Slashdot Mirror
P2P Programs on K-12 Networks?
deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up, the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is neccesary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot to be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"
Set up a web proxy. Firewall off everything else. Only allow port 80 traffic from workstations. It will kill off all the bandwidth eating crap, but still allow use of the internet for school.
Michael Loves Me!
I am not a big user of the P2P programs, but my first guess would be to figure out which ports are being used by common P2P programs, and then throttle them down to 0.5kbps. The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly. :^)
As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.
--Robert
Simple,
You just put in a new firewall that doesn't support such things. Technical limitation, wink wink.
In other words, lock them behind an http only proxy, or whatever other proxies they really need. You aren't a general use ISP.
If they complain, tell them it's impossible to change, due to some complex technical matter. Just mention TCP header length and TTL and their eyes will glaze over as they nod slowly.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Hold a meeting with your staff, and explain to them the dangers, liabilities and your other various points. Explain it so THEY will understand what you are talking about, without talking DOWN to them. If they are responsible adults, they will understand and should comply somewhat if not entirely.
I always believe that it is easiest to reason with people before going behind their backs with rules, policies, etc. Once you have an understanding established, then apply some rules and policies, with the backing of the staff.
Beyond that if they won't work with you, then block the common file sharing ports or throttle the bandwidth to their workstations! That will always work!
I find that most often I end up learning from necessity, rather than for enjoyment.
Find out if your town or county has any kind of acceptable use policy. They probably do. Or, if your school receives state funding, perhaps there is an acceptable use policy at the state level. In short, follow the money and then check for policies.
I'm sure you'll find that what these teachers are doing is not acceptable. Put up a firewall, do what you need to do so that P2P software doesn't work, and when they come and complain point to the policy that defines acceptable use.
Whatever you do, enforce across the board! Don't just block the few teachers that are the problem, block the whole network. That's the best way to stay out of trouble.
My Karma was at 49, then they switched to words. All that work for nothing!
Well, if you can't pen policy, you can create paranoia in order to create harmony. In you case, big brother is watching. You might not be able tell people to stop, but you can pen a friendly letter explaining the legalities, liabilities, oh, and that you have the technology to log and track all internet traffic going on the network.
A little paranoia goes a long way. And as an added benfit those you don't have to stick up for anything because you're not changing policy at all. You are "executing the due diligence required by law".
Let's see... you have no policy, you can't get one, you can't just cut people off....
You could make the P2P stuff run so slow as to be useless... or you could send your own trojans that will erase the drives of the problem users...or you could send them porn, and get them fired...(oh, and don't get caught doing any of the above.)
Or, perhaps you're just screwed because you're trying to enforce rules where you have no authority to do so. I'm not neccessarily saying you shouldn't have the authority... just that you clearly don't, and any attempt to enforce your idea of policy is bound to cause you trouble. You time is probably best spent figuring out how to get a policy.
You're in a school, this is would be one of the BEST environment to educate the people about all of these issues. You'll say that some people won't give a rat, but that's like in society in general, if people don't give a rat and anarchy reigns, stronger measure needs to be taken.
:) ) , and it put the user in a situation where he would have to go look his manager to ask to waste time leeching (which he will obviously won't do :) ) and I get no heat. Dunno up to what it could extend since where I work most people are reasonable and mature, and school isn't the same environment, but then again, it's a suggestion and I'm sure a lot of people here will have many more.
I might have gotten something wrong but if you're managing the network, usually it falls within your responsibilities to make sure to implement EVERYTHING (including some policy, or at least submitting them) for the proper operation of the network, which includes both load balancing, security and legality (to a certain extent, at least proving that you thought about it and implemented it to a certain level won't hurt).
Now if we tell you to cut down trees for a paper company and we hand you a kitchen knife, you'll say "you're crazy", well same goes with being an admin, if you're ADMIN and you can't do zit, it's a big issue. If it was a mess before you arrived, probably that the organization was a mess in the first place, I'd document everything, put up a structure of the network and who's responsible for what, limit the number of people that have "power" over the administration because as we all know, the more admins on a box, the more potential problems. So you have to do your part, be professionnal, use people's experience and be opened to suggestion, but at the same time, document every problem, and don't always go to your supervisor saying all of the problems, he's probably already familiar with them, for every problem, bring in a solution or two with arguments and documented facts (and normally supervisors like having a choice and feel like they did the work so... use that to your advantage).
As for the P2P application, I've fixed the problem at work, I've putted QoS and 1-2K/s on the total bandwidth, it's transparent "it's still working so I didn't do anything" and when those dead weights would come and see me "well probably its not optimized for our network structure and I have enough work to do, if this is a priority, go see your manager or big boss". It's politically correct since you didn't block the port and the user has no idea on what's really going on (unless reading slashdot
Good luck.
--- Metamoderating abusive downgraders since my 300th post.
First thing to do is ask them if they were happy with the level of support they had before. Since you are claiming that some goofballs messed things up, it's best to start with the goofballs and try to define what they did and didn't do right. I wouldn't expect most K-12 institutions to have a good network security policy in place.
In order to get one defined, you need to start talking to administrators. Find out which services they desire to provide and which they don't. Point out that most security and network use policies these days start by defining what you are allowed to do and blocking the rest of the traffic. Put out an request to the staff that they give you a list of applications that they use for purposes of education and then get a group together to review that list. If something strikes you as questionable, ask the person to justify it.
You'll also, more than likely, want to get a list put together of officially supported software and a procedure for getting a piece of software onto the officially supported list. This keeps people from coming to you and saying "I can't download files with Morpheus" because you can just say "Is it on this list? No? Then not my problem." Part of the process of getting something on that list might be a written justification of why it should be there, and for comercial software proof of license.
You don't want to be the only one makeing decisions. You should get a committee together. You'll want an administrator and a staff member on the committee. Decisions about what will and will not be supported will be made by the committee. You need these people because they understand the classroom, that's not your job.
If it comes to it, you might want to take a look at your job description. Figure out what parts of your job you can do, and which parts will need a more defined policy to enable you to do your job properly. This is important -- if your job description says "support educational activities requireing network access and use of the internet," whacking traffic that doesn't fall into those categories is clearly a part of your job as it increases bandwidth availability for educational purposes. When somebody complains, you need something you can point to for the purpose of defending your actions.
Start at the top, schedule some meetings with administrators and express your concerns to them. Most school administrators are reasonable people and when you explain that these things are necessary for a smooth running system they'll understand. Also, most school administrators are scared sh*tless of the words "potential lawsuit", don't be afraid to use it.
This is exactly the kind of mentality that continues to harm the IT Industry workers more than it helps. Depending on the lack of education of our user bases to provide a cover for our collective bad attitudes, grudges, and lies is no answer.
Explaining these things reasonably to users without making them feel like your hating on them is perhaps a better solution. Tell them it's illegal, sometimes they just don't know. If they don't care, as has been pointed out prior to my posting they have no basis to argue with you if/when you block the ports. But tell them it's happening before you do it, or right after you do.
If somebody above you tells you to open the ports or allow the illegal activities to continue, explain to them what kind of ethical, not to mention legal issues they are bringing onto you.
I have at previous jobs had my employers sign written up and sometimes notarized documents saying that it was their decision and their action allowing the illegal activities to continue. (After I said no they got somebody else to do it against my recommendation.)
And one question: Do you like or need this job so badly that you can't explain to them your points of view without fear of losing it?
--- "Remember, there's a difference between bowing down and bending over." -Frank Zappa
Yeah, right. You must not do much work in schools. A policy is nothing unless you have a way to enforce it and penalties when it isn't followed. Teachers for some reason just can't resist downloading Gator and Bonzai Buddy for some reason.
To the guy in the story,
The first thing you need to do is to write a letter to whoever is directly above you and request that it be forwarded on to administration. Outline your concerns, explain any legal liabilities the school may have, cite lost man hours (translated into $$$) and instructional time caused by what's going on, and be sure to give a way (or ways) the problems can be addressed. If you don't include a potential resolution, then all you will have accomplished is that everyone knows about the problem. If the right people don't get it after you've followed the chain of command, submit it to the school board.
The technical side of this is the easy bit. Get the political support you need from the top and then start to implement. But be sure to do your homework before you start screaming. It'll pay off in the end.
I have worked as a consultant to quite a few K12 IT Directors who were in the same situation that you are in. This path usually works. However, some school districts want their teachers to be able to do whatever they want. If that's the District's opinion, and you can't just pack up and go elsewhere, make sure to do a good job of CYA.
Good luck!
.
load "linux",8,1
Frankly, anyone who says that you should be scretly throttling the P2P ports is giving you bad advice. You are paid to give a service to the school - which is to provide IT services.
Part of that, as you have capably done, is identifying areas that need improvement or fixing (such as the P2P problem you mentioned). Your position doesn't entitle you to be judge jury and executioner though!
If illegal downloads are a problem, then you need to talk to the head of the school. You need to explain the legal and financial risk of allowing these downloads to continue. You need to highlight the the financial and bandwidth cost that the downloads are incurring etc etc. If the head of the school says, 'Yes, we agree. Do something to fix it' Well you just got your policy and you have carte blanche to fix it - ie block ports or whatever.
If the head of the school says, 'No, I don't want you to do anything'. Then don't. It's not your problem anymore. The head of the school has just accepted responsibility for any related issues that will occur from this continued use of P2P.
You shouldn't be doing underhand sneaky tech tricks to get the results you want on a problem that is more political in nature than technical. Doing so will mean you get out of your depth and fired.
Well I can speak from experience that becoming a teacher is no easy task. My wife was an "education major" as you like to call it, and the list of classes she had to take was quite impressive. She was taking classes on foreign cultures, philosophy, mid-to-high level math, literature, environmental studies, child development, etc... My classload of 6 CS courses was weak compared to her schedule. And that's just to get the BA degree.
Then it's off to at least another year to get the credential (though since we live in California it's currently not required, but for the sake of the argument, go with me...) That program involves supervised and unsupervised time in a classroom, preparing and presenting lessons, and dealing with whatever age-level class you're in while trying to teach children who, for the most part, just want to go out and play. I've known several people who went through the entire program only to wash out in the classroom. Imagine devoting years of your life to an unpopular, low-paid career only to find out you can't cut it. People become teachers because they want to. People become IT drones because of the pay.
How good are you at keeping the attention of a room full of 1st or 2nd grade kids? If you're like most readers here you're probably working in an office somewhere and dealing with people who, for the most part, know how to do their jobs at least minimally. You can communicate with them on the same level. And you spend most of your time in an 8-foot-square cubical interacting with a machine that will do whatever you tell it to do (unless you're running WinME). Not exactly a rough existence, eh? Now imagine yourself in a room with 30 PCs, each with a different OS/CPU/GUI, and someone has broken into each machine and is installing and removing programs and drivers at random while you're trying to share a printer to each machine. You can't just yank the network and power cords. Wanna come to work today?
I will admit that "liberal studies" is kind of a fall-back major, but becoming and being a teacher in this country is not easy. I come to work every day and have no fear that a co-worker will pull out a gun and shoot me. I get paid well for the work that I do, and I don't consider it to be difficult work. But in the end, the work I do is inconsequential compared to what teachers do. Sure, there are some teachers who just don't care anymore, but wouldn't you get burned out if you can droves of people shooting down your profession after you've given years of yourself to it?
When I introduce you to my wife, go ahead and speak very slowly and in short little words. I'll be smiling as she plows your little brain into the ground.
Your best bet is probably to just act without concent from those above you. Most of the time asking clueless authority figures to take a stance on specific policy is a bad idea. If you tell someone "P2P filesharing is bad" they will extend it to absurd levels of stupidity. You are the administrator, do your job as such.
A good idea is something like dummynet between your internal network and your router. You can throttle bandwidth or add queues (simulates lag) to specific services over your network according to IP addresses or service ports. You can force an even bandwidth distribution between all the hosts connecting through port 80 but throttle back the speed of anything coming through other ports. You don'y necessarily have to block file sharing requests but you can keep them from dominating your network. Once you remove the incentive for people to use P2P services on the school's network they will knock it off.
I'm a loner Dottie, a Rebel.
Just install webcams pointing at every single monitor in the building, all displaying on your own console in a dark room behind a one-way mirror. When you spot any pr0n or other undesirable usage, just put on some cool shades and walk up to the luser's box, right in his face. Put on some gloves and snip the PC's power cord with cable cutters while saying "Access Denied" through a portable voice morpher.
Then punch the living shiznit out of the fuckin' unrespectful perv.
-Billco, Fnarg.com
I suggest you ignore all the advice to do something behind everyone's back and then lie about it. If you get caught once in a lie, everyone views you as a liar. This is tactially unsuccessful, quite aside from moral issues.
You really ought to set up a good firewall and Squid proxy server, though. That's just common sense; you don't want people hacking in to the school, and when a whole class hits a web site, you want 1 person to load the cache and 29 people to read the cache (not 30 people pulling down the web page from the site). That will give you a good position if and when you do get the authority to set a policy: instead of saying "Don't do X", you make it very difficult to do X. It's better to make it hard to do the wrong thing, than to try to punish those who do the wrong thing.
You could suggest a really strong firewall, with only specific ports opened, and require a request in writing to open any other ports. Like someone else suggested, you could write up a proposal for what you want, and see if you can get someone above you to say "go ahead and do that".
If your superiors require you to let the teachers continue to run riot, just get a good paper trail going: get your orders from above in writing, document in writing all the time you have to spend running around putting out fires. When it's time for your performance review, pull out the paperwork and say that you have been doing the job they ordered you to do; you don't want them to give you a poor performance rating because you didn't get much else done while you were running around putting out fires.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely