P2P Programs on K-12 Networks?

deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up; the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is necessary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"
  • by rhizome ( 115711 ) on Tuesday May 07, 2002 @06:21PM (#3480513) Homepage Journal
    Use a FreeBSD gateway machine with DUMMYNET. FreeBSD can be configured so that it: a) doesn't have to replace the existing firewall; and b) is invisible so it doesn't show up on traceroutes. This is so that clueful users are not tipped off in a way that lets them complain like pornhounds on a free NNTP service. DUMMYNET will let you set up bandwidth policies based on (groups of) IPs, ports, and more. Client subnets can have full bandwidth on port 80, but the gateway can shut them down to 28.8 on the P2P ports. The possibilities are really open in a situation like this, and any junk computer can be used.
  • by jvbunte ( 177128 ) on Tuesday May 07, 2002 @06:35PM (#3480637) Journal
    I have worked for a local ISD (Intermediate School District) for K12 and I had to deal with the same problem on a countywide basis. Your best bet is to bring the problem to the attention of your school principal or superintendent. What I did was firewall it all, lock everything down except outgoing WWW and Mail (and some other misc specialized stuff) and as the complaints rolled in (and they will) I simply told them that if they can justify the need/use to the superintendent of the school and the superintendent authorized it, I'd be happy to reopen the service. The key is shifting the authority to re-open the service from you to the people in charge. I'd be willing to bet you won't find one teacher who will ask his boss (the superintendent) to allow them to use a warez/porn/whatever P2P program.

    Educate the superintendent on how those things are costing money, whether it's lost productivity, money spent cleaning up the virus mess, whatever. Every K12 institution in the USA's main priority is MONEY (Education is an end, not means). I would also look into the laws governing content in K12 environment. I know in Michigan, there is a law called the Children's Internet Protection Act which stated that all publicly accessed computers within the school must have content filtering enabled in order to qualify for several popular grants (a source of free money from the state). Explain that the lack of content filtering (this is pretty broad, you can extrapolate this to include P2P I'm sure) can jeopardize some serious grant money or prevent you from qualifying for it at all.

    Last but not least, leave everything open the way it is and install some traffic logging. Anonymously log traffic going to www/porn/whatever and if possible, log the traffic lost to P2P and present that evidence to the Principal/Superintendent/SchoolBoard (School Board Meetings are public forums, you probably need to get on the agenda ahead of time however they have to let you speak) and show them the stats. Even if it's "10% of all web traffic from this K12 school is to WWW Porn Sites, 20% is P2P filesharing with no educational benefit" and you have documentation for it, they will not ignore it. Always document everything and Cover Your Own Ass.

  • by Chibi ( 232518 ) on Tuesday May 07, 2002 @06:39PM (#3480661) Journal

    This is mostly about how to bring this topic to the attention of your supervisors, since if your users are already saying there's no official policy against using p2p apps, they'll likely just tell you to get bent on further discussion.

    Over the past year or so, there have been plenty of universities that have made decisions on P2P apps, going in both directions. You can use some of these institutions as examples of why you need to police this kind of traffic. Bring up the same reasons that these universities did, and that you brought up in your question (mainly legal protection and consumption of resources).

    Here are a few examples:



    There are also articles on other sites that list some of the universities that have banned Napster. Here's one article: http://www.ecommercetimes.com/perl/story/4172.html [ecommercetimes.com] . They mention the following universities: Kent State, Rice, Seton Hall and Villanova. I'm sure there are others.

    You can argue that if these major universities with plenty of money can't handle this traffic, how is your small public school district supposed to handle it? Hopefully, the money argument will help you out.

    One final thing you can do (and this is fighting dirty), is point out how much pr0n is out there on p2p apps. That should get someone's attention.

  • by intuition ( 74209 ) on Tuesday May 07, 2002 @06:51PM (#3480750) Homepage
    What is it about systems administration that makes people all high and mighty all of a sudden?

    There are reasons that this administrator can't arbitrarily set policies or change things according to his own whim. Now, if his job was to set up initial access to the internet, perhaps it would have been more appropriate (but not completely) insofar as exercising a certain level of discretion in how the connection to the internet is structured (proxies/firewalls/etc.).

    However, the system is in a steady state, and this administrator has no basis to change it. It's (in all likelihood) not this administrator's job to manage legal liability or even determine if p2p applications are an appropriate use.

    Just as teachers can't change their curriculums as they see fit, without some oversight by the administration - administrators have no right to make these kinds of decisions based on "what they feel is best."

    The administrator however is completely within the realm of what is right and proper to make an observation, (p2p is consuming all our resources), and share it with those people that are in a position to change policy. If you really feel p2p is this horrible, find some users who are affected by it (complain they can't use or their use is substantially affected by p2p traffic.) Bottom line is, if upper management doesn't care, you shouldn't either. Run the network with a hands off approach, much like slashdot does with its comments section. If there are technical problems fix them, if there are ethical problems save the decision making to the people whose responsibility it is to make these decisions.
  • by kmactane ( 18359 ) on Tuesday May 07, 2002 @06:52PM (#3480756) Homepage

    > i'm not aware of any pedestrians being run over by a computer being used by some kid.

    You mean you've never heard of some poor innocent person getting DDoSed halfway to eternity... by a bunch of Winboxen on cable modem hookups, that had been cracked by skr1pt kiddies?

    Heck, Yahoo got knocked flat by DDoS. And where did the skript kidZ get the systems they used for it? Simple: those systems were left wide open by people just like the ones that are causing the questioner so much grief: people who will download any virus-laden executable they can get their hands on.

    On a global network, one person's insecure box is everyone else's potential attacker.

  • Novell BorderManager (Score:2, Informative)

    by cscx ( 541332 ) on Tuesday May 07, 2002 @07:03PM (#3480839) Homepage
    Great caching proxy server + firewall combo. Very tricky to set up, but allows auth on a per-user basis if needed. Also gets you a subscription to CyberPatrol to block "objectionable" sites if need be. The firewall is pretty good, just remember to turn off dynamic NAT or you're back to square one (duh).
  • How We Do It - K-12 (Score:5, Informative)

    by JLester ( 9518 ) on Tuesday May 07, 2002 @07:06PM (#3480868)
    As Manager of Technology for a K-12 school division, I can tell you how we do it. First of all, your system should have an Acceptable Use Policy (AUP). Students and parents should receive a copy of it each year during registration. Ours is included in the Parent/Student Handbook. All students who use the Internet must have a signed form from their parents granting privileges. Ours includes language that states that Internet access is for educational use only! Even though it isn't strictly enforced (we do allow entertainment sites for example), that language is there to back us up on content and P2P decisions.

    Since students and teachers use the same network and computers, all are subject to the same policies and filters. We transparent proxy all requests to port 80 and 554 through iPrisms which filter and then pass the request on to a Squid proxy that generally runs at about a 40% hit ratio. All other Internet traffic passes through our Cisco firewall which performs NAT based on an access list. That access list denies NAT for all the popular instant messaging and P2P applications. Since all computer addresses are private, no NAT means no access. Instant messaging is blocked after an incident where a bomb threat came in that was untraceable according to AOL. P2P filtering is obvious due to copyright violations and bandwidth usage. It is interesting to watch the hits on our access lists from P2P apps that are denied. Kazaa seems to be the most popular, we block several million Kazaa packets each week.

    That's how we do it, if you have any questions, let me know.

    Jason
  • by singularity ( 2031 ) <nowalmart.gmail@com> on Tuesday May 07, 2002 @07:22PM (#3480998) Homepage Journal
    This past weekend I was speaking with a friend who mentioned that his company had gone to a policy like this. They printed out a simple report that showed the top ten users of bandwidth at each location and the top ten domains that each person was accessing.

    The reports were made available to all company employees (I do not remember if they posted the information or just distributed it).

    He said that the total bandwidth used at each site had dropped dramatically.

    I imagine this system would also help get people to log off the system when not using it, since they do not want someone using a computer while they are logged in to access porn and use bandwidth.

    I think this system, combined with blocking several ports used by P2P systems, is the best way of dealing with it.
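
Added example, not part of any comment in this thread: the traffic accounting suggested above (share of traffic by category, top bandwidth users and each user's top destinations), run over a constructed flow log. The log format, host names and the keyed-hash pseudonym option are assumptions; the port numbers are the well-known default ports of P2P clients of that period.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Default ports of 2002-era P2P clients. Assumption: clients can be moved to
# other ports, so port matching undercounts and is only a first estimate.
P2P_PORTS = {1214: "kazaa", 6346: "gnutella", 6347: "gnutella",
             6699: "napster", 4662: "edonkey"}
WEB_PORTS = {80, 443}

# Constructed sample, one flow per line: "epoch src_ip dst_host dst_port bytes"
SAMPLE_LOG = """\
1020800000 10.1.4.21 www.example.edu 80 48211
1020800004 10.1.4.37 peer-a.example.net 1214 7340032
1020800009 10.1.4.21 library.example.edu 80 120044
1020800015 10.1.4.37 peer-b.example.net 1214 5242880
1020800021 10.1.7.5 peer-c.example.net 6346 2097152
garbage line that should be skipped
1020800030 10.1.7.5 mail.example.org 25 20480
1020800033 10.1.4.21 www.example.edu 80 31745
"""

def parse_flows(text):
    """Yield (src, dst_host, port, nbytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[3].isdigit() and parts[4].isdigit()):
            continue
        yield parts[1], parts[2], int(parts[3]), int(parts[4])

def classify(port):
    if port in P2P_PORTS:
        return "p2p"
    return "web" if port in WEB_PORTS else "other"

def pseudonym(src, key):
    """Keyed hash so a report can be shared without naming a machine."""
    digest = hmac.new(key, src.encode(), hashlib.sha256).hexdigest()
    return "host-" + digest[:8]

def build_report(text, top_n=10, key=None):
    by_host, by_class = Counter(), Counter()
    dests = defaultdict(Counter)
    for src, dst, port, nbytes in parse_flows(text):
        label = pseudonym(src, key) if key else src
        by_host[label] += nbytes
        by_class[classify(port)] += nbytes
        dests[label][dst] += nbytes
    total = sum(by_class.values())
    share = {c: round(100 * b / total, 1) for c, b in by_class.items()} if total else {}
    top_hosts = by_host.most_common(top_n)
    return {
        "total_bytes": total,
        "share_percent": share,
        "top_hosts": top_hosts,
        "top_dests": {h: dests[h].most_common(top_n) for h, _ in top_hosts},
    }

if __name__ == "__main__":
    report = build_report(SAMPLE_LOG, top_n=3)
    print(report["share_percent"])
    for host, nbytes in report["top_hosts"]:
        print(host, nbytes, report["top_dests"][host][:2])
```

Passing `key=b"..."` to `build_report` replaces source addresses with stable pseudonyms, which fits the anonymous reporting described earlier in the thread; without it the report names each address, as in the per-user reports described in the comment directly above.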
  • by JLester ( 9518 ) on Tuesday May 07, 2002 @07:30PM (#3481051)
    I-Gear has gone way downhill over the past couple of years and has driven off many school systems including mine. Their Linux version never ran properly on a multi-processor server. With no support for load-balancing and sharing of user accounts, that was a killer for a large system. If that wasn't bad enough, their support really went in the crapper when Symantec bought them out. I used to be able to talk to the programmers directly when we had a problem. Now, the support people don't have a clue about Linux or Solaris. Their DDR and auto-lock features are excellent, but the company has spoiled us on their product for good now.

    Jason
  • by Anonymous Coward on Tuesday May 07, 2002 @07:32PM (#3481071)
    I am a freshman in a TN high school. Apparently, the teachers all ran napster during its glory. Now all of the traffic must go through a single 486 running NT4 as a proxy. It wouldn't be so bad if the proxy worked, and we also had an ssh proxy and X servers on all the computers, but it doesn't, and we don't. I am currently experimenting with getting a command prompt through the http proxy, but I shouldn't have to. I will probably smuggle a laptop in and nmap the proxy when I get a chance, but this is all so ridiculous. How would I contact the person in charge of the school network?
  • by hendridm ( 302246 ) on Tuesday May 07, 2002 @07:36PM (#3481102) Homepage
    Our school uses a more gradual approach. I'm not sure how it works, but every connection to the Internet through the school is given full throughput. Some script monitors usage over time and throttles your throughput down to almost nothing on all ports when it "senses" heavy bandwidth. If I left my P2P software on full, it would take about 1-2 hours before my connection would be nothing. Changing my IP address works, but I have to hard-code it and change it often, and it conflicts with DHCP leases. It sucks that it kills all ports!

    Once your usage begins to go down, it increases your throughput.

    Probably the worst part is that it also throttles the off campus cable modem users who are connected through the University (and pay $30/month). You can get around it by paying $50/month, but most people deal with it for the discounted $30/month access.
  • by Anonymous Coward on Tuesday May 07, 2002 @07:41PM (#3481141)
    Okay, I AM a K-12 teacher, and one of the problems is we have heavy-handed network admins shutting off random ports and websites without ever asking what they are being used for.

    For instance, I teach my econ. kids about napster and p2p and the concerns that raises to copyright laws. Then we go and experiment with it.

    I teach my computer class about yahoo, hotmail, and other services that they can access from computers once they leave the school.

    But some tech, 50 miles away, in the (los angeles) district office has decided to start blocking my access. Every day I play a cat and mouse game with someone I don't even know, because nobody from the administration will tell me who is blocking me.

    All I ask is there be some failsafe built in, to allow teachers with real uses for certain services to teach their kids.

  • Deep Freeze (Score:1, Informative)

    by Anonymous Coward on Tuesday May 07, 2002 @08:00PM (#3481272)

    I didn't bother to wade through most the messages, so this might have been said, but

    My school uses a program called Deep Freeze, what it does is it stores an image of the computer as the Admin sets it, and then when a user logs off all changes made are undone and it's restored to the image.

    When students (and teachers) have to save a file, it's done on a separate fileserver. It's mildly inconvenient for we students, but tech people don't have to reformat every computer once a month anymore.

    I found this review of it: http://www.ncesd.org/etsc/etug/pricelists/DEEP%20FREEZE.htm and here's another site with some info: http://www.winselect.com

  • by Anonymous Coward on Tuesday May 07, 2002 @11:12PM (#3482265)
    Virii is the plural of 'vir'. That means 'Man' in Latin. Virii means 'men'. 'Virus' in Latin was intrinsically plural--There is no word 'virii' in Latin referring to 'virus'. The English version is singular. Therefore, you treat it like any other English word, and use 'viruses'
  • by bloggins02 ( 468782 ) on Tuesday May 07, 2002 @11:56PM (#3482410)
    Ok, I'm being pedantic with myself, but that should read: "Any simply connected closed 3-manifold is homeomorphic to the 3-sphere." This is, of course, the Poincaré Conjecture.
  • by rowdent ( 203919 ) <.chradcliffe. .at. .gmail.com.> on Wednesday May 08, 2002 @12:14AM (#3482480) Homepage
    At the high school I used to attend, the board techies once blocked all common incoming ports (i.e. ftp, sendmail, telnet) except 80 out of spite because we had a linux server serving webpages that students and staff created as well as the official school website. They even denied doing this until we asked them why nobody could remote ftp to upload webpages. They quickly fixed that port, and whenever we needed a service opened we would have to petition them to get it opened. We won an outstanding new project award from the school board as a whole, but all we received from the board techies was strife over the linux machine. Unfortunately a lot of techies tend to hate what they can't understand, but in the case of p2p I can understand the predicament.
  • by Anonymous Coward on Wednesday May 08, 2002 @12:44AM (#3482611)
    >>> Well, I got out of high school about 5 years
    >>> ago

    > Man, glad I put up my AC shields...sorry, it
    > ain't flamebait, just the truth. BTW, this is
    > the same poster as above, to whom you responded.
    [...]

    > BTW, my "little brain" is about 3 months away
    > from a Ph.D. in Electrical Engineering.

    You can get a doctorate in electrical engineering that quickly (5 years from high school)? From where, a Cracker Jack box? Did you respond to one of those college degree spams?

    My bullshit detector's going off here. In all likelihood, you're still *in* high school and one of those "too stupid to live" teachers gave you a bad grade.
  • P2P in K-12 networks (Score:2, Informative)

    by thefuckedupgenius ( 561924 ) <granianNO@SPAMattbi.com> on Wednesday May 08, 2002 @12:49AM (#3482639) Homepage
    Although the teacher's attitude towards "piracy" and "stealing" are good, considering the fact that my particular institute of learning has teachers who are, in all honesty, not good enough with the technology to know how to use said programs. But, I've seen the various cases of students downloading BearShare and KaZaA for use on school computers. The point is, people, that this is causing or will cause a severe bottleneck. This isn't fair to the students who have to use the networks for *gasp* school related projects. If everyone's using HD/bandwidth to download illegal files while two or three people are trying to research the science project, the people doing what they're supposed to do aren't gonna get in. So, what I would do in the situation is block the ports, and blame spyware. Make sure to exaggerate about the spyware. Most non-techno savvy teachers will repulse at the thought of KaZaA, Inc. collecting their personal information, and hate junk mail with a passion. Take (albeit, unscrupulously [sp?]) advantage of their relative ignorance here. And block the ports for good measure.
    Jesus told you to mod me up.
  • My two bits. (Score:4, Informative)

    by _aa_ ( 63092 ) <j&uaau,ws> on Wednesday May 08, 2002 @12:56AM (#3482658) Homepage Journal
    I hate firewalls, proxies, and that crap. They don't really stop anything.. they just funnel it all into 1 port. Instead.. I would suggest per user bandwidth/disk quotas. Also.. like lockers.. the systems are school property, not faculty or student. Thus, I don't think there's any right to privacy. Snoop, spy, sniff till your heart's content. As important as I think privacy is, I don't feel it is a right at school or at work. I feel it is a privilege that can and often is abused. Legality aside, if you're doing something you don't want other people to know about, it's probably not too smart to do it at work or school. Faculty or students can probably look at the post-it note under your keyboard and violate your privacy just as easily as the administration. If you get caught doing something you shouldn't do, you have no one to blame but yourself.

    Of course, I would not outlaw all recreational use. If some kids would like to play a spirited match of BZFlag during their lunch break, so be it. Turn students and faculty onto legal ways to enjoy computers. A policy of, "NO FUN 4 U!" will only succeed in turning teachers and students off of computers. There's tons of free fun crap on the net.
  • P2P at Schools (Score:2, Informative)

    by KingFoo ( 175702 ) on Wednesday May 08, 2002 @08:54AM (#3483747) Homepage

    I'm in a similar position regarding P2P software. What we did was install a Packet Shaper [packeteer.com] between our router and our network (It's a 1U box that sits in our rack). It lets us reserve bandwidth and set priorities of what services (so even if Kazaa and Audiogalaxy are able to use all of the available bandwidth, the packet shaper starts dropping packets for that service). We group all the P2P services together, throttle down the outbound bandwidth for p2p (don't want to pay for bandwidth that my users aren't using), set http as top priority and let them (teachers and students alike) share as much as they want. From the user point of view, the program is very slow. We do get some complaints, but when we explain (and demonstrate) that when the filter is off, then the web stops working (and show some handy charts showing what is using the internet connection) most users understand (even the 15 year olds trying to download LOTR)

  • by Anonymous Coward on Wednesday May 08, 2002 @09:46AM (#3484056)
    Not the cheapest route (I don't order stuff or do budgets, just admin) but it is the best thing that happened here on campus. 80% used to be going to P2P programs on 6 T1's. I can now consistently pull updates and such at over 100K/sec via FTP/HTTP etc.

    http://www.packeteer.com/products/packetshaper/index.cfm
