Packet Filter On University Network 36
sachsmachine explains: "I'm a student at a major university where the network admins are thinking of moving to a packet filtering system, one that would block non-university computers from connecting to machines on the student subnets. There will be a meeting to discuss the proposal on Tuesday, but to be fully prepared going in, I'd like to be sure what impacts the move would have. Some of the things that might be broken (depending on what ports get left open) are pretty clear -- remote logins of various sorts, file sharing, Web sharing, instant messaging, Napster and everything else P2P -- but are there any important/unusual/cool/academically useful applications whose ports we should lobby to protect?" By the nature of university (and corporate) rule making, once a policy is in place, it's much harder to dislodge or amend than it might be beforehand. Steve has listed a fair number of applications which could be tossed out by this; how would you suggest saving university bandwidth without losing them all? How would you convince a skeptical audience that remote access is not all of a piece?
Re:And the problem is??? (Score:1)
Oooh, 4 whole megabytes! The pictures of my friends could take up more than that.
No CGI. No direct access either, ftp is the only way. And that works only if your ISP has DNS set up correctly (which they should anyway, but...). And the policies say "personal homepages only", I guess I can't mention my web design business. And if you make a great personal site that people will actually want to see, you'll get access revoked due to bandwidth usage.
And, of course, you're missing the possibility of other services. Universty email isn't always sufficient ("What? I can't recieve that patch because the university truncates large attachments?"). Student ftp is rare and cvs is nonexistant, if you want that kind of thing. Databases are unlikely. ssh is impossible when you're off-campus for the weekend or on a job/project. Many irc networks require an identd response, can't get that with no connections. Basically any userland P2P would be broken.
Maybe this is ok for the "normal" people who only use their computers for LookOut and Internet Exploiter, but a good number of us aren't "normal" in that way. It's not a smart move, it's a cheap-and-easy copout.
And the problem is??? (Score:1)
This is a smart move by the Universtity to keep their network under some control.
Re:And the problem is??? (Score:1)
Re:And the problem is??? (Score:1)
That's what hosting companies are for. Schools are in not the business for hosting your web site.
And the policies say "personal homepages only", I guess I can't mention my web design business.
Go ahead and mention it. But don't expect the school (and possible taxpayer money) to pay for you network admin/bacndwidth needs to support your business. If you are hosting something worthy - the University should be able to make an exception. Or maybe someone else will notice its worthiness and host it for you.
What? I can't recieve that patch because the university truncates large attachments
If someone is sending something that big - shouldn't it be hosted somewhere? If that someone is on campus - they could still host their own ftp server for you to see.
Databases are unlikely
Most people don't let their database bases open for connections from anywhere. Your student subnet should be plenty.
ssh is impossible when you're off-campus for the weekend or on a job/project
With that net setup - you should be able to SSH out - not in, no problem there.
Packeteer (Score:1)
Very very cool box for bandwidth management...
Re:Public University (Score:1)
One of our netadmins ran the budget analysis, and for unlimited access, every dorm resident would need to fork over $150/year above and beyond current housing rates (~$5600/yr). That's assuming everyone pays. Figuring an average of one computer per dorm room, that amount nearly doubles.
As it was, at peak times, Napster alone was accounting for over 60% of outbound traffic on our commodity links (non-Internet2).
Re:Make your case with legit reasons (Score:1)
it would be easier to convince network admins to let http through. ftp is a bitch to firewall properly, since in normal mode it opens a connection back to the client. If i remember right, though, passive mode makes a firewall around the server a pain.
in addition to all that complexity, a lot of linux distros, particularly when the it's not the most recent version, come with massively vulnerable ftp daemons. if somebody manages a root shell, then the firewall doesn't offer any protection anyway. just bandwidth limitation. and who wants rooted boxes on their network anyway?
My experiance with university firewalls (Score:1)
I did a little bit of testing of the firewall. A portscan from an outside system showed that all 65535 TCP ports were filtered. Great. I now have trouble connecting to things like IRC (can't connect to EFnet at all, because they REQUIRE an ident response). I finally found a way to redirect my campus mail box to my server. I can SSH into my box by hopping through the CS server. That's really all I need. I'm currently talking to administration about getting those three ports opened up, but I haven't heard anything for a couple of weeks now. We shall see what happens.
Re:Easy answer (Score:1)
Re:Arguing for services (Score:1)
Student's Political Speech (Score:1)
Since the Ubiversity has a monopoly on connectivity in residence halls, that is Students' homes, the bandwidth is arguably more apt than the servers to qualify as a Public Forum, and thus should be open to Students' own webservers.
Re:And the problem is??? (Score:1)
I also can connect back to my server to grab the data anywhere I have a internet connection, so it doesn't matter where I am, I can get at it.
Re:Remember FTP! (Score:1)
Re:Remember FTP! (Score:1)
Re:And the problem is??? (Score:1)
My experiance (Score:1)
Re:Public University (Score:1)
Sounds like UIUC should be giving that bandwidth to the students instead of reselling it. I'm horrified to hear there's a public university using tax money to compete with commercial providers of ISP POPs.
Tactics that I would suggest.. (Score:1)
First, point out that there are legitimate, academics-enhancing usages of an unrestricted LAN -- i.e. things other than Napster. I keep an FTP and VNC server running on my computer -- well locked down, of course -- so that I can access files and resources on my computer when I'm in a lab or something. Given that university computers don't generally have a CD-RW drive and many files are too big for floppies these days, it is a great help. Furthermore, if you are working on a networked academic project -- which is just going to increase in the comming years -- it is extremely useful to not have to wory about it being locked down. And them just filtering from the public Internet isn't going to help, as that will prevent anybody who doesn't live on campus from aiding development of networked projects.
The second prong is more legal and philisophical. You want them to make sure that they are not going to be acting like your personal monitor. This destroys student academic freedom and exposes them to a lot of liability. Once they start blocking incomming connections, the route to first blocking porn sites, then "Objectionable" sites, and then you get the picture after that.
Gnutella File Sharing Will Still Work (Score:1)
These types of actions will however degrade the Gnutella network if everyone adopts them. To some extent, there is a slight shortage of available "Incoming" connections. The network relies on those able to accept incoming connections to do so rather than make outgoing ones. Both types of connections work the same regardless. See Gnutelliums [gnutelliums.com]
More Information Needed (Score:1)
It is advisable, however, to shut off some TCP ports, especially those over 10000, and to limit the number of UDP ports offered at all.
Attend the meetings and find out what the central administration has in mind. Once you know where they are willing to draw the line, you can more easily negotiate opening more ports. Once the policy is written, however, it will be harder than hell to change.
Public University (Score:2)
Both have said that as public universities, they will not filter content, and if they need more bandwidth, then they will get it. (I assume, to a point)
At my private university, the student government has a major role in the network (or can if it wants to) -- so if the suit behind the admins is making poor choices that aren't what the student body wants, chances aren't that slim that said suit will be looking for work. Our school actually passed a resolution to the effect that nothing can be done to the network which inhibits students ability to use the internet just as if they were using an ISP. (since the university is our ISP) -- since then, many of the filters and packet shapers have disappeared almost completely.
-Davidu
Re:Remember FTP! (Score:2)
Certainly there are useful reasons. For example, I've got PHP and MySQL on my personal machine, whereas the standard university servers that I have access to do not. I was thus able to develop and demo a web application for a volunteer cause, show it to them, and make changes before obtaining the permanent box (outside of the university) that it'll run on.
// mlc, user 16290
--
Many cases the University is justified (Score:2)
I don't know what the case is for American Universities, but nowadays in Britain, the Unis are coming under tighter and tighter financial restraints. Many universities probably don't mind too much about people using the available bandwidth in moderation, but these kind of abuses of the priviledge (and it is a priviledge to use to the Uni network for non-academic purposes), make it impossible to justify why free access should be given when there is no (financial) need for it -especially when cash-constricted departments are having to bear the cost of non academic browsing, without having money available to pay for it - which was less of a problem in the older days, when money was flowing more freely within the universities, and general network usage was lower.....
Try to understand the awkward position that many of these universities are in in this respect. Often, it not necessarily the desire to curtail the usage of the network out of badness that is the problem, but external influences such as cost and protecting themselves from prosecution, which the Universities don't have to resources to meet.
Conference and IP-by-phone (Score:2)
Real life example: My brother's GF is Peruvian and regularly uses ICQ and NetMeeting to keep in touch with Lima from Canada. We spend 90 min on the webcam last New Year's eve; something impossible with a telephone. I dare not think how much that would've cost in LD charges.
---
Three problems (Score:2)
The university's actions will certainly impose a modest burden on the student's political speech, but it doesn't seem to be an unreasonable one.
Re:Conference and IP-by-phone (Score:2)
You're probably stuck (Score:2)
What it will do is shut down most of the pirates, which is probably why their doing it, and napster.
Most universities pay discounted rates for their net connections, but some of the stipulations are that it only be used for educational purposes, and maybe a bandwidth limit. Lots of incoming traffic to the student net most likely means stuff is going on that shouldn't be.
Probably your only real argument will be simply that in a university environment, you shouldn't restrict stuff because of free expression, blah blah blah... oh, and "once you do this, where does it end?"
Re:Remember FTP! (Score:2)
Four or five years ago the current employer decided to sell firewalls. They put one in place at work to test it out, and caused all FTP access from a browser to be broken for at least 3 months, made worse by our major supplier using FTP urls in their call logging system. (To download a file we had to browse the web source and manually grab the file by a command-line FTP client which worked vua the other method).
The team responsible for selling these firewalls never managed to fix it. In the end one of my collegues got hold of the firewall password and fixed in in a few seconds. I think this team only managed to sell 3, and all of the cancelled the support contract within 6 months.
Easy answer (Score:2)
The problem with capped Karma is it only goes down...
Re:Arguing for services (Score:2)
Everywhere I've seen (granted that comes to about 10 universities total) students are required to fill out a form acknowledging not to do anything particularly bad before they can plug in. This could be handled when they're picking their login ID (and if your school doesn't let people pick their own login IDs either, well, I guess we have nothing further to talk about. Hmph.).
In any case, it could be done online with - get this - electronic forms. Cost pretty much approaches zero. The list of who goes where can be fed by a web app into the DHCP server. Likewise they get automatically dumped onto the mailing list. A machine runs nessus against the machines in the no-filter pool, dumps the results to a $9/hr work study student, who sifts through and picks out the ones with lots of red, which are handed to a $12/hr student consultant. This is a dirt-cheap project.
Re:Arguing for services (Score:2)
If they were trying to protect students, there would be a space on the dorm ethernet sign-up form that said:
Student machines would be tossed into one of two address pools depending on their answer.
All they're trying to protect are their own behinds and budgets, at the expense of the students' learning environment.
Remember FTP! (Score:3)
While it is true that many firewalls have logic to allow this, simple packet filters do not and can not - you have to allow anything with a SOURCE port of 20 to connect to ANY high numbered port. But, this argument against packet filters only works if they really are using a packet filter - and not some sort of smart firewall.
As far as a university denying connections, make sure that there is some way to gain exceptions to this policy, just in case there are accademic reasons for doing something down the road. For instance, they could require a proposal signed off by a department head, which indicates the academic value of opening the port and what precautions you are taking against abuse.
Sadly, though, my guess is that there aren't too many accademic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.
Find out what their reasons for doing this are. Are they trying to reduce a security threat? Or is it really bandwidth? Make sure your argument addresses their - legitimate - concerns.
Arguing for services (Score:3)
To make an assessment of how you should approach them, you need to know what their motivation is for doing the packet filtering. Is it for security? Is it to limit bandwidth consumption for nonacademic purposes? Is it to stop piracy? Knowing their reasons will help you make your arguments for allowing those services you want.
Now, if it's being done for security reasons, you'll have to argue that the services you want to keep open don't provide a security threat. Maybe get some statistics on number of attacks that utilize the different ports you're after.
If piracy (software, music, whatever) is their reason, you'd want to demonstrate the academic uses for what they're trying to block. In this case you're probably SOL on Napster, but you might get FTP to fly. The only "academic" use I can think of for Napster is a Music Performance major who makes his personal works/performances available through Napster. Show the legit uses for the medium.
Bandwidth consumption is a sticky issue. You'll again have to show an academic need for the service, but also that it does not consume an unacceptable amount of bandwidth. Maybe get some logging statistics for the network, find out what protocols are hogging the network; are the problems being caused by only a few people? There are better ways to control bandwidth use than wholesale blocking incoming packets.
As for "what ports to keep open," the easiest thing to do is survey the students on what network programs they use. It's easier to argue that X should be open because lots of students use it than some obscure program with limited value to the community from keeping it open.
It's really not so important what ports are open now as that there is a means of petitioning for ports to be opened in the future. That will allow you to make changes as new programs are developed using new ports.
Good luck, I hope they consider your case well.
If All Else Fails, Be Creative (Score:3)
Being a fellow college student who spends most of his time doing computer stuff (yes I am guilty of being a CS major), I share your fears. I didnt like it when they blocked Napster- unfortunatly they had a good reason-bandwidth. We tried going to the Admins but were denied. Luckily, being the good CS geeks that we are, we found ways around it.
When you go before the Admin group at school, have your battle plan laid out. Know your strong points and be able to defend your weak points. Be sure to bring friends who share your concerns. If your Teachers agree with you, bring them along too. The bigger your group and more importantly, the better your arguments are, the better off you look to those in charge. If they see that you are not alone they will be more likely to deal fairly with you. Even if your solid, logical approach at this meeting fails, get creative. If the packet filter gets installed, experiment with different ways of getting around it. Now, I am in NO way promoting the idea of doing any type of damage to it or even causing more work for the admins., but see if there are certain things the filter misses. When you find that out you may be able to use it to your advantage. Just remember, try the system first (it may actually work) but there are always other ways.
Make your case with legit reasons (Score:4)
is imply that you are using the network connection for anything other than direct academic uses.
SSH/telnet ports should be easy to keep open. Explain that you're using them for remote access to email or whatever.
Many students put up personal webpages for their job search - resumes, downloadable snipepts of code, etc. Point out that that will be gone.
Pick your battles, though. You may not win on http, but shoot for ftp, or vice versa. Don't throw down over Napster or the like,
becase from an academic standpoint, there is not much use.
Good luck!
Re:Remember FTP! (Score:4)
I couldn't disagree more. Almost all of the current crop of gifted internet technicians (at least those that I'm aware of) learned their stuff by running servers in their college dorm rooms. Throwing static HTML up on a central web server isn't even the same ball game.
I would furthermore suggest that any university that imposes restrictions such as those mooted in this article is not serious about providing residence hall internet access as an academic resource, and is instead doing it for one of three reasons:
Sure there's abuse. So throw on some rate limiters. What's far more important is the amazing collaborative learning that takes place in this environment; students with no technological ability learning from others how to become content providers and participants in the internet information space just like huge corporations (CNN, Amazon, etc). It's empowering, it's educational, it's a crucial step toward preparing students for the real digital world past the campus gates.
As an undergrad, I attended a university with a strong technological focus and a solid commitment to exposing students to IT (U of Michigan). When I look at my classmates, and compare them to less fortunate students at other schools, the difference is shocking. My fellow alum are totally comfortable with email, with the web, with their computers, with the changes in the world around them. Ten years later I went to grad school at a university with basically no on-campus technology (Yale; though they have finally wired most of the dorms at least). Ten years later, with all this technology supposedly so much more pervasive, and the students at Yale don't have anywhere near the comfort with it. They're intimidated by computers, and just as important, they're BAD at using them.