Slashdot Mirror
P2P Programs on K-12 Networks?
deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up, the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is neccesary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot to be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"
I am not a big user of the P2P programs, but my first guess would be to figure out which ports are being used by common P2P programs, and then throttle them down to 0.5kbps. The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly. :^)
As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.
--Robert
Simple,
You just put in a new firewall that doesn't support such things. Technical limitation, wink wink.
In other words, lock them behind an http only proxy, or whatever other proxies they really need. You aren't a general use ISP.
If they complain, tell them it's impossible to change, due to some complex technical matter. Just mention TCP header length and TTL and their eyes will glaze over as they nod slowly.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
You've got problems with p2p users and virus idiots? Just block all the relevant p2p ports and blame it on a computer virus. Then sit back and watch the two groups destroy each other.
Hold a meeting with your staff, and explain to them the dangers, liabilities and your other various points. Explain it so THEY will understand what you are talking about, without talking DOWN to them. If they are responsible adults, they will understand and should comply somewhat if not entirely.
I always believe that it is easiest to reason with people before going behind their backs with rules, policies, etc. Once you have an understanding established, then apply some rules and policies, with the backing of the staff.
Beyond that if they won't work with you, then block the common file sharing ports or throttle the bandwidth to their workstations! That will always work!
I find that most often I end up learning from necessity, rather than for enjoyment.
Find out if your town or county has any kind of acceptable use policy. They probably do. Or, if your school receives state funding, perhaps there is an acceptable use policy at the state level. In short, follow the money and then check for policies.
I'm sure you'll find that what these teachers are doing is not acceptable. Put up a firewall, do what you need to do so that P2P software doesn't work, and when they come and complain point to the policy that defines acceptable use.
Whatever you do, enforce across the board! Don't just block the few teachers that are the problem, block the whole network. That's the best way to stay out of trouble.
My Karma was at 49, then they switched to words. All that work for nothing!
Use a FreeBSD gateway machine with DUMMYNET. FreeBSD can be configured so that it: a) doesn't have to replace the existing firewall; and b) is invisible so it doesn't show up on traceroutes. This is so that clueful users are not tipped off in a way that lets them complain like pornhounds on a free NNTP service. DUMMYNET will let you set up bandwidth policies based on (groups of) IPs, ports, and more. Client subnets can have full bandwidth on port 80, but the gateway can shut them down to 28.8 on the P2P ports. The possibilities are really open in a situation like this, and any junk computer can be used.
When I was a kid, we only had one Darth.
Yeah, right. You must not do much work in schools. A policy is nothing unless you have a way to enforce it and penalties when it isn't followed. Teachers for some reason just can't resist downloading Gator and Bonzai Buddy for some reason.
To the guy in the story,
The first thing you need to do is to write a letter to whoever is directly above you and request that it be forwarded on to administration. Outline your concerns, explain any legal liabilities the school may have, cite lost man hours (translated into $$$) and instructional time caused by what's going on, and be sure to give a way (or ways) the problems can be addressed. If you don't include a potential resolution, then all you will have accomplished is that everyone knows about the problem. If the right people don't get it after you've followed the chain of command, submit it to the school board.
The technical side of this is the easy bit. Get the political support you need from the top and then start to implement. But be sure to do your homework before you start screaming. It'll pay off in the end.
I have worked as a consultant to quite a few K12 IT Directors who were in the same situation that you are in. This path usually works. However, some school districts want their teachers to be able to do whatever they want. If that's the District's opinion, and you can't just pack up and go elsewhere, make sure to do a good job of CYA.
Good luck!
.
load "linux",8,1
As Manager of Technology for a K-12 school division, I can tell you how we do it. First of all, your system should have an Acceptable Use Policy (AUP). Students and parents should receive a copy of it each year during registration. Ours is included in the Parent/Student Handbook. All students who use the Internet must have a signed form from their parents granting privileges. Ours includes language that states that Internet access is for educational use only! Even though it isn't strictly enforced (we do allow entertainment sites for example), that language is there to back us up on content and P2P decisions.
Since students and teachers use the same network and computers, all are subject to the same policies and filters. We transparent proxy all requests to port 80 and 554 through iPrisms which filter and then pass the request on to a Squid proxy that generally runs at about a 40% hit ratio. All other Internet traffic passes through our Cisco firewall which performs NAT based on an access list. That access list denies NAT for all the popular instant messaging and P2P applications. Since all computer addresses are private, no NAT means no access. Instant messaging is blocked after an incident where a bomb threat came in that was untraceable according to AOL. P2P filtering is obvious due to copyright violations and bandwidth usage. It is interesting to watch the hits on our access lists from P2P apps that are denied. Kazaa seems to be the most popular, we block several million Kazaa packets each week.
That's how we do it, if you have any questions, let me know.
Jason
"FORMAT C:" - Kills bugs dead!
Well I can speak from experience that becoming a teacher is no easy task. My wife was an "education major" as you like to call it, and the list of classes she had to take was quite impressive. She was taking classes on foreign cultures, philosophy, mid-to-high level math, literature, environmental studies, child development, etc... My classload of 6 CS courses was weak compared to her schedule. And that's just to get the BA degree.
Then it's off to at least another year to get the credential (though since we live in California it's currently not required, but for the sake of the argument, go with me...) That program involves supervised and unsupervised time in a classroom, preparing and presenting lessons, and dealing with whatever age-level class you're in while trying to teach children who, for the most part, just want to go out and play. I've known several people who went through the entire program only to wash out in the classroom. Imagine devoting years of your life to an unpopular, low-paid career only to find out you can't cut it. People become teachers because they want to. People become IT drones because of the pay.
How good are you at keeping the attention of a room full of 1st or 2nd grade kids? If you're like most readers here you're probably working in an office somewhere and dealing with people who, for the most part, know how to do their jobs at least minimally. You can communicate with them on the same level. And you spend most of your time in an 8-foot-square cubical interacting with a machine that will do whatever you tell it to do (unless you're running WinME). Not exactly a rough existence, eh? Now imagine yourself in a room with 30 PCs, each with a different OS/CPU/GUI, and someone has broken into each machine and is installing and removing programs and drivers at random while you're trying to share a printer to each machine. You can't just yank the network and power cords. Wanna come to work today?
I will admit that "liberal studies" is kind of a fall-back major, but becoming and being a teacher in this country is not easy. I come to work every day and have no fear that a co-worker will pull out a gun and shoot me. I get paid well for the work that I do, and I don't consider it to be difficult work. But in the end, the work I do is inconsequential compared to what teachers do. Sure, there are some teachers who just don't care anymore, but wouldn't you get burned out if you can droves of people shooting down your profession after you've given years of yourself to it?
When I introduce you to my wife, go ahead and speak very slowly and in short little words. I'll be smiling as she plows your little brain into the ground.
Obviously, you've never worked in a school enviroment before. I'm guessing you're corporate, but a much smaller level (even Fortune 500's have more politics than your work). Small but growing regional business? Anyways, let me get back on topic.
I briefly worked on a smallscale rollout project for a major (top 50 in population) city school system. There were ongoing political issues at the the superintendent level, unrelated to our technical problems, but likely to affect everyone's job one way or another. But virus problems were becoming impossible to deal with, so they moved the date forward for another rollout project, and added a Norton AV procedure.
Let me tell you, even the smoothest Windows rollout project sucks, they are never interesting no matter what. You never learn much, but when times are tight like they have been...
Well, the firm I usually deal with, calls up with this job, and they tell me 5-7 months of steady work. Those in the know, know that this means at best 3-5 months of less than 40 hours per week, but that was figured into my equations. They make it out that this is as simple as it gets, just me and another fellow, to make it last longer, and spread out the cost for the school system (Don't these places have an annual budget?!? Don't ask me...). No problem. Only after awhile, does it become apparent that this guy was only barely competent to begin with.
Well, this tech firm (which will remain nameless, they've sued ex-employees before over such) put the new sales rep on the school. That was bad. When the school says they just want the 2 grunts, and want to use one of their admins for the project manager, he agrees. Doesn't even diplomatically suggest different. He meets with her several times, still doesn't suggest otherwise. She was, unfortunately, a total ditz that apparently passed a CNE bootcamp course a few years back. But if her technical competency was horrible, then her management skills were absolutely abysmal. This had disaster written all over it, right from the beginning.
Well, you remember how I said that it was a rollout already planned? Well, the bulk of it was for some Novell Netware software, zenworks client, a few other things that I never actually learned of. Well, the ditz CNE's boss (also a woman, hate to be sexist but...) was having a power lunch with the VAR who was pushing the nw software. And she signed the deal, I think this was for at least $90,000... only this particular software only works with NT. There was no netware equivalent. 100 grand, gone like that. I don't know what was worse, that she would buy software that she obviously had no clue about, or that there is a VAR out there that sleezy.
I go into the briefing, just the tech firm, no client people there. I ask, time and again, was this tested, was that... "Yes, everything has been tested thoroughly, we expect you to be able to do the installs 20 minutes tops, per station". We start the next week, at City Hall (the admin offices are the top 3 floors). It's a total mess. The dumbass CNE/admin decides that first morning, that she would like us to do an inventory at the same time. Hands us some copies of paperwork, standard SN, asset #, etc. We're talking close to 25,000 machines throughout the school district (though not all are in scope for this rollout, maybe only half that). What does she think, that it means anything on paper? Is she gonna do data entry herself, when we turn these in? Or is she just trying to sabotage us even more?
In the administrative offices, there is a mixture of Win95a/win95b/win98/NT4/win2k. Wide variety of machines, including some new ones being installed by school technicians. The new ones are compaq... but they have no contract with compaq at all. I'm guessing Compaq salespeople somehow knew what a mess it was, and wanted nothing to do with it. We are given nothing at all like real procedure documentation... I could write docs better than this. A single page. 1. The grammar was awful, and it basically said install this software. We ended up discovering for ourselves just what options were needed. In the offices, close to 1 in 3 machines broke badly when installing the software, even after we figured out the correct options. Bloated registries, version dll soup, user installed software, all kinds of different things. We were spending up to 2 hours per machine, and the one week at city hall turns into 3. The sales rep lets us know the client is a little bit upset, and can't understand what the problem is.
Well, we move on to the first school. God, it was horrible, when I was in school, there were 3 Apple IIe's in the science room, for a month (They got switched out to another school in the county after that). In this school, there were no less 14 computer labs, all with 20+ machines. Every other room had at least 1 and sometimes 2 machines. 95% pII +. What did they teach these kids? Well, they taught them to be secretaries and other minimum wage type things. Any number of incredibly cool things to be teaching them, but no, just word processing, maybe spreadsheets (though I could never confirm that one).
We get there, and no one has even heard there will be any work done on the computers. 2 days to straighten that out. We can do work now, but only after 2pm (but the doors lock at 4pm, have to be out by then). Most of the labs lock all the keyboards up, and no one has a key (apparently they get vandalized or stolen). Lose another 3 days there. We get permission from individual teachers to do this, before 2pm. But code red alerts happen at least twice per day. This is when even though the bell rings, and its time for a new class, the kids all have to stay in the current one. The teacher locks the door, and the sherrif and deputies go through the halls grabbing all the dope dealers. Code red's never happen at a set time, so we end up missing a progress meeting with the ditz CNE. That was bad.
Then, most of the lab machines are win95b, but haven't been reinstalled in over 4 years. Registries bloated so badly, that maybe only 15 out of 25 machines in any given lab are usable (and they've been like that for months, since the school techs refuse to support any machine not in the administrative offices). Of the 15, roughly 5 will have one set of win95 lockdown software on them, another 5 will have a different lockdown software, and 2 will have a third lockdown app. The rest have none. No one remembers or ever knew the passwords. When we do manage to disable it, if we can, it takes forever to learn just how to make it behave. But once our software install is complete, the machines become more unstable than anything I have EVER seen before. We end up rendering an entire lab unusable. We call up the ditz, she says if they still boot, proceed. They do boot up (most of the time), so we end up doing every lab in the school. We end up rendering all of them unusable. Complaints fly all over the place.
The sales rep arranges an emergency meeting with the ditz, her boss, and us. Plus another engineer from our firm, whom I question even his competency. We explain everything, including how this could only be expected when absolutely no testing was done beforehand. We explain that win95 is completely unsuitable, but even more so, when it isn't pristine (which is unbelievably generous, these had NEVER been reinstalled) you'll see these sorts of problems. We explain that the lockdown software is part of the problem, but not all of it. So they decide that the other tech will go work on another project, and that I and the engineer will go see if there is any salvaging it. We manage to go back to one of the labs we'd done. 2 hours there were enough to convince him (I winced at first, the first machine he turned on had almost no probelms). Every machine would BSOD. It would do the windows partial freezes, the buzzing mouse, all your favorite win95 problems. Some of the machines died at bootup, conflicts with the lockout software. He agrees that we can't go on as we had.
So, we make a proposal to spend a few weeks building install images and doing testing. We'll install 95 back on them, since that's all there is for licenses, but it will be pristine, each machine will have an identical image build. We'll standardize on one lockdown app, with documented passwords, etc.
Offer rejected. Too much embarrassment, I think that we made it clear that we had a clue, and all along knew how retarded they were. Also had a little bit to do with their strict no reinstall policy (I'm not making that up). Seems that at least 3 other dept's had claims on certain machines/labs, donations and what not. And their was enough inter-departmental rivalry, that IT wouldn't reinstall OS's, mostly because each dept wanted the same apps installed that were on the machines when donated. Which is utterly ridiculous, since M$ office was all that was ever used.
I got 6 week's worth of paychecks out of it. For trashing an entire school's worth of computers. Which, as far as I know, are still not functioning. Not that anyone cares. I do in a way, but have zero control over any of it. Makes me sick that my tax dollars pay for it.
Solution for the original slashdt asker:
Find another job in a non-k12 setting.
Nothing can fix your situation. You may be the only one there qualified to teach anything having to do with computers, and you are not a teacher. The computers are a waste of tax dollars in their current capacity, and are only ever used for the most outrageous abuses. The shit will hit the fan, though maybe not for awhile yet, and you do not want to be there when it does.