
Routers on campus network

Thyme

Platinum Member
I'm a college student who is quite the geek and I have multiple computers in my dorm room. I need them to be able to connect to each other (via NetBIOS and others). Seems simple, eh? Well, the people who do the networking are going on witch hunts to get rid of all routers. Most of it, I believe, is because people have unsecured wireless networks and it lets others get on and wreak havoc. So instead of educating users or only suspending those that are causing problems, they just make a blanket no-router policy.

However, there is another thing. They also say that there is some problem with certain routers and I believe DHCP that is causing entire dorms or large segments of the network to go down. Has anyone ever heard that line? Doesn't that indicate they have problems setting up the network correctly?
 
Rogue DHCP is nasty and, so far as I know, none too easy to prevent without a lot of tedious client side twiddling (which any corporate network admin should be able to do; but is pretty much impossible in a school setting, unless the admins are psycho network nazis). It should only happen if you foolishly connect a LAN side port on the router to the school network; but I've no doubt that plenty of meatheads have done just that, and there have probably been routers shipped with broken configs, too.

Are they alright with switches where you are?
 
If you need a network service, petition the college IT infrastructure to provide it for you. That is what they are there for. Work the system. Don't go around it. Plugging a misconfigured router into almost any network can make said network unusable.
 
Switches: Yes, they allow switches, but that will give me absolutely nothing. I need my computers to be able to talk to each other using services that are blocked (like NetBIOS, for obvious reasons).

As far as I know, my router is configured correctly. I had ethernet from the wall connected to the WAN port where it shouldn't be broadcasting a DHCP server. They don't care if it's configured correctly or not, though. They are eliminating ALL routers. They have no process for allowing legitimate routers. "Upper management" wants to get rid of all of them. There haven't been any problems with my internet or with the internet of the numerous people who would have come to me.

As far as rogue DHCP servers, they do look like they're a big problem, but there are better ways of dealing with that than scanning for routers and disabling the ports. It seems like there are ways of fairly reliably detecting them, such as scanning each subnet for port 67 or setting up honeypots to ask for IP addresses. What about http://security.itworld.com/4363/ITW3542/page_1.html ? That should be able to routinely detect most of them, and the ones that don't, can be easily found when they call and complain using arp -a. There are a ton of students that could be affected, but the resources would be better spent in educating and preventing than eliminating every potentially useful router. This brute force method of dealing with the issue is simply lazy and a display of their general incompetence.
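
The honeypot-style check mentioned in the post above, as an added example that is not part of the original thread: it parses DHCP replies collected by a probe client and flags any OFFER/ACK/NAK whose server identifier (option 54) is not on an allowlist. The addresses, segment labels and the `build_reply` helper are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # messages only a DHCP server sends

def parse_dhcp_reply(payload):
    """Return (message_type, server_id) from a BOOTP/DHCP payload, or None."""
    # The fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie.
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None  # not a BOOTREPLY carrying DHCP options
    msg_type, server_id = None, None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None          # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None          # truncated option body
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, server_id

def find_rogue_servers(replies, authorized):
    """replies: iterable of (segment_label, payload). Returns sorted (segment, server, type)."""
    rogue = set()
    for segment, payload in replies:
        parsed = parse_dhcp_reply(payload)
        if parsed is None:
            continue
        msg_type, server_id = parsed
        if msg_type in SERVER_TYPES and server_id not in authorized:
            rogue.add((segment, server_id or "unknown", SERVER_TYPES[msg_type]))
    return sorted(rogue)

def build_reply(msg_type, server_ip):
    """Construct a minimal DHCP reply (sample data only, not a full packet)."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return header + MAGIC_COOKIE + opts

# Constructed sample: replies a probe client received on two segments.
AUTHORIZED = {"10.20.0.2"}
SAMPLE = [("dorm-a", build_reply(2, "10.20.0.2")),
          ("dorm-b", build_reply(2, "192.168.1.1")),
          ("dorm-b", build_reply(5, "192.168.1.1"))]

if __name__ == "__main__":
    for segment, server, kind in find_rogue_servers(SAMPLE, AUTHORIZED):
        print(f"rogue DHCP {kind} from {server} on {segment}")
```
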
 
It's their network, they can dictate the terms of service and use.

My university doesn't allow routers in the dorms. It's one port per device. Sometimes, ports get automatically disabled if you have more than 1 adapter on your PC. But, I believe if the switch detected a router, it would shut down your port.

For our school, 802.1x is used to authenticate users on the dorm networks. So if you had a router, and it couldn't authenticate then you were SOL. Also, for your pc to authenticate, you had to use a client program provided by the university.

For me, I couldn't even play XBOX live in the dorms because of the stupid 802.1x authentication. That pissed me off more than not being able to use a router.

As others have suggested, talk to the IT staff about a possible solution, or how such a draconian policy came into effect and ways to better educate the res hall users.
 
Originally posted by: phisrow
Rogue DHCP is nasty and, so far as I know, none too easy to prevent without a lot of tedious client side twiddling (which any corporate network admin should be able to do; but is pretty much impossible in a school setting, unless the admins are psycho network nazis). It should only happen if you foolishly connect a LAN side port on the router to the school network; but I've no doubt that plenty of meatheads have done just that, and there have probably been routers shipped with broken configs, too.

Are they alright with switches where you are?

As an aside, there are switches out there that can prevent rogue DHCP servers. You basically tell the switch "don't allow DHCP servers on the user ports" and the switch will shut down the port if it sees any DHCP server side packets.

But there are more serious problems with routers and they should not be allowed on a campus network.
 

If you just want to practice with routers, there is a really good piece of software called Network Visualizer. Basically, it's software with which you can build a huge network. Each router will have its own Cisco IOS and every client machine will have CMD : ) Check the software out, because it helped me pass the CCNA course without actually going to any labs ;*( .

http://www.routersim.com/ >> Router sim
 
There is no way they can detect if you have a router or not as long as it is properly configured. Just close all incoming ports, don't reply to pings, don't serve dhcp on the WAN side, don't use wireless, do use NAT.

A switch would also give you what you want, but they might be able to detect that you had more than one machine behind the switch by sniffing arp who-has requests.
 
Originally posted by: Atheus
There is no way they can detect if you have a router or not as long as it is properly configured. Just close all incoming ports, don't reply to pings, don't serve dhcp on the WAN side, don't use wireless, do use NAT.

A switch would also give you what you want, but they might be able to detect that you had more than one machine behind the switch by sniffing arp who-has requests.

Yes you can detect a router. A switch as well. And depending on the infrastructure, a wireless access point (an AP attached to their switch port is extremely easy) or adhoc wireless net.

If they don't want routers on their net and it's against the use policy, then don't do it. There are very valid reasons for not wanting them.
 
Originally posted by: RedCOMET
It's their network, they can dictate the terms of service and use.

My university doesn't allow routers in the dorms. It's one port per device. Sometimes, ports get automatically disabled if you have more than 1 adapter on your PC. But, I believe if the switch detected a router, it would shut down your port.

For our school, 802.1x is used to authenticate users on the dorm networks. So if you had a router, and it couldn't authenticate then you were SOL. Also, for your pc to authenticate, you had to use a client program provided by the university.

For me, I couldn't even play XBOX live in the dorms because of the stupid 802.1x authentication. That pissed me off more than not being able to use a router.

As others have suggested, talk to the IT staff about a possible solution, or how such a draconian policy came into effect and ways to better educate the res hall users.

It's their network that I'm forced to use by living here (turned out to be a mistake not to get an apartment...). It's also their building, but you wouldn't tell me to play by the building rules if they made something like "no color TVs allowed" or something asinine.

We also have to authenticate, but that's new this year. They let you register your MAC address to play the consoles online.

The guy I talked to on the phone said he'd let me know if they came up with a "solution," but they are not going to be able to do that, I'm fairly sure.
 
Originally posted by: n0cmonkey
Educating the users doesn't work. It never has.

I didn't say it would be a cure for the problem, but it would eliminate some of the problem, as would detecting. The rest could be handled reactively.
 
Originally posted by: spidey07
Originally posted by: phisrow
Rogue DHCP is nasty and, so far as I know, none too easy to prevent without a lot of tedious client side twiddling (which any corporate network admin should be able to do; but is pretty much impossible in a school setting, unless the admins are psycho network nazis). It should only happen if you foolishly connect a LAN side port on the router to the school network; but I've no doubt that plenty of meatheads have done just that, and there have probably been routers shipped with broken configs, too.

Are they alright with switches where you are?

As an aside, there are switches out there that can prevent rogue DHCP servers. You basically tell the switch "don't allow DHCP servers on the user ports" and the switch will shut down the port if it sees any DHCP server side packets.

But there are more serious problems with routers and they should not be allowed on a campus network.

Like?
 
Originally posted by: tuteja1986

If you just want to practice with routers, there is a really good piece of software called Network Visualizer. Basically, it's software with which you can build a huge network. Each router will have its own Cisco IOS and every client machine will have CMD : ) Check the software out, because it helped me pass the CCNA course without actually going to any labs ;*( .

http://www.routersim.com/ >> Router sim

I'm not trying to get practice with routers. I need to use routers so that my computers can connect to each other. See OP.
 
Originally posted by: Thyme
Originally posted by: spidey07
Originally posted by: phisrow
Rogue DHCP is nasty and, so far as I know, none too easy to prevent without a lot of tedious client side twiddling (which any corporate network admin should be able to do; but is pretty much impossible in a school setting, unless the admins are psycho network nazis). It should only happen if you foolishly connect a LAN side port on the router to the school network; but I've no doubt that plenty of meatheads have done just that, and there have probably been routers shipped with broken configs, too.

Are they alright with switches where you are?

As an aside, there are switches out there that can prevent rogue DHCP servers. You basically tell the switch "don't allow DHCP servers on the user ports" and the switch will shut down the port if it sees any DHCP server side packets.

But there are more serious problems with routers and they should not be allowed on a campus network.

Like?

Bad routes, a router proxy arping for the entire subnet (effectively replying to arps for the default router), dhcp servers.

Also software errors in the SOHO router code itself that can cause all kinds of funky stuff, like creating a loop or broadcast/packet storm.

I've seen them bring entire campuses down. But the more frequent is just a building or subnet.

It's good to see universities stepping up and doing something about it, especially using 802.1x.

-edit-
If you want your computers to connect to each other then throw a second NIC in each one and run a small network. This way you're not breaking any use policies and you can share files and whatnot.
 
Originally posted by: spidey07
Originally posted by: Atheus
There is no way they can detect if you have a router or not as long as it is properly configured. Just close all incoming ports, don't reply to pings, don't serve dhcp on the WAN side, don't use wireless, do use NAT.

A switch would also give you what you want, but they might be able to detect that you had more than one machine behind the switch by sniffing arp who-has requests.

Yes you can detect a router. A switch as well. And depending on the infrastructure, a wireless access point (an AP attached to their switch port is extremely easy) or adhoc wireless net.

I think not, how would you tell the difference between a linux router running NAT and a linux pc?
 
Well, if I told you how I can tell then that would be giving away a secret that I don't want college kids to have.
😉

But the clue is one is a router and the other a host.
 
Originally posted by: spidey07
Well, if I told you how I can tell then that would be giving away a secret that I don't want college kids to have.

/Edit: guesses removed as they turned out to be accurate... suffice to say there is indeed a method to detect it, and also a way to work around that method. Thanks for the PM.
 
Originally posted by: Thyme

It's their network that I'm forced to use by living here (turned out to be a mistake not to get an apartment...). It's also their building, but you wouldn't tell me to play by the building rules if they made something like "no color TVs allowed" or something asinine.

We also have to authenticate, but that's new this year. They let you register your MAC address to play the consoles online.

The guy I talked to on the phone said he'd let me know if they came up with a "solution," but they are not going to be able to do that, I'm fairly sure.

I'm sure if they didn't want color tv in the dorms, they would either not allow cable service to the dorms or just filter the color out of the cable signal.



 
Originally posted by: Thyme
Originally posted by: n0cmonkey
Educating the users doesn't work. It never has.

I didn't say it would be a cure for the problem, but it would eliminate some of the problem, as would detecting. The rest could be handled reactively.

It doesn't work, at all. Not even a little bit. 🙁
 
Originally posted by: Atheus
Originally posted by: spidey07
Well, if I told you how I can tell then that would be giving away a secret that I don't want college kids to have.

/Edit: guesses removed as they turned out to be accurate... suffice to say there is indeed a method to detect it, and also a way to work around that method. Thanks for the PM.

I don't doubt that. Working around it probably wouldn't be that hard, but I'm really not interested, since I'm concerned with the policy itself.
 
Originally posted by: RedCOMET
Originally posted by: Thyme

It's their network that I'm forced to use by living here (turned out to be a mistake not to get an apartment...). It's also their building, but you wouldn't tell me to play by the building rules if they made something like "no color TVs allowed" or something asinine.

We also have to authenticate, but that's new this year. They let you register your MAC address to play the consoles online.

The guy I talked to on the phone said he'd let me know if they came up with a "solution," but they are not going to be able to do that, I'm fairly sure.

I'm sure if they didn't want color tv in the dorms, they would either not allow cable service to the dorms or just filter the color out of the cable signal.

Come on. It was an analogy. My point is just because it's what "they" want, doesn't mean we should have to accept it if it's a bad policy.
 
Originally posted by: n0cmonkey
Originally posted by: Thyme
Originally posted by: n0cmonkey
Educating the users doesn't work. It never has.

I didn't say it would be a cure for the problem, but it would eliminate some of the problem, as would detecting. The rest could be handled reactively.

It doesn't work, at all. Not even a little bit. 🙁

I disagree. If they disabled routers by default, then made a list of things you have to do to be able to use one, people would follow the list. If they enabled routers by default and made that same list, I know I would use and I would encourage the few others who even want to run routers to follow the list, too.

Even if you were to say that students are not responsive to anything, there are proactive ways of detecting the problems that don't involve shutting down legit routers.
 
Originally posted by: Thyme
Originally posted by: RedCOMET
Originally posted by: Thyme

It's their network that I'm forced to use by living here (turned out to be a mistake not to get an apartment...). It's also their building, but you wouldn't tell me to play by the building rules if they made something like "no color TVs allowed" or something asinine.

We also have to authenticate, but that's new this year. They let you register your MAC address to play the consoles online.

The guy I talked to on the phone said he'd let me know if they came up with a "solution," but they are not going to be able to do that, I'm fairly sure.

I'm sure if they didn't want color tv in the dorms, they would either not allow cable service to the dorms or just filter the color out of the cable signal.

Come on. It was an analogy. My point is just because it's what "they" want, doesn't mean we should have to accept it if it's a bad policy.

Good policy, bad policy... it's still a policy that you have to abide by if you use THEIR network. Think of speed limits on roads. If you are speeding and get caught, you don't tell the officer you think the speed limit is bad, or too low, do you?

 