Slashdot Mirror

← Back to Stories (view on slashdot.org)

Solution For College's Bad Network Policy?

Posted by timothy on from the must-be-monoculture-compatible dept.

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

7 of 699 comments (clear)

  1. Linux by Timmmm · · Score: 5, Interesting

    Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.

  2. Use a VM by Anonymous Coward · · Score: 5, Interesting

    If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.

  3. My Solution by Adam+Zweimiller · · Score: 5, Interesting

    When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (mcafee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Mac's and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to login 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is setup the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.

    --
    mmm...muffins
  4. You're not as interesting as you think you are by Anonymous Coward · · Score: 5, Interesting

    I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.

    So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.

    You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.

  5. Re:No. by finalfrog · · Score: 5, Interesting

    My college doesn't require us to install anything to access the network. Of course that's mainly for two reasons: 1. If you're going to Harvey Mudd, you probably have mastered the basics and possibly several of the upper reaches of computer and internet security and those who haven't usually learn fast from their peers that do. 2. Honor Code. This is actually one of the basic tenets of Mudd, not just of computer usage, and it basically means "Use common sense and when that fails report yourself." It sounds crazy I know. You'd think it'd cause a breakdown of justice and total anarchy because no one would obey the rules which might very well happen on many larger campuses. But when you consider the kind of people that attend Mudd and its small size, it actually works darn well. Hell, it's worked for over 50 years and Mudd still turns out incredibly bright students either in spite of or because of the Honor Code depending on your view point. People actually do report themselves when they cause problems and there is a student run judiciary board for those who don't which runs quite efficiently. All in all, the policy causes less stress and anxiety for both the administration and the students than invasive strategies like the one described in the article.

  6. Re:That's insane. by izomiac · · Score: 5, Interesting

    Lying about your OS might not work. My university used a similar system and it definitely used OS fingerprinting techniques. I basically was dual-booting Windows and the BeOS and used Linux in a VM. In exact, one week intervals I'd be forced to log in (all outbound traffic blocked, DNS resolved everything to their internal HTTPS server, all HTTP was redirected to a captive portal page, screwing up caching of SSL certificates and DNS in the process of course). The page used the User Agent string to determine whether to show a log-in form or to merely insist you download "Cisco Clean Access". But, changing one's User Agent still didn't allow logging in, that's where the OS fingerprinting came into play.

    That was the only part that used fingerprinting though. I found that I could log in from the BeOS or from Linux in a VM, so that's what I always did. Assuming the programmers behind that system are competent, I'd think they've patched that hole by now. People using Cisco Clean Access never saw that page, so I doubt they always got downloads and online games disconnected on weekly intervals. Anyway, I was using a heavily nLited and tweaked version of XP, so I knew it was secured (yes, I double checked with antivirus scans and blackhat tools every now and then), but Cisco Clean Access didn't (it apparently couldn't determine the patch status of some windows component I'd removed). I could log in with another OS and simply reboot to use Windows though. CCA was kinda a pain for normal users as well. My roommate came in with a decently updated Vista machine and basic computer usage skills (he could download and install software easily enough). I timed him, it took him six hours to clear all of CCA's requirements.

    Oh, amusingly enough I complained about the system before it was fully implemented, asking about how they expected game consoles to log in, or how dual-boot users like myself would be affected. The IT person I talked to had no idea about dual-booters, but stated that game consoles weren't allowed on the network because they can't run an antivirus. After I pointed out that it's almost unheard of for such devices to be infected (and a few reasons why), he replied that he'd seen it happen in his personal experience, and provided a link of "such a case" (it was to a security bulletin for law enforcement saying that modded Xboxes might contain hacking tools). I kinda chuckled when I saw the system-wide e-mail a week after implementation saying that policy had been reversed, and that IT would whitelist game console MAC addresses upon request.

  7. Re:Solution For College's Bad Network Policy? by MacColossus · · Score: 5, Interesting

    I work in the IT department of a college. We started implementing more network security after blaster and welchia on student machines brought down the entire campus network. We segregated the dorm to a different physical network from the academic network. We bought antivirus for every student so they would no longer have a reason not to have it. Turned off cross talk between ports on the student side so they wouldn't infect each other over the network. On the Academic side we do require Cisco Clean Access agent to use the campus wireless to access intranet resources. It checks to see if Antivirus is installed and relatively up to date. It also checks for OS security patches. If you don't want to install the Clean Access agent, you don't have to. We provide guest access for those that don't. They however have access to no intranet resources and are limited to 256k. We don't scan for files, we don't do key logging. The only way I see illegal filesharing is when they are on the same subnet as me and I happen to have Itunes open. Limewire, Frostwire and several other leet virus vectors that students run use multicast dns (bon jour) to broadcast "susie jo's limewire tunes" which shows up under shared in Itunes. Only when an idiot insists upon broadcasting and sticking this in my face do I open a multicast dns browser to get the IP. I then go into the Cisco Clean Access Manager to see who has that ip address (Cisco is tied into our directory services.) I then go to their Facebook profile which is always wide open and call the cell number they have posted there publicly and politely request they discontinue the activity pursuant to the campus network policy as published in the student handbook. In the very rare circumstance they actually were smart enough to not leave Facebook open to the world I send them a polite email.