Solution For College's Bad Network Policy?

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."
  • Linux (Score:5, Interesting)

    by Timmmm ( 636430 ) on Saturday June 06, 2009 @02:36PM (#28234883)

    Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.

  • Use a VM (Score:5, Interesting)

    by Anonymous Coward on Saturday June 06, 2009 @02:36PM (#28234887)

    If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.

  • by reeeh2000 ( 1328037 ) on Saturday June 06, 2009 @02:39PM (#28234923) Homepage

    What I found to be the best solution is to run Linux. My campus required Cisco Clean Access Agent and Service Pack 2 to use Windows on the network. I wasn't required to, as Linux is allowed to connect without these. As for other concerns, I would suggest setting up an encrypted proxy server at home and then connecting through it. This will also allow for torrenting and P2P file sharing, as this is often blocked on campus.
  • thumb drive linux (Score:4, Interesting)

    by elwinc ( 663074 ) on Saturday June 06, 2009 @02:39PM (#28234929)
    Build one of those "linux on a thumb drive" things and do your private stuff on that. You might be able to get away with a dual boot system; their app on the windows partition and privacy on the linux partition.
  • My Solution (Score:5, Interesting)

    by Adam Zweimiller ( 710977 ) on Saturday June 06, 2009 @02:43PM (#28234973) Homepage

    When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (McAfee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc., just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Macs and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to Linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to login 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is set up the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.
  • entrepreneur (Score:5, Interesting)

    by TheSHAD0W ( 258774 ) on Saturday June 06, 2009 @02:44PM (#28234995) Homepage

    "There are no wireless broadband providers available in the area, I already checked."

    Start one. Given what you've told us, there should be plenty of demand.

  • by Anonymous Coward on Saturday June 06, 2009 @02:45PM (#28235011)

    I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.

    So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.

    You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.

  • by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Saturday June 06, 2009 @02:56PM (#28235141) Homepage Journal

    Odds are they'll simply tell him that linux is not supported under their network.

    Disallowing operating systems other than Windows might make certain parts of CMU's computer science program [cmich.edu] more difficult for students.

  • by characterZer0 ( 138196 ) on Saturday June 06, 2009 @03:13PM (#28235327)

    How do you know what the app does? Do they provide source code? Can you compile it yourself and run it? If not, you do not know.

    His concern that this application may read local files, sniff network traffic, or log keystrokes is completely valid.

    What is wrong with Internet Connection Sharing? Maybe he has two computers and wants one to act as a firewall for the other. Or maybe he is developing clustered applications and wants to use his own high-speed switch behind one computer acting as a router.

    I would go to a different college.

  • Re:No. (Score:5, Interesting)

    by Macman408 ( 1308925 ) on Saturday June 06, 2009 @03:15PM (#28235353)

    One of my college roommates was responsible for the dorm networks; they definitely had policies that pissed people off (usually the people who were abusing the network the most), but it was done so that the limited resources were usable by everybody. Among them:

    P2P traffic was capped at 50% of total bandwidth.

    There was a rolling monthly bandwidth cap. Exceed it, and you were capped at 56k modem speeds for about a week until you were under the cap again. (On-campus traffic was not counted, and not limited; many large downloads such as linux distros were mirrored on-campus.)

    If you picked up a virus, you were isolated from the network. The only thing you could get to was windowsupdate.com, until you removed the virus and called the helpdesk to promise you had an antivirus installed.

  • Re:No. (Score:5, Interesting)

    by finalfrog ( 1379051 ) on Saturday June 06, 2009 @03:17PM (#28235371)

    My college doesn't require us to install anything to access the network. Of course that's mainly for two reasons: 1. If you're going to Harvey Mudd, you probably have mastered the basics and possibly several of the upper reaches of computer and internet security, and those who haven't usually learn fast from their peers that do. 2. Honor Code. This is actually one of the basic tenets of Mudd, not just of computer usage, and it basically means "Use common sense and when that fails report yourself." It sounds crazy, I know. You'd think it'd cause a breakdown of justice and total anarchy because no one would obey the rules, which might very well happen on many larger campuses. But when you consider the kind of people that attend Mudd and its small size, it actually works darn well. Hell, it's worked for over 50 years and Mudd still turns out incredibly bright students either in spite of or because of the Honor Code, depending on your viewpoint. People actually do report themselves when they cause problems and there is a student-run judiciary board for those who don't, which runs quite efficiently. All in all, the policy causes less stress and anxiety for both the administration and the students than invasive strategies like the one described in the article.
  • common, not good (Score:5, Interesting)

    by Goldsmith ( 561202 ) on Saturday June 06, 2009 @03:24PM (#28235473)

    This is a popular new trend in university network "security." It will be hard to find a school which is not at least considering this.

    I have been at a university (UC Irvine) where a system like this (Cisco Clean Access) was put into effect by the housing department despite people in the computer science department and central computing services pointing out that the aging network infrastructure could not support it. When the network went down immediately after activation, they did not admit any mistake and blamed the outage on malicious users. Students who were found using or advertising workarounds (using a virtual machine, user agent spoofing) were disconnected from the network and threatened with criminal lawsuits. Good times were had by all.

    My suggestions are:
    -live off campus, no matter what school you're at (it took UCI 3 months to go from first suggesting such a system to ruining their network)
    -when you need to use the internet, get a connection through a research lab, not a student lab or general network (if research labs have to have this system, leave the school, all the good faculty have already left)

  • by Anonymous Coward on Saturday June 06, 2009 @03:34PM (#28235567)

    That's the polite reason they give for shitlisting Limewire.

    The real reason tends to be that a number of the students manage to get themselves royally fucked with a wall of infections, not once, not twice, but over and over again until someone takes the computer from them, sets it up themselves, and put Limewire in a big ol' shitlist to keep them away from it again, usually.

    This is one I'm not pulling out of my ass: When colleges take up classes, usually the first two weeks of that, I get calls from students who were doing things on Limewire and have screwed up their systems. Two weeks before finals, I get another wave of Limewire-wielding students who have infected themselves. I recognize some of the students as ones I helped. Others, I can see a track history of this by looking at their cases.
    Granted, this trend is slowing down as they start catching on, having lost papers needed for finals a few times, but it still is there.

    On an aside, I'm fairly sure most of these schools have an AUP for connecting to their network that you agreed to when you signed up. If they put it there, and you didn't like it... then why would you be there?

  • Re:No. (Score:2, Interesting)

    by Anonymous Coward on Saturday June 06, 2009 @03:36PM (#28235593)

    My sister goes to Central Michigan, and she got capped after using "too much" bandwidth talking to her boyfriend on Skype, so don't expect to use too much of the bandwidth even if you get around the program.

  • Re:That's insane. (Score:5, Interesting)

    by izomiac ( 815208 ) on Saturday June 06, 2009 @03:51PM (#28235739) Homepage

    Lying about your OS might not work. My university used a similar system and it definitely used OS fingerprinting techniques. I basically was dual-booting Windows and the BeOS and used Linux in a VM. At exact one-week intervals I'd be forced to log in (all outbound traffic blocked, DNS resolved everything to their internal HTTPS server, all HTTP was redirected to a captive portal page, screwing up caching of SSL certificates and DNS in the process of course). The page used the User Agent string to determine whether to show a log-in form or to merely insist you download "Cisco Clean Access". But changing one's User Agent still didn't allow logging in; that's where the OS fingerprinting came into play.

    That was the only part that used fingerprinting though. I found that I could log in from the BeOS or from Linux in a VM, so that's what I always did. Assuming the programmers behind that system are competent, I'd think they've patched that hole by now. People using Cisco Clean Access never saw that page, so I doubt they always got downloads and online games disconnected on weekly intervals. Anyway, I was using a heavily nLited and tweaked version of XP, so I knew it was secured (yes, I double checked with antivirus scans and blackhat tools every now and then), but Cisco Clean Access didn't (it apparently couldn't determine the patch status of some windows component I'd removed). I could log in with another OS and simply reboot to use Windows though. CCA was kinda a pain for normal users as well. My roommate came in with a decently updated Vista machine and basic computer usage skills (he could download and install software easily enough). I timed him, it took him six hours to clear all of CCA's requirements.

    Oh, amusingly enough I complained about the system before it was fully implemented, asking about how they expected game consoles to log in, or how dual-boot users like myself would be affected. The IT person I talked to had no idea about dual-booters, but stated that game consoles weren't allowed on the network because they can't run an antivirus. After I pointed out that it's almost unheard of for such devices to be infected (and a few reasons why), he replied that he'd seen it happen in his personal experience, and provided a link of "such a case" (it was to a security bulletin for law enforcement saying that modded Xboxes might contain hacking tools). I kinda chuckled when I saw the system-wide e-mail a week after implementation saying that policy had been reversed, and that IT would whitelist game console MAC addresses upon request.
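    The two checks described in this thread, seen from the portal operator's side, as an added example (not code from Cisco Clean Access, from CMU, or from any poster): a User-Agent-only exemption of the kind Adam Zweimiller's post says a browser extension defeated, beside a version that also consults a passive TCP fingerprint like the one izomiac ran into. The signature table and the sample clients are constructed for the illustration and stand in for a real signature database.

```python
"""Captive-portal OS check that does not trust the User-Agent alone.

Added example, not code from Cisco Clean Access or from anyone in the thread.
The User-Agent is a header the client sets freely, so a portal that exempts
non-Windows clients from the agent requirement on that header alone can be
talked out of its check.  The hardened version also looks at what the TCP
stack itself reveals (a simplified stand-in for a tool like p0f) and treats a
disagreement as a data point to review, not as an exemption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientObservation:
    """What the portal can see about one client at login time."""
    user_agent: str     # HTTP header; entirely under the client's control
    ip_ttl: int         # IP TTL on the TCP SYN as seen at the gateway
    tcp_window: int     # TCP window size advertised on the SYN


# Claimed OS, derived from the one field the client fully controls.
_UA_PATTERNS = (
    ("windows", re.compile(r"Windows NT \d", re.I)),
    ("mac", re.compile(r"Mac OS X", re.I)),
    ("linux", re.compile(r"Linux", re.I)),
)

# Constructed, simplified passive signatures: (initial TTL, SYN window) -> OS.
# Real stacks vary by version; a production portal would use a maintained
# signature set rather than this three-line table.
_SYN_SIGNATURES = {
    (128, 65535): "windows",   # classic Windows XP defaults
    (64, 5840): "linux",       # Linux 2.6-era default SYN window
    (64, 65535): "mac",        # Mac OS X defaults of the period
}


def claimed_os(user_agent: str) -> str:
    """OS family the client *says* it is."""
    for name, pattern in _UA_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "unknown"


def fingerprinted_os(ip_ttl: int, tcp_window: int) -> str:
    """OS family the TCP/IP stack *looks like*, from the SYN alone."""
    # Round the observed TTL up to the nearest common initial value so a few
    # router hops between client and gateway do not break the lookup.
    initial_ttl = next((t for t in (64, 128, 255) if ip_ttl <= t), 255)
    return _SYN_SIGNATURES.get((initial_ttl, tcp_window), "unknown")


def weak_decision(obs: ClientObservation) -> str:
    """UA-only policy: precisely the check a User-Agent switcher defeats."""
    return "require_agent" if claimed_os(obs.user_agent) == "windows" else "exempt"


def hardened_decision(obs: ClientObservation) -> str:
    """Exempt only when header and stack agree on a non-Windows OS.

    Disagreement (or no usable signal) returns "review": the client is held
    to the agent path and the mismatch is worth logging, since a claimed
    Linux browser on a stack that looks like Windows is exactly the spoof
    described in the thread.
    """
    claimed = claimed_os(obs.user_agent)
    observed = fingerprinted_os(obs.ip_ttl, obs.tcp_window)
    if claimed != observed or claimed == "unknown":
        return "review"
    return "require_agent" if claimed == "windows" else "exempt"


# Constructed sample clients (Firefox 3.0-era User-Agent strings).
_FF_LINUX = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
_FF_XP = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
SAMPLE_CLIENTS = {
    "real_linux": ClientObservation(_FF_LINUX, ip_ttl=63, tcp_window=5840),
    "real_xp": ClientObservation(_FF_XP, ip_ttl=127, tcp_window=65535),
    # Windows XP host whose browser claims to be Linux: header lies, stack does not.
    "xp_spoofing_linux_ua": ClientObservation(_FF_LINUX, ip_ttl=127, tcp_window=65535),
}


def compare_policies() -> dict:
    """Return {client: (UA-only decision, UA+fingerprint decision)}."""
    return {n: (weak_decision(o), hardened_decision(o)) for n, o in SAMPLE_CLIENTS.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare_policies().items():
        print(f"{name:22s} UA-only: {weak:14s} UA+fingerprint: {hard}")
```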

  • Gotta love Slashdot (Score:3, Interesting)

    by Idiot with a gun ( 1081749 ) on Saturday June 06, 2009 @03:54PM (#28235767)

    Look, I'm a ResCon at ResNet, granted at a different university though. We're nice people, and we'll try to accommodate you as best as possible. Want to register Linux? Sure, you won't need to install a CSA. Same for Macs, phones, consoles, printers, routers, etc. The CSA is mostly just to reduce the number of Windows machines getting viruses.

    But, if you walk into my office bitching about our "draconian network policies," I'm going to get annoyed with you, but I'll kindly explain why they're in place (and how I'm not the one that made them). If you grab a PS3 and declare that "You can't install your Nazi CSA program on this!" I'm going to ask you to leave, and contact my boss. If you work with the IT people, and are nice to them, it's easy to maintain your decent level of freedom and privacy (except for piracy, sorry) while at your university. If you make every attempt to sidestep it, abuse the network, and generally come across as a jerk, it's a fast way to get your internet usage permanently rescinded.
  • Run their trojan in WINE, in an account that can't do anything?

  • by Animats ( 122034 ) on Saturday June 06, 2009 @05:25PM (#28236581) Homepage

    The real problem with this is that the University is asking the student to download and run software without properly identifying what it does. That's called "badware" by StopBadware [stopbadware.org], run by the Harvard Law School, Consumers Union, etc. Phrases like "exceeds authorized access" apply. And remember, this is a state school; they face the legal constraints on state actors. For example, the rule that "Most political advocacy is unacceptable" [cmich.edu] is a blatant First Amendment violation as applied to students. Report that to EULA Watch and the ACLU. The ACLU is already dealing with some other suppression of free speech by the CMU administration [aclu.org], so this probably won't surprise them.

    It's not even clear whose Client Security Agent [cmich.edu] they're talking about. There's one from Cisco, one from Bradford, and one from Microsoft. The description mentions that it turns on Microsoft's automated updating. That means all the latest Microsoft security holes (like the one that makes Firefox execute Microsoft .NET content) are opened up.

    Someone compared this to working for a company. It's not. As a student, you're the customer, not an employee. Also, in a corporate setting, if Central IT messes up your desktop machine, Central IT has to fix your desktop machine.

  • Re:Linux (Score:3, Interesting)

    by BaldingByMicrosoft ( 585534 ) on Saturday June 06, 2009 @06:07PM (#28236893)

    Newsflash: It's -their- network. Now, chew on this:

    Say it was -your- responsibility to keep a network running which was used by a bunch of college students who don't know the first thing about maintaining and protecting their PCs. What, in your expert opinion, would be a "well guided" and "well managed" solution?

  • Re:Linux (Score:4, Interesting)

    by Fred Ferrigno ( 122319 ) on Saturday June 06, 2009 @07:50PM (#28237485)

    When they keep out the commercial ISPs so they're the only network available and when their classes require network access, I'm a little less concerned about their rights to their network. If they're going to force you to eat their dog food, they at least have to make it palatable.

    I don't know why universities bother providing network access if it's sooo hard to maintain. Comcast, AT&T, etc. handle the off-campus students just fine without any of that crap. It's not like their job is any easier or their customers are any smarter.

    If I were running the network at a university, I'd leave the dorms to the commercial providers and let them compete for business. In the labs have the students use university PCs which are locked down as needed. For wireless, you offer a "clean" network that requires CCA or whatever and a guest network that is on the other side of the firewall and throttled.

  • by Jah-Wren Ryel ( 80510 ) on Saturday June 06, 2009 @08:32PM (#28237767)

    Let's just hope that this tool only monitors files on his computer and communicates them to the base. It could also monitor some other stuff, like names of hardware equipment, such as VMWARE CD-ROM DRIVE or whatever.

    Pretty much any of that can be configured out of the VM in one way or another. Worst case he can use Xen which, being open source, can be completely modified to report anything.

    Or it may insist on talking directly to its network. Or it may actually be responsible for authenticating the detected MAC address.

    Not a problem. MAC addresses are fully programmable and the virtual NIC maps directly to the physical NIC - i.e. it hands packets directly to the physical NIC, fully formed, and vice versa. I'm doing something very similar at home right now - running pfSense in a VMware machine on a Windows XP host as my internet firewall. I disabled all of XP's IP protocols on the WAN NIC so that the pfSense firewall runs the entire show on that physical NIC.

  • Re:No. (Score:3, Interesting)

    by moosesocks ( 264553 ) on Saturday June 06, 2009 @09:12PM (#28238045) Homepage

    Every honor code I've ever heard of has been used as a tool for a college to rid itself of students that it deems undesirable. In my experience, enforcement of these codes varies enormously. Recently, the University of Virginia came under fire for using its honor code to expel students for seemingly trivial offenses.

    Honor codes are great in theory, although the ones I've seen put far too much power in the hands of far too few.

  • by walshy007 ( 906710 ) on Saturday June 06, 2009 @09:16PM (#28238075)

    To be fair, I've been a Linux user for over a decade, and upon returning to uni one of the first programming courses I had was .NET with Microsoft everywhere. So I set up a development environment with MonoDevelop and Mono.

    Development has been rather painless so far, at least for CLI programs, and the resulting binaries run with the .NET framework as well as Mono, on Linux, Windows and Mac.

    The moment I no longer need to use c# I'll instantly go back to c++ and c coding. Even in instances where your uni 'makes' you use microsoft stuff, linux is so flexible nowadays that there is almost always some way to do it in linux without them being any the wiser.

  • Other solutions? (Score:3, Interesting)

    by mu51c10rd ( 187182 ) on Saturday June 06, 2009 @11:07PM (#28238677)

    Considering the many posts saying the CSA is a bad idea, it raises a question. Given that students get their Windows machines infected with every virus, trojan, and rootkit imaginable, how else should IT departments handle it? In the corporate world, it seems easier. However, a network of user-controlled machines sounds like an administrative nightmare. For those who think the CSA is a bad idea, what are your alternatives?

  • by MacColossus ( 932054 ) on Saturday June 06, 2009 @11:39PM (#28238841) Journal

    I work in the IT department of a college. We started implementing more network security after Blaster and Welchia on student machines brought down the entire campus network. We segregated the dorm to a different physical network from the academic network. We bought antivirus for every student so they would no longer have a reason not to have it. Turned off cross talk between ports on the student side so they wouldn't infect each other over the network. On the academic side we do require Cisco Clean Access Agent to use the campus wireless to access intranet resources. It checks to see if antivirus is installed and relatively up to date. It also checks for OS security patches. If you don't want to install the Clean Access Agent, you don't have to. We provide guest access for those that don't. They however have access to no intranet resources and are limited to 256k. We don't scan for files, we don't do key logging. The only way I see illegal filesharing is when they are on the same subnet as me and I happen to have iTunes open. Limewire, Frostwire and several other leet virus vectors that students run use multicast DNS (Bonjour) to broadcast "susie jo's limewire tunes" which shows up under Shared in iTunes. Only when an idiot insists upon broadcasting and sticking this in my face do I open a multicast DNS browser to get the IP. I then go into the Cisco Clean Access Manager to see who has that IP address (Cisco is tied into our directory services.) I then go to their Facebook profile which is always wide open and call the cell number they have posted there publicly and politely request they discontinue the activity pursuant to the campus network policy as published in the student handbook. In the very rare circumstance they actually were smart enough to not leave Facebook open to the world I send them a polite email.
  • by Craig Ringer ( 302899 ) on Sunday June 07, 2009 @12:49AM (#28239149) Homepage Journal

    It'd be nice to just run the agent in a VM and isolate your real system that way, but it wouldn't work because they'll almost certainly be filtering by MAC address.

    What you _CAN_ do is run the agent on the physical host with a minimal OS install, and then put everything else in a VM. Have the VM connect through the real host using NAT, so it has the same MAC address as the real host. The network won't know the difference.

  • by sowth ( 748135 ) on Sunday June 07, 2009 @04:20AM (#28239855) Journal

    "Everyone needs a college education" is a scam created by the baby boomers. They use higher and higher education / experience requirements so they can lock out the next generations from the workforce. The previous generation, they used an "overqualified" scam as an excuse to not hire older people. They also used any excuse to fire / lay off the older people to scam them out of pensions. After the bailout scam, there may not be any higher paying jobs anyway.

    Be practical. Don't bother going to college unless:

    • you are already set up with a specific company when you graduate, and you are sure you want this career path. Preferably you will already have a deal to be a paid intern while you are taking classes. The company may even pay your way if you do it right.
    • You are using your education to learn how to run your own business and you already have an idea what kind of business you will run and have a good idea how you will be funded.

    Otherwise you are just going to end up with huge loans to pay off while you end up flipping burgers for the rest of your life. Have fun barely surviving, while if you didn't go on to higher education, you'd at least be able to take care of yourself and maybe save some money.

    Have a real plan people. Figure out what you want to do before you go on to "higher" education. Be sure going to school will fit your goal and you will get a higher paying job, which is the real reason to go to school, not some abstract notion of being "educated" and "well rounded" or following in someone's footsteps. If you want to educate yourself, read books, try things out yourself. It is much cheaper.

  • by bootup ( 1220024 ) on Sunday June 07, 2009 @09:49AM (#28240971)

    This is why you should venture out into the real world sometimes and do what is demanded to the extent you can't avoid it, and all the while, not avoiding it, bitch and moan until they fix it. I bitched for 3 years about my computer science program's requirement that students take a course in Visual Basic. That was only a core requirement for one of the two 'tracks' or sets of core courses, depending on which track you were in. The choice was software development or information technology. Both CS degrees. Anyway, point is, after pointing out how hypocritical it was to require a course in Visual Basic when professors were saying that the difference between a university and a tech school was that a tech school taught tools and a university teaches concepts (clearly VB is a tool, not a concept), before I left they dropped VB as a core requirement of the IT track. I didn't win every battle, but 1/10 still makes the world a better place.
  • by cynyr ( 703126 ) on Sunday June 07, 2009 @11:48AM (#28241629)

    Does Cisco Clean Access work on BSD/Linux/Mac OS X/an ARM device/my smartphone with wifi/etc.? If not, what is the policy about those devices? This has always been my problem with things like Cisco Clean Access. If I have a perfectly good AV system that Clean Access doesn't know about, then I get reported as not having up-to-date AV software and I have to jump through hoops to get it added, or I'm told to take it off and install the copy that the school used my money to buy for me. GL with all the ARM netbooks that are supposed to be coming out in the ~$200 range. I bet Clean Access doesn't run on ARM Ubuntu. I remember when my uni (Northern Michigan University) had all sorts of problems when the iPhone came out; it took down parts of our wireless network. Also I remember the policy that the helpdesk would help get any device connected to the network. This was made fun by the Wii: it needs to get to nintendo.com as part of the setup, and registering a game machine required that it be connected to the network. IDK how many times I swapped MAC addresses to the Wii's and then had people register the Wii as a computer.
