
Routers on campus network

Originally posted by: spidey07
Yeah, that was good times. I think I still have a piece of the router after we smashed it to bits.

OP - you can accommodate your needs without a router.

Also keep in mind that the problems aren't always configuration related, but software bugs in the devices themselves.

Some things I can accommodate without a router, but others I cannot. They block things like NetBIOS (for obvious reasons), and I wouldn't want to tunnel it. The benefits to my security from using a router are significant. I also expect to be working from school remotely, and for various reasons, a router will be needed.

I can appreciate the software problems being a more important problem than configuration. Again, though, they'd have a short list of all the routers if they were detected. Do they result in problems that are impossible to detect?
 
Originally posted by: Thyme
Well obviously you speed because the benefit of speeding is worth the risk*penalty. If they make overtly going against the policy more likely to get caught with a harsher penalty, people won't do it.

How much easier is it to track down problems when all detected routers are banned than when only badly-behaving routers are banned? If they can detect all routers on a subnet, then they have a shortlist when these issues come up. If you prohibit all routers, it will again be like the speeding example: the benefit from making your router not look like a router becomes significantly greater than if routers are allowed, but if a hiding router is behaving badly, it will be much harder to find than looking it up on the list of routers.

I appreciate them being proactive about it, but there are things they can try before this draconian, brute-force method.

They did try something, they tried to trust the users. Obviously the users betrayed that trust.

Some things I can accommodate without a router, but others I cannot. They block things like NetBIOS (for obvious reasons), and I wouldn't want to tunnel it. The benefits to my security from using a router are significant. I also expect to be working from school remotely, and for various reasons, a router will be needed.

I can appreciate the software problems being a more important problem than configuration. Again, though, they'd have a short list of all the routers if they were detected. Do they result in problems that are impossible to detect?

Not if a new router comes in and starts causing issues immediately.

Come up with a solution, technical and political, that allows routers and ensures that previous issues don't happen again. Post it, I'd be interested in reading it.

EDIT: If you have a local switch, the NetBIOS traffic should never reach their switch to be denied.

EDIT2: Remember, your solution should cut down on the administrative work the probably already overworked admins have to do.
 
I can't think of anything standard that needs NETBIOS that requires a router in your situation. At the most you might need extra network cards, extra cat5, and a switch. A computer can be on 2 different networks without being a router. (Although your campus may have a policy about that too...) Tunneling over VPN/IPSec is significantly more annoying than having a separate network, but it is still certainly possible to do also.
 
See, this is my problem with these threads that we get year after year.

A solution has already been provided, and yet the student is so much more "knowledgeable" as to question the very sound decisions of the university.

You don't need a router.

waaaa, but I wanna do it my way.

Tough sh!t. It's their network. They dictate what you can and cannot do.

Now use your intelligence to provide what you need instead of blaming the "management".

If you need to share files attach one computer to the campus network, slap another NIC in it and attach to a hub/switch. Plug other computers into this hub/switch and you're all set.

View the Uni's port as an untrusted, protected network and accommodate services internally as needed.
 
Why can't you connect to the other PC like so: \\<ipaddress>\share? Seems to be the most logical answer if you ask me.
 
Haven't read any of the replies, but disabling the DHCP server on your router and issuing static IP addresses different from the scheme of your college would work..

Here's a question.. Why the hell would you use a router? Why don't you just buy a cheap small 4 port switch and uplink it to your campus? Seriously.. WHY?!

I don't really get it though.. If your college network admins were smart they would create VLANs for each building and not get shut down completely by IP addy problems. If they were having such a problem because little noobs were putting up routers (not calling you a newb) and leaving default settings on, then they should start issuing IP addresses well above the default settings.. for example.. 192.168.4.100 to 192.168.254.254.. no?

So then the people who have routers plugged in would just be screwing each other over..

Shouldn't the router only be issuing people connected to that router IP addy's? Unless people are running business-class routers or stacking on a switch in their dorm room.. that would be a max of 4, maybe 8 clients?

So again, why not a switch???

edit: ahh, I know why.. Shut up and tunnel.. Or get a cable modem and VPN.. If you don't require a large pipeline.. Set up a dial-up server and use your cell phone as a modem.. I agree with blemoine.. use the IP addy.... Or perhaps something like netdisk (www.ximeta.com) if you want to share files...
 
I don't see why a switch wouldn't work in this situation. NetBIOS on your switch won't be blocked because the bits won't get past your switch.
 
Lots of people here are power-obsessed network admins, whose jobs consist of getting angry every time there is a problem and blaming the "stupid" users for everything. To make their job easier they keep trying to restrict users, so they can have more time to keep posting infinitely in online forums while they are at their work ("I'm getting paid to surf online and consume the network bandwidth"). People please don't listen to these selfish retards, as they will always side with other admins and try to restrict users. Even here the little spiders try to restrict information about networking just like in KGB-controlled Soviet Russia, this is how these people operate.
 
Originally posted by: DidlySquat
Lots of people here are power-obsessed network admins, whose jobs consist of getting angry every time there is a problem and blaming the "stupid" users for everything. To make their job easier they keep trying to restrict users, so they can have more time to keep posting infinitely in online forums while they are at their work ("I'm getting paid to surf online and consume the network bandwidth"). People please don't listen to these selfish retards, as they will always side with other admins and try to restrict users. Even here the little spiders try to restrict information about networking just like in KGB-controlled Soviet Russia, this is how these people operate.

WTF are you talking about?

Why the hell is your sig so long?

EDIT: Deal with users for a while, then tell me they aren't stupid. 😛
 
Originally posted by: DidlySquat
Lots of people here are power-obsessed network admins, whose jobs consist of getting angry every time there is a problem and blaming the "stupid" users for everything. To make their job easier they keep trying to restrict users, so they can have more time to keep posting infinitely in online forums while they are at their work ("I'm getting paid to surf online and consume the network bandwidth"). People please don't listen to these selfish retards, as they will always side with other admins and try to restrict users. Even here the little spiders try to restrict information about networking just like in KGB-controlled Soviet Russia, this is how these people operate.

You're a moron.

The job of a network admin is to make sure the network is available for business use. In this case, their job is to make sure the network is available for the use of student research. Being responsible for making sure the network can be used for its intended purpose often means restricting users from doing things they shouldn't be doing.

User education is a very important thing, but it often doesn't work. Using the company or university network for your own leisure is addicting, and even though people might understand what its true purpose is, that does not mean they will actually use it for that purpose. Putting restrictions in place on a network is to A) protect the network from security threats augmented by users doing things they shouldn't, and B) keep the network from being saturated with traffic that doesn't serve the primary use of the network. Both of those factors contribute to one major goal: keeping the network constantly available to serve its primary goal.

Network admins that put restrictions in place for other personal reasons, or to satisfy a 'power hunger', are wrong for doing so. Users who don't listen should be dealt with administratively. Technical solutions are there to protect the availability, integrity, and confidentiality of the network and the data that flows across it. Administrative solutions often take time to be processed and enacted, whereas a lot of technical solutions can be implemented very quickly. Often what you see happen is that an admin will block a user from doing something as soon as they notice the problem, because it can potentially harm the network and the data. Once the threat is gone, the administrative process usually takes place. But with our butts on the line, we often don't have the luxury of waiting for a 'suit' to get around to telling them "Hey, don't do that."
 
Originally posted by: DidlySquat
Lots of people here are power-obsessed network admins, whose jobs consist of getting angry every time there is a problem and blaming the "stupid" users for everything. To make their job easier they keep trying to restrict users, so they can have more time to keep posting infinitely in online forums while they are at their work ("I'm getting paid to surf online and consume the network bandwidth"). People please don't listen to these selfish retards, as they will always side with other admins and try to restrict users. Even here the little spiders try to restrict information about networking just like in KGB-controlled Soviet Russia, this is how these people operate.

Others have said it already, but in this case your nickname is very appropriate. It's obvious that you don't know "Diddly Squat" about what it means to actually manage and run a large network.

Your description of 'network nazis' is just as realistic as saying the police or other public safety officials enforce the laws just because they want to make your life miserable. While this may be true for some people in unique and rare cases, the vast majority of the time the cops pull you over and give you a ticket for speeding or drunk driving or whatever you happen to be doing because YOU ARE BREAKING THE LAW and you are ENDANGERING THE SAFETY OF OTHER PEOPLE AROUND YOU! Speed limits and laws restricting driving while intoxicated or under the influence of narcotic drugs are in place to protect the rest of the public from the idiots that think they are better than everyone else. They are there to make sure everyone else has the ability to use public roads with a reasonable expectation that you aren't going to plow into them going 100 miles per hour or that you aren't going to swerve across five lanes into them because your drunk or stoned mind has no clue where you are.

Yes, it is possible to create regulations that restrict most personal routers and only allow those that are "registered" with the admins. Yes, it's possible to proactively and constantly monitor the network to see if a normally allowed router just might be acting up right now. But these procedures cost a lot of money and time that already seriously overworked and underpaid admins (generally the case on campus networks) simply don't have. It's easier to simply say no routers are allowed and avoid the problem entirely so that the admins can spend their time fixing REAL problems instead of having to deal with whiny kids that think they know better than everyone else and want to have their own private network without regard for how it might affect the 50,000 other people on campus that need to use the school's network but can't because someone set up their own router improperly.

If you really do have a legitimate need to use NETBIOS communication in your dorm room, do as others have suggested and get a simple switch that doesn't violate your school's policy and plug your PCs into the switch. The computers will be able to talk to each other, you won't be interfering with the functionality of the school's network, and you won't be violating school policy (which would likely get your network access taken away completely).


As far as your comment that those of us here that work full time as network admins and just happen to stop by here looking for information that we can use, as well as opportunities to share our own knowledge with others, are actively working to keep YOU from knowing anything useful: you obviously have not ever read a single post in any of the technical forums on this message board or any other message board on the Internet. If you are asking for legitimate help, I have not ever found a place with more helpful and knowledgeable people than here on AnandTech. You did ask a legitimate question in your original post, but when you got the real, right answer, you assumed that since we told you not to violate your school's policy it must be because we are in cahoots with the evil Big Brother at school that is doing nothing but spending all of his time keeping you from doing something you probably shouldn't be doing (or don't need to be doing) on the school's network anyway...
 
Firstly, don't assume I agree with anyone else that's posting even if it seems they agree with me. I really don't appreciate the "you" changing from referring to a belligerent idiot to referring to me. I think I have constructed my arguments in a manner that does not warrant you putting me in the same category.

Secondly, for the thousandth time, I am not violating my school's policy. I have not knowingly violated my school's policy. I don't intend to violate my school's policy. Please stop assuming that I'm an arrogant kid who thinks he's the best at everything and doesn't have to listen to anyone. I am simply voicing my opinion and following the rules.

n0cmonkey, there's no reason for you to be so condescending. My solution is to disallow routers by default, but if there is a valid case for needing one, allow it and keep a list. Running checks for routers is not the only proactive method they can and should use. An automated system can be used to check to make sure there are no rogue DHCP servers. Other network issues that can result from routers should also be scanned for. These issues aren't guaranteed to go away just because routers are being disabled. As far as I know (please correct me if I'm wrong), any of the issues from faulty software could be duplicated on normal computers, especially ones infected with viruses (as an aside, they currently check for "botnet" viruses, but I don't know what method they are using). The security should be in place to discover all potential network problems regardless of whether there are routers on the network. If college students are the tinkerers and hackers you (probably rightfully) claim them to be, they will tinker and hack away so that they can get a router undetected and run it anyway. The policy should be strict enough to discourage users who don't really know what they're doing from requesting to use a router, but not so strict that students dangerously attempt to circumvent the detection. That poses a greater threat than a few allowed routers do, since those can be found much more easily. Either way, the system for identifying issues as a result of either practice should be in place.

Of course, two large issues remain:
1: No system will be perfect for identifying all the possible network issues. This will always be the case, but the better the software, the easier it is for the network admins to fix the problems that aren't automatically being detected. Regardless, a no router policy is not likely to eliminate the need for a comprehensive solution.
2: There may not be pre-existing software solutions for this type of monitoring. As has been mentioned, network admins are lacking in time. Still, developing this software would not be wasted time as it would result in a viable product that may be used in other schools and generally reduce the amount of work network admins have at all schools (including mine). Additionally, there are plenty of students (especially those knowing more than I presently do) who would likely be able to aid. This would promote the dual goals of a more secure network and more educated students.


Unlike DidlySquat, I have no animosity towards network admins who are doing their best to serve the students of the university. I don't, however, think our admins are doing the best they can. There was no attempt to make an incremental policy to address network problems and I think in the long run, students circumventing the detection system are going to cause more harm than if they were allowed to have routers if needed. (Again, I am not one of those--I have abided by their rules and continue to do so, despite not agreeing with them.) Also, this is not the only thing they do that makes me believe what
 
Originally posted by: Thyme
Firstly, don't assume I agree with anyone else that's posting even if it seems they agree with me. I really don't appreciate the "you" changing from referring to a belligerent idiot to referring to me. I think I have constructed my arguments in a manner that does not warrant you putting me in the same category.

I think you've constructed your arguments pretty well, personally.


Of course, two large issues remain:
1: No system will be perfect for identifying all the possible network issues. This will always be the case, but the better the software, the easier it is for the network admins to fix the problems that aren't automatically being detected. Regardless, a no router policy is not likely to eliminate the need for a comprehensive solution.
2: There may not be pre-existing software solutions for this type of monitoring. As has been mentioned, network admins are lacking in time. Still, developing this software would not be wasted time as it would result in a viable product that may be used in other schools and generally reduce the amount of work network admins have at all schools (including mine). Additionally, there are plenty of students (especially those knowing more than I presently do) who would likely be able to aid. This would promote the dual goals of a more secure network and more educated students.

You don't really need "software"...eliminating routers can be done fairly easily by making some configuration changes on the school's side of the port, some of which cannot easily be circumvented.

Other than that, all you need is some scripts to collect/parse stats from the school's switch and that is pretty much it. It isn't hard to determine when there is a router or switch on the other side of a port.
 
I don't mean software for scripts for simple router detection. That is easy to do. I am talking about detecting the actual problems (and where they're coming from) as opposed to detecting devices that could potentially cause them.
 
Thyme,

The thing is the methods you describe cost money, and even more so they have an ongoing cost of maintaining said systems. There is a general rule of thumb that network hardware is about 15% of the total cost of ownership of running a large network. Good management/security systems run about another 15%. The rest is ongoing personnel and operating expense.

What I'm really trying to get at here is there is a substantial cost associated with a medium to large size network. I'm not trying to brag, but my services cost 175 bucks an hour and to truly maintain a good sized campus network you need about 2 of me. To maintain a highly secure network that combats the use of active network gear requires a whole heck of a lot of very bright people and the money to pay them with.

There are decisions that are made that have little to do with the technical feasibility of a solution. What 'can' be done and what 'should' be done often conflict with each other. Even as a hard core network architect I have to make decisions based on money. I have to run financial analysis on "allow routers or don't allow routers", and in the end, when you factor in all the cases, the policies of the uni are most likely a result of "it costs less to take this approach".

Hope that provides some insight for you. It took me a long time to figure out that "it all comes down to money".
 
Originally posted by: Thyme
I don't mean software for scripts for simple router detection. That is easy to do. I am talking about detecting the actual problems (and where they're coming from) as opposed to detecting devices that could potentially cause them.

The intelligence that you are describing does not exist. Not in the public sector.
 
Originally posted by: Boscoh
Originally posted by: Thyme
Firstly, don't assume I agree with anyone else that's posting even if it seems they agree with me. I really don't appreciate the "you" changing from referring to a belligerent idiot to referring to me. I think I have constructed my arguments in a manner that does not warrant you putting me in the same category.

I think you've constructed your arguments pretty well, personally.


Of course, two large issues remain:
1: No system will be perfect for identifying all the possible network issues. This will always be the case, but the better the software, the easier it is for the network admins to fix the problems that aren't automatically being detected. Regardless, a no router policy is not likely to eliminate the need for a comprehensive solution.
2: There may not be pre-existing software solutions for this type of monitoring. As has been mentioned, network admins are lacking in time. Still, developing this software would not be wasted time as it would result in a viable product that may be used in other schools and generally reduce the amount of work network admins have at all schools (including mine). Additionally, there are plenty of students (especially those knowing more than I presently do) who would likely be able to aid. This would promote the dual goals of a more secure network and more educated students.

You don't really need "software"...eliminating routers can be done fairly easily by making some configuration changes on the school's side of the port, some of which cannot easily be circumvented.

Other than that, all you need is some scripts to collect/parse stats from the school's switch and that is pretty much it. It isn't hard to determine when there is a router or switch on the other side of a port.

To that point...

You can easily take down an entire subnet unless the most severe of security measures are put in place. Once that happens level 1-3 support can't find it. After 3-4 hours of troubleshooting it may be resolved.

Once the switch/router is down whatever management systems you have are useless because you can no longer reach that building/subnet/floor/whatever.

 
Originally posted by: Thyme
Firstly, don't assume I agree with anyone else that's posting even if it seems they agree with me. I really don't appreciate the "you" changing from referring to a belligerent idiot to referring to me. I think I have constructed my arguments in a manner that does not warrant you putting me in the same category.

Secondly, for the thousandth time, I am not violating my school's policy. I have not knowingly violated my school's policy. I don't intend to violate my school's policy. Please stop assuming that I'm an arrogant kid who thinks he's the best at everything and doesn't have to listen to anyone. I am simply voicing my opinion and following the rules.

I apologize if my comments in any way appeared that I was saying you were a whiny or arrogant kid, Thyme. I was not pointing any of my comments directly at you except for the part about using a switch since you are not allowed to use a router. My remarks about whiny kids thinking they're better than "the system" were a reply to DidlySquat's comment that the only purpose of a network admin is to make his life miserable by keeping him from doing anything he wants to any time he wants to. It's attitudes like that that often make us implement policies like these in the first place.

I appreciate that you are not violating the school's policy. Working within the rules makes it a lot easier for the admins to do their jobs with the limited time and resources that they have available to them. While your suggestion to restrict all routers by default and then allow exceptions as needed sounds great in theory, in reality there usually just aren't enough resources available to make it work properly. Also, unfortunately, there are too many cases where legitimate exceptions to the rules are allowed and they are expanded (mostly because of whiners that complain "He gets to, why can't I?") to the point where there are more exceptions than restrictions and the network ends up having all of the problems that the original policy was trying to prevent.



Edited to fix some typos...

 
Originally posted by: spidey07


To that point...

You can easily take down an entire subnet unless the most severe of security measures are put in place. Once that happens level 1-3 support can't find it. After 3-4 hours of troubleshooting it may be resolved.

Once the switch/router is down whatever management systems you have are useless because you can no longer reach that building/subnet/floor/whatever.

Indeed. I demonstrated this to my boss at work when he wanted to know why we should not put dumb unmanaged switches in users offices that had more than one computer and not physically secure them. We had to reboot a couple machines and reset some traffic graphs when I was done proving my point 😉.

 
Originally posted by: Imdmn04
Can't you just clone your PC MAC as your router MAC?

That, in effect, solves nothing. Detecting the presence of a router is still possible, and pretty trivial. 🙂
 
Sorry for sounding condescending. It's a bad habit. 🙂

The intelligence you want isn't quite there yet. It's being worked on by some of the biggest names, for some of the biggest dollars. :Q
 
Originally posted by: n0cmonkey
Originally posted by: Imdmn04
Can't you just clone your PC MAC as your router MAC?

That, in effect, solves nothing. Detecting the presence of a router is still possible, and pretty trivial. 🙂

Trivial as in very easy to detect? Or trivial as in one can do it, but it cost a lot of time and effort in detecting, and therefore such enforcements will not be economically viable for a large university?

The reason I ask this is because I don't think there is a relatively easy way to enforce the no router policy if somebody set it up in the right way. You can analyze the packet sequence numbers from the traffic behind a NAT enabled router, but that typically only works if the user is running a windows box, and that is also way too much work for a typical university NOC to handle.
 
Originally posted by: Imdmn04
Trivial as in very easy to detect? Or trivial as in one can do it, but it cost a lot of time and effort in detecting, and therefore such enforcements will not be economically viable for a large university?

The reason I ask this is because I don't think there is a relatively easy way to enforce the no router policy if somebody set it up in the right way. You can analyze the packet sequence numbers from the traffic behind a NAT enabled router, but that typically only works if the user is running a windows box, and that is also way too much work for a typical university NOC to handle.

Trivial as in easy to detect in most cases. Obviously, you can do work to make it harder to detect, but I'm not sure how prevalent that work really is in the wild wild interweb.

I kind of remember hearing that you can set up some of the detection methods on the switches, so the port goes down when the device triggers a rule. But I could be wrong.
 
IDS sensors can be configured to detect them and shut down or shun the port.

In a large campus network you would have IDS sensors at each IDF or building watching anything to/from the individual building subnets.
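An added example, not posted by anyone in this thread, of the automated rogue-DHCP check Thyme proposed (disallow by default, keep a list of registered exceptions) with the port-shutdown outcome the IDS posts describe. The campus addressing plan, server allowlist, registered-router list, switch port names and DHCPOFFER records are all constructed for the illustration.

```python
"""Rogue DHCP server check for a campus access subnet (defender-side).

Constructed example: the DhcpOffer records stand in for what a monitoring
script would collect from DHCP snooping on an access switch or from a
capture of DHCPOFFER packets.  Every address, MAC, port name and list
below is made up for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Authorized campus DHCP servers: IP -> MAC we expect that IP to answer from.
AUTHORIZED_SERVERS = {
    "10.1.0.5": "00:11:22:33:44:05",
    "10.1.0.6": "00:11:22:33:44:06",
}
# Addresses the campus actually hands out.
CAMPUS_PLAN = ip_network("10.1.0.0/16")
# Ranges that consumer routers hand out with factory-default settings.
CONSUMER_DEFAULTS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/24")]
# Ports whose owner registered a router and was granted an exception
# (the "disallow by default, keep a list" policy).
REGISTERED_ROUTER_PORTS = {"sw-dorm3:Gi1/0/12"}


@dataclass(frozen=True)
class DhcpOffer:
    server_ip: str     # source of the DHCPOFFER
    server_mac: str    # Ethernet source of that offer
    offered_ip: str    # address being handed to the client
    switch_port: str   # access port the offer was seen on


@dataclass(frozen=True)
class Finding:
    switch_port: str
    server_ip: str
    severity: str      # "warn" (follow up) or "block" (disable the port)
    reason: str


def classify(offer: DhcpOffer) -> Optional[Finding]:
    """Return a Finding for an offer that needs attention, or None if benign."""
    expected_mac = AUTHORIZED_SERVERS.get(offer.server_ip)
    if expected_mac is not None:
        if expected_mac.lower() == offer.server_mac.lower():
            return None  # legitimate campus server
        # Something answering from an authorized server's address with a
        # different MAC is impersonation, not a misconfigured gadget.
        return Finding(offer.switch_port, offer.server_ip, "block",
                       f"authorized server address with unexpected MAC {offer.server_mac}")

    offered = ip_address(offer.offered_ip)
    if offer.switch_port in REGISTERED_ROUTER_PORTS:
        # A registered router may serve its own LAN; offers leaking onto the
        # campus side are a misconfiguration to follow up on, not to block.
        return Finding(offer.switch_port, offer.server_ip, "warn",
                       "registered router leaking DHCP offers onto its campus port")
    if any(offered in net for net in CONSUMER_DEFAULTS):
        reason = f"unregistered DHCP server offering default-range address {offer.offered_ip}"
    elif offered in CAMPUS_PLAN:
        reason = f"unregistered DHCP server offering campus-plan address {offer.offered_ip}"
    else:
        reason = f"unregistered DHCP server offering {offer.offered_ip}"
    return Finding(offer.switch_port, offer.server_ip, "block", reason)


def scan(offers: List[DhcpOffer]) -> List[Finding]:
    """Classify every offer and keep the ones worth acting on."""
    return [f for f in (classify(o) for o in offers) if f is not None]


def ports_to_shut(offers: List[DhcpOffer]) -> List[str]:
    """Ports an IDS or switch script would disable: sorted, no duplicates."""
    return sorted({f.switch_port for f in scan(offers) if f.severity == "block"})


# Constructed sample of offers seen on one dorm switch.
SAMPLE_OFFERS = [
    DhcpOffer("10.1.0.5", "00:11:22:33:44:05", "10.1.7.23", "sw-dorm3:Gi1/0/3"),         # real server
    DhcpOffer("192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.100", "sw-dorm3:Gi1/0/7"),   # default-config router
    DhcpOffer("10.1.0.5", "de:ad:be:ef:00:01", "10.1.9.40", "sw-dorm3:Gi1/0/9"),         # spoofing the real server
    DhcpOffer("192.168.4.1", "aa:bb:cc:dd:ee:02", "192.168.4.101", "sw-dorm3:Gi1/0/12"),  # registered exception
    DhcpOffer("192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.101", "sw-dorm3:Gi1/0/7"),   # same rogue again
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_OFFERS):
        print(f"{finding.severity:5} {finding.switch_port} {finding.server_ip}: {finding.reason}")
    print("shut:", ports_to_shut(SAMPLE_OFFERS))
```

In production the OFFER records would come from the switch's DHCP snooping table or a capture, and the "block" findings would feed whatever port-disable mechanism the IDS or switch script provides.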
 