Slashdot Mirror


Packet Filter On University Network

sachsmachine explains: "I'm a student at a major university where the network admins are thinking of moving to a packet filtering system, one that would block non-university computers from connecting to machines on the student subnets. There will be a meeting to discuss the proposal on Tuesday, but to be fully prepared going in, I'd like to be sure what impacts the move would have. Some of the things that might be broken (depending on what ports get left open) are pretty clear -- remote logins of various sorts, file sharing, Web sharing, instant messaging, Napster and everything else P2P -- but are there any important/unusual/cool/academically useful applications whose ports we should lobby to protect?" By the nature of university (and corporate) rule making, once a policy is in place, it's much harder to dislodge or amend than it might be beforehand. Steve has listed a fair number of applications which could be tossed out by this; how would you suggest saving university bandwidth without losing them all? How would you convince a skeptical audience that remote access is not all of a piece?

16 of 36 comments

  1. Public University by davidu · · Score: 2

    If it is a public university, point out the stance Michigan and Wisconsin (Madison) have taken:

    Both have said that as public universities, they will not filter content, and if they need more bandwidth, then they will get it. (I assume, to a point)

    At my private university, the student government has a major role in the network (or can if it wants to) -- so if the suit behind the admins is making poor choices that aren't what the student body wants, chances aren't that slim that said suit will be looking for work. Our school actually passed a resolution to the effect that nothing can be done to the network which inhibits students' ability to use the internet just as if they were using an ISP (since the university is our ISP) -- since then, many of the filters and packet shapers have disappeared almost completely.

    -Davidu

    --

    # Hack the planet, it's important.
  2. Re:Remember FTP! by mlc · · Score: 2
    Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

    Certainly there are useful reasons. For example, I've got PHP and MySQL on my personal machine, whereas the standard university servers that I have access to do not. I was thus able to develop and demo a web application for a volunteer cause, show it to them, and make changes before obtaining the permanent box (outside of the university) that it'll run on.
    --
    // mlc, user 16290

  3. Many cases the University is justified by bawheid · · Score: 2
    This is always a tricky one. I work as an admin in an engineering department of a British university. Much of the stem of these problems is due to the fact that when people have "unlimited" access to the network, they tend to use it in ways that stress the network to the limit, or go beyond the terms of acceptable use. One showcase in point occurred recently within our department, when two PCs in one room were accounting for one quarter of the whole University bandwidth!! Needless to say, the work was not academic - PlayStation CD images and MP3s. Several abuses of the kind have resulted in a set of new guidelines being introduced, which go as far as to say that machines should not be networked unless absolutely necessary, and that students are not allowed to admin machines any more.

    I don't know what the case is for American Universities, but nowadays in Britain, the Unis are coming under tighter and tighter financial restraints. Many universities probably don't mind too much about people using the available bandwidth in moderation, but these kinds of abuses of the privilege (and it is a privilege to use the Uni network for non-academic purposes) make it impossible to justify why free access should be given when there is no (financial) need for it - especially when cash-constricted departments are having to bear the cost of non-academic browsing, without having money available to pay for it - which was less of a problem in the older days, when money was flowing more freely within the universities, and general network usage was lower...

    Try to understand the awkward position that many of these universities are in, in this respect. Often, it is not necessarily the desire to curtail the usage of the network out of badness that is the problem, but external influences such as cost and protecting themselves from prosecution, which the Universities don't have the resources to meet.

  4. Conference and IP-by-phone by Stavr0 · · Score: 2

    I would deem those as essential services. A reasonable case can be built that students need NetMeeting to communicate with family members as an alternative to long distance telephone. This is especially important to foreign students who simply cannot afford the dollar/min or more to reach South America, Eastern Europe or Asia.
    Real life example: My brother's GF is Peruvian and regularly uses ICQ and NetMeeting to keep in touch with Lima from Canada. We spent 90 min on the webcam last New Year's Eve; something impossible with a telephone. I dare not think how much that would've cost in LD charges.
    ---

    1. Re:Conference and IP-by-phone by jmaslak · · Score: 2

      The University won't consider these essential services if the University runs the dorm's telephone service (and, thus, makes a cut off of the long distance)...

  5. Three problems by coyote-san · · Score: 2
    There are three problems with this argument:

    • The students can still obtain bandwidth at a private ISP, just like all other citizens. Even if the students can't use the dorm phone lines to connect to their private ISP (common in university-run phone systems), they can almost certainly still telnet/passive ftp into it via their broadband access.
    • Suppression of ALL political speech is generally considered more acceptable than suppression of SOME political speech, since there's no risk of favoritism. Students do have alternatives to their campus-run ISP.
    • The student's community, to a large extent, is the university itself. It sounds like this policy will still allow dorm-room servers to be set up, but they will only be visible from within the university.

    The university's actions will certainly impose a modest burden on the student's political speech, but it doesn't seem to be an unreasonable one.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  6. You're probably stuck by orev · · Score: 2

    Depending on how they set things up, it probably won't affect most things that are deemed "what normal people should do". ICQ and AIM will work fine, except generally for file transfers. You might also have trouble with voice-IP apps. Other than that, there are answers to most of the arguments that can be made, mostly, "you should be using university managed machines for that."

    What it will do is shut down most of the pirates, which is probably why they're doing it, and Napster.

    Most universities pay discounted rates for their net connections, but some of the stipulations are that it only be used for educational purposes, and maybe a bandwidth limit. Lots of incoming traffic to the student net most likely means stuff is going on that shouldn't be.

    Probably your only real argument will be simply that in a university environment, you shouldn't restrict stuff because of free expression, blah blah blah... oh, and "once you do this, where does it end?"

  7. Re:Remember FTP! by shippo · · Score: 2
    Yes, remember FTP.

    Four or five years ago the current employer decided to sell firewalls. They put one in place at work to test it out, and caused all FTP access from a browser to be broken for at least 3 months, made worse by our major supplier using FTP URLs in their call logging system. (To download a file we had to browse the web source and manually grab the file by a command-line FTP client which worked via the other method).

    The team responsible for selling these firewalls never managed to fix it. In the end one of my colleagues got hold of the firewall password and fixed it in a few seconds. I think this team only managed to sell 3, and all of them cancelled the support contract within 6 months.

  8. Easy answer by autocracy · · Score: 2

    I am almost certain that the school's reason for doing this is bandwidth related. In order to let students do what they want and keep the network running smoothly, use prioritization. University run systems are true-firewalled, while student machines are DMZed and are lower priority than University machines. See QoS/fair (unfair!) queuing.

    The problem with capped Karma is it only goes down...

    --
    SIG: HUP
  9. Re:Arguing for services by raju1kabir · · Score: 2

    Everywhere I've seen (granted that comes to about 10 universities total) students are required to fill out a form acknowledging not to do anything particularly bad before they can plug in. This could be handled when they're picking their login ID (and if your school doesn't let people pick their own login IDs either, well, I guess we have nothing further to talk about. Hmph.).

    In any case, it could be done online with - get this - electronic forms. Cost pretty much approaches zero. The list of who goes where can be fed by a web app into the DHCP server. Likewise they get automatically dumped onto the mailing list. A machine runs nessus against the machines in the no-filter pool, dumps the results to a $9/hr work study student, who sifts through and picks out the ones with lots of red, which are handed to a $12/hr student consultant. This is a dirt-cheap project.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  10. Re:Arguing for services by raju1kabir · · Score: 2
    Well, first I would like to applaud the university for doing something, anything to help protect their students and departments. They might not be going about it exactly the right way, but they're trying.

    If they were trying to protect students, there would be a space on the dorm ethernet sign-up form that said:

    Would you like your system to be protected by our campus firewall? This will help prevent outsiders from breaking into your computer, but may also prevent you from running certain types of servers in your room. Students who answer "no" will be required to provide an email address that will be subscribed to our mailing list of vulnerabilities, and to repair these promptly. There will be spot checks of your computer systems using remote security analysis software, and if it is found that you have failed to address vulnerabilities or apply fixes as required, you will forfeit your connection for the remainder of the school year.

    Student machines would be tossed into one of two address pools depending on their answer.

    All they're trying to protect are their own behinds and budgets, at the expense of the students' learning environment.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  11. Remember FTP! by jmaslak · · Score: 3

    Outgoing FTP (connecting to an off-site server) causes the FTP server to initiate a connection back to you.

    While it is true that many firewalls have logic to allow this, simple packet filters do not and cannot - you have to allow anything with a SOURCE port of 20 to connect to ANY high-numbered port. But, this argument against packet filters only works if they really are using a packet filter - and not some sort of smart firewall.

    As far as a university denying connections, make sure that there is some way to gain exceptions to this policy, just in case there are academic reasons for doing something down the road. For instance, they could require a proposal signed off by a department head, which indicates the academic value of opening the port and what precautions you are taking against abuse.

    Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

    Find out what their reasons for doing this are. Are they trying to reduce a security threat? Or is it really bandwidth? Make sure your argument addresses their - legitimate - concerns.

    1. Re:Remember FTP! by raju1kabir · · Score: 4
      Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

      I couldn't disagree more. Almost all of the current crop of gifted internet technicians (at least those that I'm aware of) learned their stuff by running servers in their college dorm rooms. Throwing static HTML up on a central web server isn't even the same ball game.

      I would furthermore suggest that any university that imposes restrictions such as those mooted in this article is not serious about providing residence hall internet access as an academic resource, and is instead doing it for one of three reasons:

      • They think it's "the thing to do"; all the schools are doing it
      • It's cheaper than providing sufficient public terminals for web browsing in the library (don't get me started on web "research")
      • They see it as a competitive factor in drawing students (like a fancy lobby and nice donuts in the campus information building)

      Sure there's abuse. So throw on some rate limiters. What's far more important is the amazing collaborative learning that takes place in this environment; students with no technological ability learning from others how to become content providers and participants in the internet information space just like huge corporations (CNN, Amazon, etc). It's empowering, it's educational, it's a crucial step toward preparing students for the real digital world past the campus gates.

      As an undergrad, I attended a university with a strong technological focus and a solid commitment to exposing students to IT (U of Michigan). When I look at my classmates, and compare them to less fortunate students at other schools, the difference is shocking. My fellow alumni are totally comfortable with email, with the web, with their computers, with the changes in the world around them. Ten years later I went to grad school at a university with basically no on-campus technology (Yale; though they have finally wired most of the dorms at least). Ten years later, with all this technology supposedly so much more pervasive, and the students at Yale don't have anywhere near the comfort with it. They're intimidated by computers, and just as important, they're BAD at using them.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
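The active-FTP problem jmaslak raises above, as an added example (not code from the thread or any product): a stateless filter has to open source port 20 to every high port on the student net, so a connection that merely claims source port 20 passes, whereas a stateful filter with a simplified FTP helper admits only the data connection the student's own client announced with a PORT command. The subnet prefix, addresses and PORT line are constructed.

```python
"""Stateless vs. stateful handling of active-mode FTP data connections.
Added illustration, not code from the thread; the student subnet, hosts and
packets are constructed, and the FTP helper is a simplified model of what a
stateful firewall's helper does, not any specific product's code."""
from dataclasses import dataclass
from typing import Set, Tuple

STUDENT_NET = "10.20."  # constructed: address prefix of the student subnets

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a new-connection attempt (TCP SYN)

def stateless_allows(p: Packet) -> bool:
    """Plain packet filter: judges each packet alone, with no memory.
    To let active FTP work it must accept any SYN from source port 20 to any
    high port on the student net, so anyone who sets source port 20 gets in."""
    if not p.dst.startswith(STUDENT_NET):
        return True  # outbound traffic is not the subject of this rule set
    if p.syn:
        return p.sport == 20 and p.dport > 1023
    return True  # non-SYN packets are assumed to belong to existing flows

def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode a client's 'PORT h1,h2,h3,h4,p1,p2' line: the address and port
    the FTP server is being asked to connect back to (port = p1*256 + p2)."""
    fields = [int(x) for x in line.partition(" ")[2].split(",")]
    if len(fields) != 6 or not all(0 <= x <= 255 for x in fields):
        raise ValueError("malformed PORT command")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

class StatefulFilter:
    """Firewall with an FTP helper: it only admits a port-20 SYN that matches
    a data connection the student's client announced on its port-21 session."""

    def __init__(self) -> None:
        self.expected: Set[Tuple[str, str, int]] = set()  # (server, client, port)

    def observe_control_line(self, server: str, line: str) -> None:
        """Call for each client->server line seen on an established port-21 session."""
        if line.upper().startswith("PORT "):
            client, port = parse_port_command(line)
            self.expected.add((server, client, port))

    def allows(self, p: Packet) -> bool:
        if not p.dst.startswith(STUDENT_NET) or not p.syn:
            return True
        key = (p.src, p.dst, p.dport)
        if p.sport == 20 and key in self.expected:
            self.expected.discard(key)  # an expectation is single-use
            return True
        return False
```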
  12. Arguing for services by Lish · · Score: 3
    Well, first I would like to applaud the university for doing something, anything to help protect their students and departments. They might not be going about it exactly the right way, but they're trying.

    To make an assessment of how you should approach them, you need to know what their motivation is for doing the packet filtering. Is it for security? Is it to limit bandwidth consumption for nonacademic purposes? Is it to stop piracy? Knowing their reasons will help you make your arguments for allowing those services you want.

    Now, if it's being done for security reasons, you'll have to argue that the services you want to keep open don't provide a security threat. Maybe get some statistics on number of attacks that utilize the different ports you're after.

    If piracy (software, music, whatever) is their reason, you'd want to demonstrate the academic uses for what they're trying to block. In this case you're probably SOL on Napster, but you might get FTP to fly. The only "academic" use I can think of for Napster is a Music Performance major who makes his personal works/performances available through Napster. Show the legit uses for the medium.

    Bandwidth consumption is a sticky issue. You'll again have to show an academic need for the service, but also that it does not consume an unacceptable amount of bandwidth. Maybe get some logging statistics for the network, find out what protocols are hogging the network; are the problems being caused by only a few people? There are better ways to control bandwidth use than wholesale blocking incoming packets.

    As for "what ports to keep open," the easiest thing to do is survey the students on what network programs they use. It's easier to argue that X should be open because lots of students use it than that some obscure program with limited value to the community should be kept open.

    It's really not so important what ports are open now as that there is a means of petitioning for ports to be opened in the future. That will allow you to make changes as new programs are developed using new ports.

    Good luck, I hope they consider your case well.

    --
    "This message is composed of 100% recycled electrons."
  13. If All Else Fails, Be Creative by BigDogKelly · · Score: 3

    Being a fellow college student who spends most of his time doing computer stuff (yes I am guilty of being a CS major), I share your fears. I didn't like it when they blocked Napster; unfortunately they had a good reason: bandwidth. We tried going to the Admins but were denied. Luckily, being the good CS geeks that we are, we found ways around it.

    When you go before the Admin group at school, have your battle plan laid out. Know your strong points and be able to defend your weak points. Be sure to bring friends who share your concerns. If your teachers agree with you, bring them along too. The bigger your group and, more importantly, the better your arguments are, the better off you look to those in charge. If they see that you are not alone they will be more likely to deal fairly with you. Even if your solid, logical approach at this meeting fails, get creative. If the packet filter gets installed, experiment with different ways of getting around it. Now, I am in NO way promoting the idea of doing any type of damage to it or even causing more work for the admins, but see if there are certain things the filter misses. When you find that out you may be able to use it to your advantage. Just remember, try the system first (it may actually work) but there are always other ways.

    --
    -Life is a Journey, --Not a Guided Tour! ---Trust me, I've already looked for the guide book.
  14. Make your case with legit reasons by Patman · · Score: 4

    The worst thing you can do in an academic setting is imply that you are using the network connection for anything other than direct academic uses. SSH/telnet ports should be easy to keep open. Explain that you're using them for remote access to email or whatever. Many students put up personal webpages for their job search - resumes, downloadable snippets of code, etc. Point out that that will be gone. Pick your battles, though. You may not win on http, but shoot for ftp, or vice versa. Don't throw down over Napster or the like, because from an academic standpoint, there is not much use.

    Good luck!