Preventing internet traffic from being snooped - legitimate reason

Page 2

spidey07 (No Lifer, joined Aug 4, 2000)
In this thread we see the people who actually do it vs. the people that don't.

I kinda miss our annual "how do I get around stupid draconian university network policy" posts that come around September.
 

heymrdj (Diamond Member, joined May 28, 2007)
> LOL, this forum is indeed better than ATOT now. So many armchair network admins...it's great. Trollolol.
>
> Lots and lots of schools use NAC to force things like this. Perfigo (now Cisco Clean Access) is extremely popular in the dorms of these institutions. The key here is that if you don't like it, you don't have to use the network.
>
> Network administration on this scale must be proactive, not reactive. If you wait until there's a problem with a host (whether that be a virus or excess BT traffic, or whatever) and then address that host individually, your network will never work. Remember, we're talking about thousands of unmanaged nodes on this network. You don't have the fortune to join them all to an AD domain, so you can't use GP to restrict potentially dangerous activities. The most efficient way to police this type of network is to block restricted services outright. That means tools like Clean Access to force antivirus and update policies and aggressive firewalling.
>
> You think the network administrator should wait for a problem and then go to the student's dorm and unplug them manually. You'll need 50 techs under you to police that type of network. I can run the same network with 2 techs, and provide the same level of security and the same level of quality. These tools exist for a reason and they're used for a reason.
>
> Additionally, you do know that the school is liable for anything and everything downloaded from within its network. Whether that is music, movies, CP, whatever. Doesn't matter. Easier for the school to block access to BT or TOR or usenet or other types of services than to deal with individual DMCA cease and desist notices. It's an accounting nightmare.
>
> You'd know all this if you'd ever actually managed a large unmanageable network.

Hmm, someone's panties are in a bunch :colbert:. Time for you to go on a break and have some juice.

IT staff under me is 5. The network is indeed proactive, but with live human faces that work with the students to ensure that what they need is being satisfied in justified means.

However, this is a school of intelligence and learning. We can't restrict the students to running OSes that are supported by our NAC, because the NAC is fairly limited (Windows, Mac, some Linux, no UNIX). So while we proactively cover things, we also have to enable exceptions in certain semesters for certain groups of students to get things done.

As for BT, we run a BT service for the students so that they can get what they need, and http it to their dormitory. That way we don't have to have BT running to each room.

As for gooney's mention of an AP not connected to the internet, it didn't matter at the time. The wireless APs attacked all wireless APs that weren't registered under Blue Socket. Internet enabled or not.

And to spidey07, I know there's a different way to manage things than your way. You've been proven wrong before, you're only but a little human. Try not to be so condescending to things you don't understand.
 

thecoolnessrune (Diamond Member, joined Jun 8, 2005)
> The part you are missing is really simple: It isn't your network. You can choose to not install the package, but then you are choosing not to use the school network. It is extremely common to require a "security pack" for many schools now because they became tired of the people that never did updates and never bothered with antivirus spamming crap across the LANs and bittorrenting the bandwidth away. Many use NAC tools now, force a copy of some AV on to the machine, register the mac address and force you to use a NAC tool on the machine otherwise you get sent to the "/dev/null" vlan.
>
> PS these "sub par" universities you mention include places like MIT, Harvard, nearly all private schools I have done work with and coming close to 75%ish of the state schools.

While like in my post itself I understand your point, I think you missed my point in a desire to make your own. If you read what I posted, you'll see that I think it is indeed the right of the schools to do what they wish, however I'm saying that *I* would not attend such a school, because my privacy is worth more than the services they would offer me (And yes, while I realise many people get caught up in the big names of MIT, Harvard, etc, we are blessed with being in the IT field that does not require coming from a super-school to be hired).

When I was doing my undergrad, I was doing real, hands-on things that needed simple things that are almost always cut off in schools. Things such as VPN, remote desktop, and SSH. To be productive in many of our projects, we needed access to computers kept in lab rooms well past the late-night cutoff. Fortunately, we had a network admin that understood our needs, and worked with us to implement proper channels for us to work in, by crafting the networking services dynamically around the *students*, not the other way around. It was the bonus of a smaller university I suppose, but one I'll enjoy above the policies of "big" schools any day.
 

imagoon (Diamond Member, joined Feb 19, 2003)
> While like in my post itself I understand your point, I think you missed my point in a desire to make your own. If you read what I posted, you'll see that I think it is indeed the right of the schools to do what they wish, however I'm saying that *I* would not attend such a school, because my privacy is worth more than the services they would offer me (And yes, while I realise many people get caught up in the big names of MIT, Harvard, etc, we are blessed with being in the IT field that does not require coming from a super-school to be hired).
>
> When I was doing my undergrad, I was doing real, hands-on things that needed simple things that are almost always cut off in schools. Things such as VPN, remote desktop, and SSH. To be productive in many of our projects, we needed access to computers kept in lab rooms well past the late-night cutoff. Fortunately, we had a network admin that understood our needs, and worked with us to implement proper channels for us to work in, by crafting the networking services dynamically around the *students*, not the other way around. It was the bonus of a smaller university I suppose, but one I'll enjoy above the policies of "big" schools any day.

Good point. I also did miss your point. Most of the big schools will work with you also, you just need to go to the local "division's" group. Where I went, the networking instructors did have a specialized networking lab that was basically open. They then had a single port that linked into the normal network with most stuff blocked. Don't need to be advertising DHCP, STP, OSPF and BGP into the main core for example. This is the same group that let me set up a "metro net" on LightStream 2020s for all the "islands." [different tables were little IT islands to simulate other locations.] That was my first experience with T3, ATM and tunneling IP over the ATM frame network.
 

spidey07 (No Lifer, joined Aug 4, 2000)
> Good point. I also did miss your point. Most of the big schools will work with you also, you just need to go to the local "division's" group. Where I went, the networking instructors did have a specialized networking lab that was basically open. They then had a single port that linked into the normal network with most stuff blocked. Don't need to be advertising DHCP, STP, OSPF and BGP into the main core for example. This is the same group that let me set up a "metro net" on LightStream 2020s for all the "islands." [different tables were little IT islands to simulate other locations.] That was my first experience with T3, ATM and tunneling IP over the ATM frame network.

You're old. LANE is for suckers.
 

freegeeks (Diamond Member, joined May 7, 2001)
Who cares? I worked for a couple of Fortune 100 companies and I have been working in a lot of different networking environments (I'm a CCNP certified freelance network consultant). In all of them I was able to set up an ssh session and tunnel my traffic.
 

spidey07 (No Lifer, joined Aug 4, 2000)
> Who cares? I worked for a couple of Fortune 100 companies and I have been working in a lot of different networking environments (I'm a CCNP certified freelance network consultant). In all of them I was able to set up an ssh session and tunnel my traffic.

Then those companies fail at security. You never allow SSH out without proxying it.
 

freegeeks (Diamond Member, joined May 7, 2001)
> Then those companies fail at security. You never allow SSH out without proxying it.

I have worked with a lot of "security" people in the last 12 years. Let's be honest, the majority are paper certs and have no clue about networking in general. They just push rules using their fancy GUI. If you mention "local preference" or "MED" to them they look at you in bewilderment. When I said I was not an "expert" in ssl it was just to test some of the responses. Transparent ssl proxy is a fancy word now, but everyone who knows something about networking knows when his traffic is being filtered. Getting to the outside world is sometimes as simple as setting up an ssh session on port 80 or 443. Or a double tunnel through a jump server, ....
 

spidey07 (No Lifer, joined Aug 4, 2000)
> I have worked with a lot of "security" people in the last 12 years. Let's be honest, the majority are paper certs and have no clue about networking in general. They just push rules using their fancy GUI. If you mention "local preference" or "MED" to them they look at you in bewilderment. When I said I was not an "expert" in ssl it was just to test some of the responses. Transparent ssl proxy is a fancy word now, but everyone who knows something about networking knows when his traffic is being filtered. Getting to the outside world is sometimes as simple as setting up an ssh session on port 80 or 443. Or a double tunnel through a jump server, ....

True. And packet shapers and netflow are good at recognizing applications regardless of port number.
 

freegeeks (Diamond Member, joined May 7, 2001)
> True. And packet shapers and netflow are good at recognizing applications regardless of port number.

there is corkscrew, httptunnel, .... :sneaky:

And if all else fails, just use 3G and tether away :biggrin:

my point is that security is always a balance between the needs of the users and the real security concerns of a network admin. In my 10+ years of experience, there is almost always a way to tunnel to the outside world in some way or another
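The last few posts argue both sides of the same point: an ssh session moved to port 80 or 443 (or pushed through a web proxy with corkscrew) slips past a port-number ACL, while a packet shaper or netflow-style inspection that looks at what the connection actually carries still catches it. The script below is an added example, not code from the thread or from any of the products mentioned: it identifies the application from the first payload bytes in each direction of a TCP connection and reports every flow whose application does not match what the destination port is supposed to carry, including an HTTP CONNECT request aimed at port 22. The flows, addresses and the PORT_EXPECTATION table are constructed for the example; the function names are hypothetical.

```python
"""Port-independent application identification over constructed sample flows.

Added example (not from the forum thread): classify each TCP flow by its
first payload bytes rather than by destination port, the way a packet
shaper does, and flag the flows whose application contradicts the port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """First payload bytes seen in each direction of one TCP connection."""
    src: str
    dst: str
    dport: int
    client_first: bytes
    server_first: bytes


# What an ACL that filters by port number alone assumes runs on each port
# (constructed for this example).
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls", 8080: "http"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify(flow: Flow) -> str:
    """Name the application from the opening bytes, ignoring the port."""
    c, s = flow.client_first, flow.server_first
    # SSH (RFC 4253): both sides open with an identification string, and the
    # server usually speaks first, so check both directions.
    if c.startswith(b"SSH-") or s.startswith(b"SSH-"):
        return "ssh"
    # HTTP CONNECT: the client asks a proxy for a raw TCP tunnel, which is
    # how corkscrew carries ssh through a web proxy.
    if c.startswith(b"CONNECT "):
        return "http-connect"
    # TLS: record type 0x16 (handshake), major version 0x03, and the first
    # handshake message type 0x01 (ClientHello) at offset 5.
    if len(c) >= 6 and c[0] == 0x16 and c[1] == 0x03 and c[5] == 0x01:
        return "tls"
    if c.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def connect_target(payload: bytes) -> Optional[Tuple[str, int]]:
    """Parse 'CONNECT host:port HTTP/1.x' and return (host, port), else None."""
    if not payload.startswith(b"CONNECT "):
        return None
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split()
    if len(parts) < 2 or b":" not in parts[1]:
        return None
    host, _, port = parts[1].rpartition(b":")
    if not port.isdigit():
        return None
    return host.decode("ascii", "replace"), int(port)


def audit(flows: List[Flow]) -> List[str]:
    """One finding per flow whose application contradicts its port, plus any
    CONNECT request that tunnels towards an ssh port."""
    findings = []
    for f in flows:
        app = identify(f)
        if app == "http-connect":
            target = connect_target(f.client_first)
            if target is not None and target[1] == 22:
                findings.append(f"{f.src} -> {f.dst}:{f.dport} CONNECT tunnel to "
                                f"{target[0]}:22 (likely ssh over proxy)")
            continue
        expected = PORT_EXPECTATION.get(f.dport)
        if expected is not None and app != expected:
            findings.append(f"{f.src} -> {f.dst}:{f.dport} carries {app}, expected {expected}")
    return findings


# Constructed sample traffic: one genuine HTTPS session, sshd listening on 443,
# a corkscrew-style CONNECT to port 22 through a web proxy, a legitimate
# CONNECT to 443, plain HTTP and plain ssh on their usual ports.
TLS_CLIENT_HELLO = bytes.fromhex("160301007a010000760303") + b"\x00" * 32
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "203.0.113.10", 443, TLS_CLIENT_HELLO, b"\x16\x03\x03"),
    Flow("10.20.1.7", "198.51.100.4", 443, b"SSH-2.0-OpenSSH_9.3\r\n", b"SSH-2.0-OpenSSH_8.9p1\r\n"),
    Flow("10.20.1.9", "10.20.0.2", 8080, b"CONNECT 198.51.100.4:22 HTTP/1.0\r\n\r\n",
         b"HTTP/1.0 200 Connection established\r\n\r\n"),
    Flow("10.20.1.9", "10.20.0.2", 8080, b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n",
         b"HTTP/1.1 200 OK\r\n\r\n"),
    Flow("10.20.1.3", "203.0.113.20", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("10.20.1.8", "192.0.2.30", 22, b"SSH-2.0-OpenSSH_9.3\r\n", b"SSH-2.0-OpenSSH_9.3\r\n"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Two of the six constructed flows are reported: the ssh banner on 443 and the CONNECT to port 22. The same first-bytes check is also why "just use a different port" fails against the shapers spidey07 mentions. The caveat for the defender is the flip side of freegeeks' point: wrap the ssh session in a real TLS layer (stunnel in front of sshd, or an httptunnel-style encapsulation that looks like ordinary HTTP) and the banner is gone, so a shaper has to fall back on flow-level signals such as duration, packet-size symmetry and the absence of a certificate, which this example does not implement.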