P2P Programs on K-12 Networks?
deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up, the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is necessary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"
If they're K-12 teachers... (Score:0, Insightful)
proxies (Score:4, Insightful)
Filtering/Throttling (Score:5, Insightful)
As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.
--Robert
New hardware (Score:5, Insightful)
You just put in a new firewall that doesn't support such things. Technical limitation, wink wink.
In other words, lock them behind an http only proxy, or whatever other proxies they really need. You aren't a general use ISP.
If they complain, tell them it's impossible to change, due to some complex technical matter. Just mention TCP header length and TTL and their eyes will glaze over as they nod slowly.
Yeah I have a suggestion (Score:5, Insightful)
Hold a meeting with your staff, and explain to them the dangers, liabilities and your other various points. Explain it so THEY will understand what you are talking about, without talking DOWN to them. If they are responsible adults, they will understand and should comply somewhat if not entirely.
I always believe that it is easiest to reason with people before going behind their backs with rules, policies, etc. Once you have an understanding established, then apply some rules and policies, with the backing of the staff.
Beyond that if they won't work with you, then block the common file sharing ports or throttle the bandwidth to their workstations! That will always work!
Acceptable use (Score:5, Insightful)
Find out if your town or county has any kind of acceptable use policy. They probably do. Or, if your school receives state funding, perhaps there is an acceptable use policy at the state level. In short, follow the money and then check for policies.
I'm sure you'll find that what these teachers are doing is not acceptable. Put up a firewall, do what you need to do so that P2P software doesn't work, and when they come and complain point to the policy that defines acceptable use.
Whatever you do, enforce across the board! Don't just block the few teachers that are the problem, block the whole network. That's the best way to stay out of trouble.
Paranoia In Place of Policy (Score:4, Insightful)
A little paranoia goes a long way. And as an added benefit though, you don't have to stick up for anything because you're not changing policy at all. You are "executing the due diligence required by law".
Good luck...... (Score:2, Insightful)
Try for an acceptable use policy first. I would recommend you implement it at the beginning of the next school year (assuming non-year round school here)
Try and get buy in from the high up muckity mucks and or a technology "team". I went through guiding a whole district onto the internet.
The policy part was the toughest......
I assume we are talking multiple k-12 sites with point to point links? If you do have routers between the schools, you could block most of the ports, (to give you breathing room)
What are you running for OS and Network OS?
Re:Yeah I have a suggestion (Score:3, Insightful)
Point out that bandwidth is like budget. They've all had to cut something so that everyone gets some budget, and therefore understand that short budget is a zero-sum game. In this situation, your bandwidth is zero-sum.
make your views known, give 'em 30 days (Score:2, Insightful)
I sympathise. These people aren't *evil* and they aren't *misguided*, they have just been (ignored) and allowed to get away with too much usage for too long.
They are intelligent, else they wouldn't be teachers. So be reasonable.
Post something [physical] somewhere [physically] obvious and non-threatening.
'Hi I'm your new sysadmin. Nice to meet y'all. I have a problem: We have xKb/ month for education, and yKb/ month is being taken up with (all the things you are concerned about)
Here are my rules....(name them)
If anyone has a problem with these, I'd be really interested in your thoughts.
You can come find me in room z, or mail me at roomz.wherever
Regards
BOFH (or whatever your real name is)
__
I promise, this will shift 70, 80% of the problem, then you can start to worry about the ones that ignore this.
george
Hmm... (Score:3, Insightful)
You could make the P2P stuff run so slow as to be useless... or you could send your own trojans that will erase the drives of the problem users...or you could send them porn, and get them fired...(oh, and don't get caught doing any of the above.)
Or, perhaps you're just screwed because you're trying to enforce rules where you have no authority to do so. I'm not necessarily saying you shouldn't have the authority... just that you clearly don't, and any attempt to enforce your idea of policy is bound to cause you trouble. Your time is probably best spent figuring out how to get a policy.
Education. (Score:4, Insightful)
I might have gotten something wrong but if you're managing the network, usually it falls within your responsibilities to make sure to implement EVERYTHING (including some policy, or at least submitting them) for the proper operation of the network, which includes both load balancing, security and legality (to a certain extent, at least proving that you thought about it and implemented it to a certain level won't hurt).
Now if we tell you to cut down trees for a paper company and we hand you a kitchen knife, you'll say "you're crazy", well same goes with being an admin, if you're ADMIN and you can't do zit, it's a big issue. If it was a mess before you arrived, probably that the organization was a mess in the first place, I'd document everything, put up a structure of the network and who's responsible for what, limit the number of people that have "power" over the administration because as we all know, the more admins on a box, the more potential problems. So you have to do your part, be professional, use people's experience and be open to suggestion, but at the same time, document every problem, and don't always go to your supervisor saying all of the problems, he's probably already familiar with them, for every problem, bring in a solution or two with arguments and documented facts (and normally supervisors like having a choice and feel like they did the work so... use that to your advantage).
As for the P2P application, I've fixed the problem at work, I've put QoS and 1-2K/s on the total bandwidth, it's transparent "it's still working so I didn't do anything" and when those dead weights would come and see me "well probably its not optimized for our network structure and I have enough work to do, if this is a priority, go see your manager or big boss". It's politically correct since you didn't block the port and the user has no idea on what's really going on (unless reading slashdot
Good luck.
Re:Filtering/Throttling (Score:1, Insightful)
that's a tough situation (Score:3, Insightful)
In order to get one defined, you need to start talking to administrators. Find out which services they desire to provide and which they don't. Point out that most security and network use policies these days start by defining what you are allowed to do and blocking the rest of the traffic. Put out a request to the staff that they give you a list of applications that they use for purposes of education and then get a group together to review that list. If something strikes you as questionable, ask the person to justify it.
You'll also, more than likely, want to get a list put together of officially supported software and a procedure for getting a piece of software onto the officially supported list. This keeps people from coming to you and saying "I can't download files with Morpheus" because you can just say "Is it on this list? No? Then not my problem." Part of the process of getting something on that list might be a written justification of why it should be there, and for commercial software proof of license.
You don't want to be the only one making decisions. You should get a committee together. You'll want an administrator and a staff member on the committee. Decisions about what will and will not be supported will be made by the committee. You need these people because they understand the classroom, that's not your job.
If it comes to it, you might want to take a look at your job description. Figure out what parts of your job you can do, and which parts will need a more defined policy to enable you to do your job properly. This is important -- if your job description says "support educational activities requiring network access and use of the internet," whacking traffic that doesn't fall into those categories is clearly a part of your job as it increases bandwidth availability for educational purposes. When somebody complains, you need something you can point to for the purpose of defending your actions.
Start at the top, schedule some meetings with administrators and express your concerns to them. Most school administrators are reasonable people and when you explain that these things are necessary for a smooth running system they'll understand. Also, most school administrators are scared sh*tless of the words "potential lawsuit", don't be afraid to use it.
Re:Filtering/Throttling (Score:2, Insightful)
Re:I'd Lie like hell... (Score:3, Insightful)
Explaining these things reasonably to users without making them feel like you're hating on them is perhaps a better solution. Tell them it's illegal, sometimes they just don't know. If they don't care, as has been pointed out prior to my posting they have no basis to argue with you if/when you block the ports. But tell them it's happening before you do it, or right after you do.
If somebody above you tells you to open the ports or allow the illegal activities to continue, explain to them what kind of ethical, not to mention legal issues they are bringing onto you.
I have at previous jobs had my employers sign written up and sometimes notarized documents saying that it was their decision and their action allowing the illegal activities to continue. (After I said no they got somebody else to do it against my recommendation.)
And one question: Do you like or need this job so badly that you can't explain to them your points of view without fear of losing it?
Computer policy in educational institutions (Score:2, Insightful)
I'm on a county board of education in Calif. Send a note to your supervisor detailing the legal liability your district is in. Perhaps include the latest Microsoft tactics in auditing school districts with a heavy fist.
Tell him this is something which needs to be fixed with a written policy ASAP, or you'll need to go to the board. Tell him you'll be willing to draft this policy. If he and the board have any sense they will thank you. Likely they are all unaware of the legal problems which they could face. Legal problems get noticed.
RK
Re:Take Charge (Score:5, Insightful)
To the guy in the story,
The first thing you need to do is to write a letter to whoever is directly above you and request that it be forwarded on to administration. Outline your concerns, explain any legal liabilities the school may have, cite lost man hours (translated into $$$) and instructional time caused by what's going on, and be sure to give a way (or ways) the problems can be addressed. If you don't include a potential resolution, then all you will have accomplished is that everyone knows about the problem. If the right people don't get it after you've followed the chain of command, submit it to the school board.
The technical side of this is the easy bit. Get the political support you need from the top and then start to implement. But be sure to do your homework before you start screaming. It'll pay off in the end.
I have worked as a consultant to quite a few K12 IT Directors who were in the same situation that you are in. This path usually works. However, some school districts want their teachers to be able to do whatever they want. If that's the District's opinion, and you can't just pack up and go elsewhere, make sure to do a good job of CYA.
Good luck!
Re:New hardware (Score:4, Insightful)
From years as a government worker, I have noticed that if you really want change, break something and blame it on the users.
Your systems are in chaos? Good! Stop pushing anti-virus updates, stop pushing win32 hotfixes, tftp a known bad image to your premise router, secretly push installs of quake3 and UT to all the workstations. If the users ask, say that their systems need to be reloaded to make things better.
If they will let you install Linux, do it! If not, install win2k and all the updates. Add the user to the box as a USER and remove USER permissions to WRITE anywhere but their desktop.
When they ask what is going on with the ability to install stuff, LIE...a lot. Claim that the latest hotfixes from M$ implement a security policy on corporate systems that only allow apps to be remotely installed from the Domain Application Server.
In short, users expect to be lied to and they want their computers to be fast and reliable. They want their Net(not)work(tm) to actually pass packets via some type of IT system and not have to be hand-carried via a Cuban waterboy. In your situation, the users' needs and expectations are converging. Take advantage of the situation and become...The Network Natzi, The BOFH, whatever you want to call it.
Re:New hardware (Score:5, Insightful)
Re:Go to Administration (Score:2, Insightful)
* More pipe to download means more $$
* More viruses means more of your time devoted to clean up and removal and more downtime resulting in higher costs etc.
You get the idea.
Figure out what the cost of *your* time will be in dealing with P2P.
Administrators know the IT staff are stretched thin, and a carefully worded statement saying something else is going to have to give or we are going to need to spend $$$$ goes a long way.
Stupid Responses (Score:3, Insightful)
Part of that, as you have capably done, is identifying areas that need improvement or fixing (such as the P2P problem you mentioned). Your position doesn't entitle you to be judge jury and executioner though!
If illegal downloads are a problem, then you need to talk to the head of the school. You need to explain the legal and financial risk of allowing these downloads to continue. You need to highlight the financial and bandwidth cost that the downloads are incurring etc etc. If the head of the school says, 'Yes, we agree. Do something to fix it' Well you just got your policy and you have carte blanche to fix it - ie block ports or whatever.
If the head of the school says, 'No, I don't want you to do anything'. Then don't. It's not your problem anymore. The head of the school has just accepted responsibility for any related issues that will occur from this continued use of P2P.
You shouldn't be doing underhand sneaky tech tricks to get the results you want on a problem that is more political in nature than technical. Doing so will mean you get out of your depth and fired.
Re:Yeah I have a suggestion (Score:1, Insightful)
Not always a valid assumption. In fact, if they are grabbing warez, almost certainly a bad assumption.
Plus, in this kind of situation, all it takes is a couple to hog all the bandwidth. Problem still exists.
I agree with the people who are saying limit the p2p bandwidth. You absolutely can't trust people to voluntarily limit themselves in this. They won't like it, and they won't see any benefits to themselves enticing them to alter their behavior. Courtesy cuts no ice, not in the modern world. You have to enforce the limits.
Re:If they're K-12 teachers... (Score:2, Insightful)
- Install Linux on all the workstations, make them work a little harder to install their P2Ps and they might learn something along the way. The ones that can't figure it out will not bother and just focus on their work.
- That will save the school lots of money and make the kids and teachers smarter.
- Use the money saved to buy more bandwidth.
Am I kidding, well, yeah, a little. But, quite seriously, kids (and us big kids) are curious and at times a bit mischievous. I know when I was a kid (a long, long time ago) a roadblock like this would just get me going and I would figure out how to make it happen, and learn a lot along the way. They aren't learning shit by downloading some Windoze setup.exe and loading up Kazaa or whatever. They are learning quite a bit by figuring out how to do it in Linux.
Some of you are utterly amazing (Score:2, Insightful)
And then you complain that the same people you've lied to are such utter incompetents about technology. How can you expect them to ever learn if you tell stupid lies to them?
Furthermore, some of these crackpots are the same people who will whine and complain if something about their own workplace were changed and they weren't given satisfactory answers. Hypocrites, the lot of them.
Just do what you have to do and be honest in why you're doing it. Sure you can gloss over some of the specifics, but explain to any reasonable person that you're having bandwidth issues and that person will begrudgingly accept your explanation. If you run into problems, you have to advocate your position with your supervisors better until they do understand the costs and headaches that the current system has.
My $.02
Re:If they're K-12 teachers... (Score:5, Insightful)
Then it's off to at least another year to get the credential (though since we live in California it's currently not required, but for the sake of the argument, go with me...) That program involves supervised and unsupervised time in a classroom, preparing and presenting lessons, and dealing with whatever age-level class you're in while trying to teach children who, for the most part, just want to go out and play. I've known several people who went through the entire program only to wash out in the classroom. Imagine devoting years of your life to an unpopular, low-paid career only to find out you can't cut it. People become teachers because they want to. People become IT drones because of the pay.
How good are you at keeping the attention of a room full of 1st or 2nd grade kids? If you're like most readers here you're probably working in an office somewhere and dealing with people who, for the most part, know how to do their jobs at least minimally. You can communicate with them on the same level. And you spend most of your time in an 8-foot-square cubicle interacting with a machine that will do whatever you tell it to do (unless you're running WinME). Not exactly a rough existence, eh? Now imagine yourself in a room with 30 PCs, each with a different OS/CPU/GUI, and someone has broken into each machine and is installing and removing programs and drivers at random while you're trying to share a printer to each machine. You can't just yank the network and power cords. Wanna come to work today?
I will admit that "liberal studies" is kind of a fall-back major, but becoming and being a teacher in this country is not easy. I come to work every day and have no fear that a co-worker will pull out a gun and shoot me. I get paid well for the work that I do, and I don't consider it to be difficult work. But in the end, the work I do is inconsequential compared to what teachers do. Sure, there are some teachers who just don't care anymore, but wouldn't you get burned out if you can droves of people shooting down your profession after you've given years of yourself to it?
When I introduce you to my wife, go ahead and speak very slowly and in short little words. I'll be smiling as she plows your little brain into the ground.
SciFi channel for Dummies (Score:3, Insightful)
A good idea is something like dummynet between your internal network and your router. You can throttle bandwidth or add queues (simulates lag) to specific services over your network according to IP addresses or service ports. You can force an even bandwidth distribution between all the hosts connecting through port 80 but throttle back the speed of anything coming through other ports. You don't necessarily have to block file sharing requests but you can keep them from dominating your network. Once you remove the incentive for people to use P2P services on the school's network they will knock it off.
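The shaping described in the comment above, as an added example that is not part of the original post: a script that renders ipfw/dummynet rules giving web downloads an evenly shared pipe per host and everything else one small pipe per direction. The LAN range, interface name, bandwidth figures and rule numbers are constructed assumptions.

```shell
#!/bin/sh
# Added example: dummynet shaping rules for a FreeBSD ipfw gateway.
# Constructed assumptions: LAN 10.10.0.0/16 on inside interface em1, a
# ~1.5 Mbit/s uplink, rule numbers 1000-1500 free, site filter rules at 2000+.
LAN_NET="${LAN_NET:-10.10.0.0/16}"
LAN_IF="${LAN_IF:-em1}"
WEB_PORTS="${WEB_PORTS:-80,443}"
WEB_BW="${WEB_BW:-1200Kbit/s}"        # shared fairly by all web downloads
OTHER_DOWN="${OTHER_DOWN:-64Kbit/s}"  # every other inbound service, combined
OTHER_UP="${OTHER_UP:-32Kbit/s}"      # every other outbound service, combined

# The rendered rules are piped to a shell when APPLY=1, so each setting must
# be a plain token of the expected shape before it is interpolated.
valid() {   # usage: valid <extended-regex> <value>
    case "$2" in ''|*[!0-9A-Za-z.,/]*) return 1 ;; esac
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

check_settings() {
    valid '[0-9]+(\.[0-9]+){3}/[0-9]+' "$LAN_NET" &&
    valid '[a-z]+[0-9]+' "$LAN_IF" &&
    valid '[0-9]+(,[0-9]+)*' "$WEB_PORTS" &&
    valid '[0-9]+[KM]bit/s' "$WEB_BW" &&
    valid '[0-9]+[KM]bit/s' "$OTHER_DOWN" &&
    valid '[0-9]+[KM]bit/s' "$OTHER_UP"
}

render_rules() {
    check_settings || { echo "refusing to render: bad setting" >&2; return 1; }
    cat <<EOF
# Pipe 1: web downloads. The dst-ip mask on the queue creates one dynamic
# queue per LAN host; equal weights split the pipe evenly among active hosts.
ipfw -q pipe 1 config bw $WEB_BW
ipfw -q queue 1 config pipe 1 weight 1 mask dst-ip 0xffffffff
# Pipes 2 and 3: one small shared pipe per direction for everything else.
ipfw -q pipe 2 config bw $OTHER_DOWN
ipfw -q pipe 3 config bw $OTHER_UP
# Traffic toward the LAN (leaving the gateway on the inside interface).
ipfw -q add 1000 queue 1 tcp from any $WEB_PORTS to $LAN_NET out via $LAN_IF
ipfw -q add 1100 skipto 2000 udp from any 53 to $LAN_NET out via $LAN_IF
ipfw -q add 1200 pipe 2 ip from any to $LAN_NET out via $LAN_IF
# Traffic from the LAN: web requests and DNS queries skip the slow pipe.
ipfw -q add 1300 skipto 2000 tcp from $LAN_NET to any $WEB_PORTS in via $LAN_IF
ipfw -q add 1310 skipto 2000 udp from $LAN_NET to any 53 in via $LAN_IF
ipfw -q add 1500 pipe 3 ip from $LAN_NET to any in via $LAN_IF
EOF
}

# With the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe or queue
# is accepted without further rule checks; set it to 0 if shaped traffic must
# still pass the filter rules at 2000+.
# Dry run by default: print the rules for review. APPLY=1 loads them (needs
# root, ipfw enabled and the dummynet module loaded).
if [ "${APPLY:-0}" = "1" ]; then
    render_rules | sh -e
else
    render_rules
fi
```

Nothing here blocks a port: non-web traffic still works, it just cannot take more than the small pipe, which is the effect the comment is after.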
Go voyeuristic! (Score:3, Insightful)
Then punch the living shiznit out of the fuckin' unrespectful perv.
Re:Delete Windows, put up an FTP server (Score:2, Insightful)
I worked in an education institution a few years ago, and this sort of thing was commonplace. Initially, there were no rules or procedures in place that applied to staff. Students were covered, but staff continued to be a problem. Until formal rules and policies were put in place, there was no real option other than to break the software and plead ignorance.
It was not uncommon for us to hunt down executables that were doing "bad things", and corrupt them. People rarely complained, knowing that they were breaking the law in the first place.
Lie to no one (Score:3, Insightful)
You really ought to set up a good firewall and Squid proxy server, though. That's just common sense; you don't want people hacking in to the school, and when a whole class hits a web site, you want 1 person to load the cache and 29 people to read the cache (not 30 people pulling down the web page from the site). That will give you a good position if and when you do get the authority to set a policy: instead of saying "Don't do X", you make it very difficult to do X. It's better to make it hard to do the wrong thing, than to try to punish those who do the wrong thing.
You could suggest a really strong firewall, with only specific ports opened, and require a request in writing to open any other ports. Like someone else suggested, you could write up a proposal for what you want, and see if you can get someone above you to say "go ahead and do that".
If your superiors require you to let the teachers continue to run riot, just get a good paper trail going: get your orders from above in writing, document in writing all the time you have to spend running around putting out fires. When it's time for your performance review, pull out the paperwork and say that you have been doing the job they ordered you to do; you don't want them to give you a poor performance rating because you didn't get much else done while you were running around putting out fires.
steveha
Re:Filtering/Throttling (Score:3, Insightful)
The nice thing about this system is that it does not prevent anyone from going to these sites or doing these things. If you find that you need to go to a porn site to help you learn about pornography laws (as I had to do just today - some porn sites have a better defense of pornography, and therefore definitions of common terms such as "indecent" as well as arguments concerning the First Amendment, than most other sites), and you go there frequently enough to make the list, then you can simply tell people what reason you were going to the sites.
If you do not want to explain yourself, then do not.
Get the teacher's union to write it up in the contracts that teachers cannot be fired based on what the reports show.
While you might talk about how you think that you should be able to do personal web browsing on your work computer, let me give you another reason: Someone pays for that bandwidth. If you are working for a school, more than likely it is the state government that is paying for it.
I, for one, do not like the idea that my already under-funded schools are having some of their budgets taken away by a teacher who is browsing the Internet for their own personal use. Take a coffee break and drink the coffee that my tax dollars are paying for. But when you start doing a lot of P2P stuff that I have to pay for, that is where I, as a taxpayer, draw the line. This is especially true when you might be downloading copyrighted material illegally.
I do not mind a little web browsing every now and then. The line is massive bandwidth usage.
One other thing - my friend continues to do personal web browsing while at work. He simply limits it to the amount that he knows will cause him not to make the list. This is a great solution for the employer (who knows that its employees are not using too much time to do personal things) and the employees (who do not have the right to surf taken away completely).
The system is not so much about taking away your ability to surf (blocking ports and domains would do that) so much as limiting the amount that you are able to