easy part with many solutions. Opportunity is intelligent integration of different Challenge is effectively controlling download and technologies. streaming, but balancing these efforts with partial site traffic freedom. Consider site blocking when/if incidents arise that either are against your college or university’s network-user conduct policies or which otherwise adversely affect the operability of your campus network. Also challenging are servers on campus networks. Rotate lightweight solutions through campus to look for violations. Potentially put the responsibility on the student by having them opt-in to various access situations. 2 Snort (www.snort.org) is a free intrusion detection/protection system. 3 Be Aware You’re Uploading (BAYU), http://bayu.umich.edu/ Motion Picture Laboratories, Inc. 4 Technical Guidance Ref : ML-FSGUIDE for Complying with Version : 2.0 HEOA Provisions Date : April 8, 2012 It is important that goals be realistic and to recognize that the goal for technical measures is to reduce illegal file sharing and not to eliminate. It’s also important not to be distracted by information concerning the robustness of any solution surrounding illegal file sharing. There are countermeasures for almost every technology described in this paper. However, in practice the above techniques have been proven effective at colleges and universities across the country. It will require work and diligence, but in the end you can create an effective and manageable system. It should also be noted that many corporations use very similar techniques to limit the access of their employees to engage in similar or even more expansive activities (e.g. access to social media sites). We recommend that any solution selected have mechanisms that allow community members to opt-in to obtain access to restricted technologies and sites for non-infringing uses. The opt-in can range from an automated mechanism (for example, a click-through “day pass” for P2P) to a more generalized approach (for example, terms of use permitting students to use P2P if they’re willing to accept more severe sanctions if they receive a DMCA notice). 2.1 Security Information and Event Management (SIEM) and Network Behavior Analysis (NBA) SIEM is a low cost, entry-level approach to reducing copyright infringements on campus. Created over a decade ago, SIEM technology compiles “transactions” or “events” generated by systems, applications, databases, and network devices such as routers, switches, and hubs. Summaries of network events are collected and analyzed to determine what’s happening on the network. This enables network administrators to create alarms that signal certain network conditions (such as specific events or when particular thresholds are reached) that you and your professional staff will want to address. For example, a systems administrator might set a threshold on the maximum traffic per day to individual computers on the residential network; if this were exceeded, it would be considered an event. While traditional log management tools exist, SIEM is a superset of functionality, which includes not just logs, but event interpretation, and analytics to determine proper courses of action based on those events. Pros Cons Offers a low cost entry point for various types of reporting and Devices must be configured to produce and write compliance. logs. This is relatively basic, but assumes that the The device that accumulates these logs