Security Research

Bandwidth Battle: How Entertainment is Strangling Education on Higher Ed Networks

The next time a college or university considers an expensive upgrade to its network to accommodate growing demand, it might be good to remember that the increased demand isn't necessarily owing to greater use of the course management system or student retention program. According to recent research, more than three-quarters of all bandwidth consumed on campus is actually taken up with applications that fall into the categories of gaming, social networking, media, file sharing, and Web browsing.

Peer to peer (P2P) file sharing all by itself takes up a whopping 22 percent of total bandwidth. Plus, the research found that students are taking extra steps to conceal their online activity, belying the notion that university networks are considered "open" by their users.

The examination of higher education environments was done as part of a broader assessment of business networks by Palo Alto Networks, which sells firewalls and access network control products. Palo Alto often installs a demonstration firewall on a prospect's network to monitor activity--typically what travels through the Internet gateway--and then generates a report based on seven days' worth of application and threat activity.

"We'll produce the report and meet with the CIO and the security team and say, 'This is what we found,'" explained Product Marketing Manager Matt Keil, author of the report. "Nine times out of 10, [they'll respond], 'Wow, I didn't know it was that bad,' or, 'Wow, I knew there was a lot of entertainment on my network, but I didn't realize it was chewing X percent of my bandwidth. We need to do something about this.'"

For the research report focused on education, titled "Academic Freedom or Application Chaos?" and available with registration, the company compiled data from the 35 university network assessments it had performed over the course of 18 months to measure the amount and type of data traffic traversing the Internet gateway. During the brief period the networks across those universities were monitored, the Palo Alto appliances detected 589 different applications in use, guzzling 64 TB of data.

Pervasive P2P
Of the applications found in use on university networks, 203--more than a third--fell into categories not directly related to the business of higher education. These applications for file sharing, Internet browsing, audio streaming, social networking, and gaming sucked up about 78 percent of total bandwidth and generated 48 TB of data. Because of the open nature of networks on campus, the author wrote, "blocking them is not really an option."

"What that tells me there is that 22 percent of the bandwidth is all the universities have [left] to run their business applications, things like Oracle, Sybase, SAP, or a finance application," Keil observed. It's also why quality of service (QoS) functionality is becoming popular on campus. QoS products allow administrators to throttle bandwidth according to the type of application making the request.

The report said that it's not unexpected that P2P exists on university networks--34 of the 35 networks monitored had them present. But Keil was surprised by the volume of P2P traffic found. The most common program for this form of file sharing is BitTorrent, which appeared on nine out of 10 university networks and single-handedly chewed up an average of nearly 18 percent of the total bandwidth traversing the Internet gateway.

Although the Recording Industry Association of America (RIAA) has claimed it has backed away from its practice of suing individual users who share copyrighted material, other threats still exist. The RIAA still pursues service providers--such as universities--to cut those users off from Internet access. Also, P2P is an efficient method to deliver malware into networks, unbeknownst to users. For example, the Mariposa botnet is most commonly delivered into networks through P2P applications (though it can also turn up through IM messages with links and USB drives). Once the bot has found a home on a network, it arbitrarily downloads executable programs on command, extending its capacity for introducing other malicious software. The company reported that one university with "open application usage policies" had about 250 Mariposa-infected clients, an infection rate of 2 percent. Another school, which used automated means to control P2P usage, has seen only a few infected clients.

Browser-based file sharing services have also gained a foothold in higher ed. Palo Alto defines these in the report as legitimate applications that do file sharing, such as YouSendIt; provide file storage, such as Box.net; and allow for public domain publishing, such as DocStoc. Some users have discovered that these are efficient means for transferring large files--such as music or movies--across port 80 or port 443, while still looking like normal Web traffic. An average of 11 browser-based file sharing applications was found on university networks; MegaUpload was the most common, showing up on 74 percent of participant networks. The most bandwidth intensive was RapidShare, which transported a terabyte of data out of a total of 1.7 terabytes for this category.

Surfing Under Cover
The study discovered that a large number of users perform covert Web activities through the use of external proxies, encrypted tunnels, and remote access applications. This pervasive existence of programs or services that can mask activities was what surprised Keil most, he said. "If the university has an open network, traditionally, then what are reasons why students are using proxies, which are primarily a mechanism for avoiding URL filtering?" he asked.

The report identified two types of proxies that can be used to bypass security controls. One is a private proxy, software installed on a machine outside of the university network and used by a single user. The user then browses to this external proxy as an unmonitored way to browse the Web. The two most common--aside from HTTP proxy, which, the authors pointed out, has legitimate uses--are CGIProxy and PHProxy. The other is a public proxy or proxy service. To use one of these, the user visits any one of thousands of Web sites that will anonymize his or her identity while online.

The challenge posed by either means of anonymous surfing, the report said, is that because the traffic looks like "normal Web browsing and most security policies allow this type of traffic to pass unfettered,... students are bypassing any control efforts including threat inspection, exposing the university to unnecessary security risks."

Along the same lines, encrypted tunnel applications also enable users to hide their activities. While many are legitimate and probably endorsed by the institution (such as IPSec), others are far less likely to be used for university business. Palo Alto said it believes the existence of the latter type of program on the network suggests that users are either bypassing security controls and policies or they're extraordinarily concerned about their personal privacy.

For example, The Onion Router (TOR), which appeared on networks at 15 of the universities, was developed, the report said, "by the US military as a means of secure communications over the early version of the Internet, known as DARPA." As the report explained, the data in the message is broken up into a bunch of pieces, each sent via a different node so that no one recipient can intercept the entire message. The data is only recompiled once it reaches the final recipient. "It's not very easy to set up," said Keil. "If you're using TOR, then you're definitely trying to hide something."

The report also gives a nod to remote desktop control applications. These are programs that allow IT people to help users with PC problems remotely. But, the report pointed out, they can also mask network activity. With Remote Desktop Protocol (RDP), which is commonly included with operating systems, a user can "easily configure their PC to connect to an external PC and from there can run any application they desire--swap files, run a P2P application, listen to music, surf the Web."

Playing Catch-up
"Network administrators are very smart people," Keil said. "They know what's going on in their network to a certain extent. They just don't know the level to which bandwidth is being consumed or the amount of peer to peer that's there."

The challenge administrators face in tightening down network controls, Keil said, is that while the software and users themselves have evolved rapidly, the tools that IT and security teams have at their disposal have not kept up. "Otherwise, they wouldn't see threats from the RIAA coming on a daily basis," he said. "The tools have lost visibility into what's going on in the network--which is why so many of our customers say, 'Wow, I didn't know it was that bad.'"
