I am at the University of Florida. It has gotten very hard to filter by simple rules.
We run a firewall blocking TCP above 1024 with only 7 exceptions (like Global Catalog for domain logins). Blocking UDP had to be done by source since one program can use hundreds of ports.
We run traffic analysis to ID the latest P2P sharing systems and enforce the policy against use by disabling the recipient’s IP address. Draconian, but it works, since the students and staff must have access for work and classes. This is not cheap. The network interdiction squad updates known transgressors daily.
In the battle between “No, you cannot do that” and “We want it,” we start with top-level policies backed by the administration. They apply to ‘everyone’ from the President down to visitors in the computer labs in study areas and libraries. New systems are scanned for up-to-date patches and up-to-date antivirus files before getting an IP address with network access. This quarantine process helps tremendously.
My suggestions are:
1. Policies in place and fully supported.
2. Standardized setup and network permissions whenever possible.
3. Multi-level firewalls. Level 1 and level 2 are losing the battle. Level 3 is still very expensive, but it can handle tunneling apps.
4. Get employee/user buy-in. When they understand that tomorrow’s employment for all depends on their individual behavior today, peer pressure can work.