Solution For College's Bad Network Policy?

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

That's insane.

[KingSkippus]

Dude, I don't know what to say, that's insane. The only suggestion I have is to either not use the Internet on your personal computer or find another university to go to. sigh... Looks like along with all the other stuff that determines what school a kid goes to, we're going to have to add "how screwed up is your Internet access policy?" to the list.

Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!

Looks to me like a clear-cut case of some overzealous IT goob forgotting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.

As a practical matter, you could just call up their IT department and tell them that you have a Linux box, even if you have Windows, and that your machine doesn't run their "Client Security Agent." Whatever they tell you to do to get on the network, just do that on your Windows machine and be done with it. If they tell you that it can't be done, seriously. Go somewhere else. If this university is that stupid, you shouldn't particularly want a diploma from there anyway.

If you do call them up and ask about Macs and Linux machines, let us know what they say.

Re:That's insane.

[Idiot+with+a+gun]

I'm a tech support (ResNet, CMU has it too) at a different university that has a similar "Client Security Agent." I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire). If anyone fails these, they are instructed to uninstall limewire, update anti-virus, whatever, and rescan. We don't prosecute based off of any data, but it's more of a prevention system to avoid any DMCA notices.

That being said, this is for windows only. Mac and Linux are only single time scans (for what, I do not know), and after that your MAC is white listed with your ID. The beauty is that once registered, it's MAC specific, not OS. I should note that our provider is promising a Client Security Agent for Mac soon, but I doubt a Linux one is coming.

Re:That's insane.

[Idiot+with+a+gun]

Poor decision. Once you register as windows, it'll check every 2 weeks for a CSA scan. If you install windows, register, then switch OS's, in two weeks it'll go "Hey! You're a windows box, where is your CSA?" and drop you off the network.

Mod Parent Up Please! :)

[gavron]

Run Linux. That's the answer. The silly Windows agent won't run on it, and your files can even be protected through filesystem encryption, and safe from magically being shared with spyware writers, botnet managers, and spam sources.

E

Re:Mod Parent Up Please! :)

[binarylarry]

Yep and you could run windows in a virtual machine with NAT setup and the client installed. That way, they'd get to scan "your machine" but wouldn't be able to access anything on the Linux side.

Re:Mod Parent Up Please! :)

[solafide]

Last time I experienced this sort of stupidity, the program was a proxy/filter, and the solution to Linux was 'Windows/Macs only on campus.' Best of luck.

I had the same problem

[Xocet_00]

We were required to have a "Cisco Clean Access Agent" installed on our machines. There were two options available for me, and I ended up going with the second.

1) The clean access agent only actually requires that you "authenticate" as clean to the network about once every two weeks. I installed a copy of Windows on a small partition at the end of my drive, put the clean access agent on it and authenticated myself. Whenever I was "cut off" from the network, I would reboot into the other (isolated) Windows partition (make sure your actual in-use partitions aren't mounted), do a scan to regain access and then reboot again. Worked reasonably well.

2) Because our network was so slow, I eventually decided that it wasn't worth the trouble. In the residence I was in the phones were provided by the local phone company and the cable was provided by the local cable company. It was a bit of a grey area regarding the policies in place in the residence, but I was able to have cable internet installed directly into my room. Perhaps you can do the same?

Re:My Solution

[lorenlal]

McAfee? Wow.

I happen to do a little work for a local in a town that some of us are familiar with. She happens to be involved with the local university who also uses McAfee as their supported antivirus solution. I got called in a panic by this person because her system was crazy infected. It turned out that the infection disabled the McAfee framework service (which can't be started in safe mode) and totally owned her laptop.

The reason? The updates stopped working. I opted to put AVG free on there asked her to try it out, and if she wanted to we could look into purchasing the more complete suite if she wanted.

Point of the story? I'm rather upset that CMU, or other schools would *force* a particular AV solution. I'm more upset that they force down one that has, IMHO, a critical flaw in design. Namely, you can't update, install, or uninstall the scanner in safe mode (yes, safe mode with networking). It just sets up too easily for a massive infection. Fortunately, the policy of the University I mentioned earlier did not have restrictions on AV, so this was still acceptable.

I don't know what deal McAfee has with pretty much everyone that provides AV to "non-commercial" users... but I find it terrible, resource intensive, and just too easy to knock out.

Waaah.

[Idiot+with+a+gun]

Look, I'm a fan of net freedom just like you. But let's be honest here. It is the university's network, even if you are semi-footing the bill, and they get to decide network policy rules. It's mostly for prevention, if their students are constantly getting DMCA notices, the university might get into trouble. So of course they block limewire, not like it has a legitimate use anyways. If there's a massive outbreak of viruses on their network, their tech supports (people like me) have to clean up, so of course we force students to have up to date antivirus software, and up to date operating systems, its the method of prevention available.

Simply put, their network, their rules. When you're paying, you can decide the rules you follow, and deal with the consequences if you break some other major rules (laws). If you don't like their rules, complain to them, or go elsewhere. Not like you're forced to stay. Attempting to side-step the rules (especially publicly on slashdot, you know someone in the IT department at your university reads this site) is a very bad plan. Unless if you happen to be a random genius at network security (and if you're asking us, you aren't), you will not outsmart your school's IT department. This isn't high school anymore, where renaming forbidden .exe's, or simple .bat scripts would bypass the network policies.

Re:Linux

[prestomation]

My university(Ohio State), tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.

Turns out, a couple weeks in and they completely dropped the policy.

On a related note: Some how, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your mac address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.

Re:That's STILL insane.

[Anubis+IV]

At least at my university (about 45K students), they get around the privilege vs. requirement thing by providing ample labs that anyone can use with all of the software that is necessary for your classes. As a result, access to a network connection from your dorm room IS considered a privilege and it CAN be revoked at any time since the university is still providing you with all of the resources you need in order to complete your classes. Granted, they may not be nearly as convenient, but they're what you need.

So, I would argue that they do, in fact, have every right to require it of you. You're using their network in a way that they don't have explicit control over, when they are providing you otherwise with the necessary resources for your classes. Sounds like a privilege to me, and if you want to use it, you need to play by their rules. Not that I personally like that idea, of course, but it's what I see as being the reality of the situation.

Also, at least at my school, the CSA came into place very shortly after one of those major worm outbreaks in 2002 or 2003. I remember hearing that around 95% of the network traffic was being generated by the worm, and that the entire university was basically suffering the effects of a DoS attack for the better part of a month since very few of the students' PCs were protected by proper AV and anti-malware software at that time. From then on, practicality alone dictated that they forced the students to install AV software and that they routinely ensure that it's still there.

Re:Don't use their network?

Most schools have similar software in place, Tipically, Cisco Clean Access: http://www.google.com/search?q=clean+access+inurl%3Aedu

When I was in the dorms at my school, a guy maintained an InstallVise installer, which contained the proper registry keys to change window's MTU, and
a greasemoney script which spoofed firefox's user agent and platform, so windows machines looked to be running linux.

After seeing someone with a similar solution get kicked out of another school, being published on slashdot, and knowledge that my school's IT dept was searching
for the maintainer, he stopped.

Clean Access now uses a java jar, for the linux platform. If your school's client has something similar in place for linux users, I suggest that you find a Computer Science student,
and ask them to decompile the jar, using the DJ Java Decompiler, and create a greasemoney script that uses a similar method of generating a session key. You'd also probably need
the special registry keys, which can be found in the source code for sec_cloak.c, which you should be able to find on google.

Hope I could help.

Re:Linux

[wstrucke]

My university(Ohio State), tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.

As an IT employee at Ohio State, I can assure you that there is more of this in the pipeline since it's mandated by the Board of Trustees.

I can't see comparing what is going on at OSU with what the OP reports at CMU -- Ohio State's efforts to lock down the network and restricted data are quite comprehensive and IT staff, like you, are concerned that it's done properly. Mac/Linux support is on the way -- most vendors do not support it so it's quite difficult for the University to support it. The scanners they run on your computer are not there to look at your personal files, track down copyright infringement, or anything else you might be worried about -- they simply look for OS/software patches and run an anti-virus/malware scan. If you don't run the scan with the agent, you will not have any network access. If you take some of the suggestions here and bypass the security agent, you are violating the AUP and, if caught, could face academic misconduct charges.

I can assure you that the University's IT office is underfunded enough that even if they wanted to go out of their way to scan your computer for anything else (they do not), they would not be able to.

On a related note: Some how, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your mac address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.

This isn't magic -- they run typical network vulnerability scanners and block you if a virus or bot responds from your IP. DHCP and switch info tells them your mac address.

2 computer solution... the better one

[tanveer1979]

Get a dirt cheap obsolete laptop. This will connect you to the college network. Install their application on it.
Then just enable internet connection sharing, and connect your good laptop. Simple!

If they are into packet sniffing, just use ssh tunnel for the traffic

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Solution For College's Bad Network Policy?

[Jah-Wren+Ryel]

Maybe VMware Thinapp in Sandbox mode?

Or just give them a full-blown VM with an installation of XP and nothing else.
Set up the physical network interface so that only the VM uses it, and use virtual interfaces to route from the host OS to the VM and then out to the network.
You can run a NAT firewall (XP's connection sharing might be good enough) on the VM.

If you are feeling ultra-paranoid you could install typical applications in there too, like MS Office, etc. So if they look at everything on the VM it will look like a regular college-kid computer, but unless they are really smart they will never know that the "real" computer is just using the VM to NAT out to their network.