Slashdot Mirror


Packet Filter On University Network

sachsmachine explains: "I'm a student at a major university where the network admins are thinking of moving to a packet filtering system, one that would block non-university computers from connecting to machines on the student subnets. There will be a meeting to discuss the proposal on Tuesday, but to be fully prepared going in, I'd like to be sure what impacts the move would have. Some of the things that might be broken (depending on what ports get left open) are pretty clear -- remote logins of various sorts, file sharing, Web sharing, instant messaging, Napster and everything else P2P -- but are there any important/unusual/cool/academically useful applications whose ports we should lobby to protect?" By the nature of university (and corporate) rule making, once a policy is in place, it's much harder to dislodge or amend than it might be beforehand. Steve has listed a fair number of applications which could be tossed out by this; how would you suggest saving university bandwidth without losing them all? How would you convince a skeptical audience that remote access is not all of a piece?

5 of 36 comments

  1. Remember FTP! by jmaslak · Score: 3

    Outgoing FTP (connecting to an off-site server) causes the FTP server to initiate a connection back to you.

    While it is true that many firewalls have logic to allow this, simple packet filters do not and can not - you have to allow anything with a SOURCE port of 20 to connect to ANY high numbered port. But, this argument against packet filters only works if they really are using a packet filter - and not some sort of smart firewall.

    As far as a university denying connections, make sure that there is some way to gain exceptions to this policy, just in case there are academic reasons for doing something down the road. For instance, they could require a proposal signed off by a department head, which indicates the academic value of opening the port and what precautions you are taking against abuse.

    Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

    Find out what their reasons for doing this are. Are they trying to reduce a security threat? Or is it really bandwidth? Make sure your argument addresses their - legitimate - concerns.
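    To make the FTP point above concrete, here is an added example (not code from the post or from any real filter) that models in Python the "allow any source port 20 to any high port" rule a stateless filter needs for active-mode FTP, beside a stateful variant that only admits data connections from servers the student host has itself contacted; all addresses, ports and the subnet prefix are constructed sample values.

```python
from dataclasses import dataclass

STUDENT_NET = "10.1."  # constructed sample student subnet prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def stateless_allow(pkt: Packet) -> bool:
    """Plain packet filter with no connection memory: drop inbound traffic
    to the student subnet except the hole active-mode FTP needs, which is
    anything from source port 20 to a high port (the rule the post describes)."""
    if not pkt.dst.startswith(STUDENT_NET):
        return True  # only traffic inbound to the student subnet is filtered here
    return pkt.sport == 20 and pkt.dport > 1023

class StatefulFilter:
    """Filter that remembers which off-site servers a student host opened an
    FTP control session (port 21) to, and admits port-20 data connections
    only from those servers, and only back to that host."""
    def __init__(self) -> None:
        self.expected = set()  # (server, student_host) pairs seen on port 21

    def outbound(self, pkt: Packet) -> None:
        if pkt.src.startswith(STUDENT_NET) and pkt.dport == 21:
            self.expected.add((pkt.dst, pkt.src))

    def inbound_allow(self, pkt: Packet) -> bool:
        if not pkt.dst.startswith(STUDENT_NET):
            return True
        return (pkt.sport == 20 and pkt.dport > 1023
                and (pkt.src, pkt.dst) in self.expected)

def demo() -> dict:
    # Constructed addresses: a student host, the FTP server it chose, and an
    # unrelated host whose connection merely happens to come from port 20.
    student, ftp_server, other = "10.1.2.3", "198.51.100.7", "203.0.113.9"
    ftp_data = Packet(ftp_server, 20, student, 40001)
    unrelated = Packet(other, 20, student, 40002)
    sf = StatefulFilter()
    sf.outbound(Packet(student, 40000, ftp_server, 21))  # student's control session
    return {
        "stateless_ftp": stateless_allow(ftp_data),          # True: FTP works
        "stateless_unrelated": stateless_allow(unrelated),   # True: the hole is open to all
        "stateful_ftp": sf.inbound_allow(ftp_data),          # True: expected server
        "stateful_unrelated": sf.inbound_allow(unrelated),   # False: never contacted
    }
```

The stateless rule admits the unrelated host as readily as the real FTP server, which is the trade-off the post is pointing at; the stateful version closes that gap at the cost of tracking the control session.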

    1. Re:Remember FTP! by raju1kabir · Score: 4
      Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

      I couldn't disagree more. Almost all of the current crop of gifted internet technicians (at least those that I'm aware of) learned their stuff by running servers in their college dorm rooms. Throwing static HTML up on a central web server isn't even the same ball game.

      I would furthermore suggest that any university that imposes restrictions such as those mooted in this article is not serious about providing residence hall internet access as an academic resource, and is instead doing it for one of three reasons:

      • They think it's "the thing to do"; all the schools are doing it
      • It's cheaper than providing sufficient public terminals for web browsing in the library (don't get me started on web "research")
      • They see it as a competitive factor in drawing students (like a fancy lobby and nice donuts in the campus information building)

      Sure there's abuse. So throw on some rate limiters. What's far more important is the amazing collaborative learning that takes place in this environment; students with no technological ability learning from others how to become content providers and participants in the internet information space just like huge corporations (CNN, Amazon, etc). It's empowering, it's educational, it's a crucial step toward preparing students for the real digital world past the campus gates.

      As an undergrad, I attended a university with a strong technological focus and a solid commitment to exposing students to IT (U of Michigan). When I look at my classmates, and compare them to less fortunate students at other schools, the difference is shocking. My fellow alumni are totally comfortable with email, with the web, with their computers, with the changes in the world around them. Ten years later I went to grad school at a university with basically no on-campus technology (Yale; though they have finally wired most of the dorms at least). Ten years later, with all this technology supposedly so much more pervasive, and the students at Yale don't have anywhere near the comfort with it. They're intimidated by computers, and just as important, they're BAD at using them.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  2. Arguing for services by Lish · Score: 3
    Well, first I would like to applaud the university for doing something, anything to help protect their students and departments. They might not be going about it exactly the right way, but they're trying.

    To make an assessment of how you should approach them, you need to know what their motivation is for doing the packet filtering. Is it for security? Is it to limit bandwidth consumption for nonacademic purposes? Is it to stop piracy? Knowing their reasons will help you make your arguments for allowing those services you want.

    Now, if it's being done for security reasons, you'll have to argue that the services you want to keep open don't provide a security threat. Maybe get some statistics on number of attacks that utilize the different ports you're after.

    If piracy (software, music, whatever) is their reason, you'd want to demonstrate the academic uses for what they're trying to block. In this case you're probably SOL on Napster, but you might get FTP to fly. The only "academic" use I can think of for Napster is a Music Performance major who makes his personal works/performances available through Napster. Show the legit uses for the medium.

    Bandwidth consumption is a sticky issue. You'll again have to show an academic need for the service, but also that it does not consume an unacceptable amount of bandwidth. Maybe get some logging statistics for the network, find out what protocols are hogging the network; are the problems being caused by only a few people? There are better ways to control bandwidth use than wholesale blocking incoming packets.

    As for "what ports to keep open," the easiest thing to do is survey the students on what network programs they use. It's easier to argue that X should be open because lots of students use it than some obscure program with limited value to the community from keeping it open.

    It's really not so important what ports are open now as that there is a means of petitioning for ports to be opened in the future. That will allow you to make changes as new programs are developed using new ports.

    Good luck, I hope they consider your case well.

    --
    "This message is composed of 100% recycled electrons."
  3. If All Else Fails, Be Creative by BigDogKelly · Score: 3

    Being a fellow college student who spends most of his time doing computer stuff (yes I am guilty of being a CS major), I share your fears. I didn't like it when they blocked Napster - unfortunately they had a good reason - bandwidth. We tried going to the Admins but were denied. Luckily, being the good CS geeks that we are, we found ways around it.

    When you go before the Admin group at school, have your battle plan laid out. Know your strong points and be able to defend your weak points. Be sure to bring friends who share your concerns. If your teachers agree with you, bring them along too. The bigger your group and, more importantly, the better your arguments are, the better off you look to those in charge. If they see that you are not alone they will be more likely to deal fairly with you. Even if your solid, logical approach at this meeting fails, get creative. If the packet filter gets installed, experiment with different ways of getting around it. Now, I am in NO way promoting the idea of doing any type of damage to it or even causing more work for the admins, but see if there are certain things the filter misses. When you find that out you may be able to use it to your advantage. Just remember, try the system first (it may actually work) but there are always other ways.

    --
    -Life is a Journey, --Not a Guided Tour! ---Trust me, I've already looked for the guide book.
  4. Make your case with legit reasons by Patman · Score: 4

    The worst thing you can do in an academic setting is imply that you are using the network connection for anything other than direct academic uses. SSH/telnet ports should be easy to keep open. Explain that you're using them for remote access to email or whatever. Many students put up personal webpages for their job search - resumes, downloadable snippets of code, etc. Point out that that will be gone. Pick your battles, though. You may not win on http, but shoot for ftp, or vice versa. Don't throw down over Napster or the like, because from an academic standpoint, there is not much use.

    Good luck!