Solution For College's Bad Network Policy?

DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."

Solution For College's Bad Network Policy?

[John+Hasler]

A different college.

Re:Solution For College's Bad Network Policy?

Set up a VPN server using OpenVPN on a remote site and then run the OpenVPN client on your PC. All traffic will then be encrypted on the college network.

Using a virtual machine and TrueCrypt can also save you from additional headaches.

This assumes that you at least have sufficient rights on the client PC.

Re:Solution For College's Bad Network Policy?

[MacColossus]

I work in the IT department of a college. We started implementing more network security after blaster and welchia on student machines brought down the entire campus network. We segregated the dorm to a different physical network from the academic network. We bought antivirus for every student so they would no longer have a reason not to have it. Turned off cross talk between ports on the student side so they wouldn't infect each other over the network. On the Academic side we do require Cisco Clean Access agent to use the campus wireless to access intranet resources. It checks to see if Antivirus is installed and relatively up to date. It also checks for OS security patches. If you don't want to install the Clean Access agent, you don't have to. We provide guest access for those that don't. They however have access to no intranet resources and are limited to 256k. We don't scan for files, we don't do key logging. The only way I see illegal filesharing is when they are on the same subnet as me and I happen to have Itunes open. Limewire, Frostwire and several other leet virus vectors that students run use multicast dns (bon jour) to broadcast "susie jo's limewire tunes" which shows up under shared in Itunes. Only when an idiot insists upon broadcasting and sticking this in my face do I open a multicast dns browser to get the IP. I then go into the Cisco Clean Access Manager to see who has that ip address (Cisco is tied into our directory services.) I then go to their Facebook profile which is always wide open and call the cell number they have posted there publicly and politely request they discontinue the activity pursuant to the campus network policy as published in the student handbook. In the very rare circumstance they actually were smart enough to not leave Facebook open to the world I send them a polite email.

Linux

[Timmmm]

Just tell them you use Linux, even if you don't. They'll probably be able to add you to a white list.

Re:Linux

[wstrucke]

My university(Ohio State), tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.

As an IT employee at Ohio State, I can assure you that there is more of this in the pipeline since it's mandated by the Board of Trustees.

I can't see comparing what is going on at OSU with what the OP reports at CMU -- Ohio State's efforts to lock down the network and restricted data are quite comprehensive and IT staff, like you, are concerned that it's done properly. Mac/Linux support is on the way -- most vendors do not support it so it's quite difficult for the University to support it. The scanners they run on your computer are not there to look at your personal files, track down copyright infringement, or anything else you might be worried about -- they simply look for OS/software patches and run an anti-virus/malware scan. If you don't run the scan with the agent, you will not have any network access. If you take some of the suggestions here and bypass the security agent, you are violating the AUP and, if caught, could face academic misconduct charges.

I can assure you that the University's IT office is underfunded enough that even if they wanted to go out of their way to scan your computer for anything else (they do not), they would not be able to.

On a related note: Some how, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your mac address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.

This isn't magic -- they run typical network vulnerability scanners and block you if a virus or bot responds from your IP. DHCP and switch info tells them your mac address.

Use a VM

If they want you to install the client security agent, fine - install it in a VM under VMWare or VirtualBox. Either that, or make sure you have a firewall running and explicitly deny any traffic out from it.

That's insane.

[KingSkippus]

Dude, I don't know what to say, that's insane. The only suggestion I have is to either not use the Internet on your personal computer or find another university to go to. sigh... Looks like along with all the other stuff that determines what school a kid goes to, we're going to have to add "how screwed up is your Internet access policy?" to the list.

Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!

Looks to me like a clear-cut case of some overzealous IT goob forgotting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.

As a practical matter, you could just call up their IT department and tell them that you have a Linux box, even if you have Windows, and that your machine doesn't run their "Client Security Agent." Whatever they tell you to do to get on the network, just do that on your Windows machine and be done with it. If they tell you that it can't be done, seriously. Go somewhere else. If this university is that stupid, you shouldn't particularly want a diploma from there anyway.

If you do call them up and ask about Macs and Linux machines, let us know what they say.

Re:That's insane.

[Idiot+with+a+gun]

I'm a tech support (ResNet, CMU has it too) at a different university that has a similar "Client Security Agent." I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire). If anyone fails these, they are instructed to uninstall limewire, update anti-virus, whatever, and rescan. We don't prosecute based off of any data, but it's more of a prevention system to avoid any DMCA notices.

That being said, this is for windows only. Mac and Linux are only single time scans (for what, I do not know), and after that your MAC is white listed with your ID. The beauty is that once registered, it's MAC specific, not OS. I should note that our provider is promising a Client Security Agent for Mac soon, but I doubt a Linux one is coming.

Re:That's insane.

[izomiac]

Lying about your OS might not work. My university used a similar system and it definitely used OS fingerprinting techniques. I basically was dual-booting Windows and the BeOS and used Linux in a VM. In exact, one week intervals I'd be forced to log in (all outbound traffic blocked, DNS resolved everything to their internal HTTPS server, all HTTP was redirected to a captive portal page, screwing up caching of SSL certificates and DNS in the process of course). The page used the User Agent string to determine whether to show a log-in form or to merely insist you download "Cisco Clean Access". But, changing one's User Agent still didn't allow logging in, that's where the OS fingerprinting came into play.

That was the only part that used fingerprinting though. I found that I could log in from the BeOS or from Linux in a VM, so that's what I always did. Assuming the programmers behind that system are competent, I'd think they've patched that hole by now. People using Cisco Clean Access never saw that page, so I doubt they always got downloads and online games disconnected on weekly intervals. Anyway, I was using a heavily nLited and tweaked version of XP, so I knew it was secured (yes, I double checked with antivirus scans and blackhat tools every now and then), but Cisco Clean Access didn't (it apparently couldn't determine the patch status of some windows component I'd removed). I could log in with another OS and simply reboot to use Windows though. CCA was kinda a pain for normal users as well. My roommate came in with a decently updated Vista machine and basic computer usage skills (he could download and install software easily enough). I timed him, it took him six hours to clear all of CCA's requirements.

Oh, amusingly enough I complained about the system before it was fully implemented, asking about how they expected game consoles to log in, or how dual-boot users like myself would be affected. The IT person I talked to had no idea about dual-booters, but stated that game consoles weren't allowed on the network because they can't run an antivirus. After I pointed out that it's almost unheard of for such devices to be infected (and a few reasons why), he replied that he'd seen it happen in his personal experience, and provided a link of "such a case" (it was to a security bulletin for law enforcement saying that modded Xboxes might contain hacking tools). I kinda chuckled when I saw the system-wide e-mail a week after implementation saying that policy had been reversed, and that IT would whitelist game console MAC addresses upon request.

Mod Parent Up Please! :)

[gavron]

Run Linux. That's the answer. The silly Windows agent won't run on it, and your files can even be protected through filesystem encryption, and safe from magically being shared with spyware writers, botnet managers, and spam sources.

E

Re:Mod Parent Up Please! :)

[binarylarry]

Yep and you could run windows in a virtual machine with NAT setup and the client installed. That way, they'd get to scan "your machine" but wouldn't be able to access anything on the Linux side.

Re:Mod Parent Up Please! :)

[Anpheus]

Or you could do the exact same thing with Windows if you don't run programs willy nilly and use a more secure (or at least, minority market share) browser.

And you could use filesystem encryption and run the Client Security Agent under a low-privilege account, which you could make not capable of seeing certain folders on your hard drive. Just make it able to scan a couple token Program Files folders, its own folder in %appdata%, and %windir% and you'll probably be fine.

Dealing with idiotic, forced software is a pain no matter what your OS is.

Re:Mod Parent Up Please! :)

[Jurily]

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

-- Theo de Raadt

My Solution

[Adam+Zweimiller]

When I was at the University of SC in 2004, they required you to install the Cisco Clean Access software which checked to make sure you were running the school provided AV and had all your windows updates among other things. I hated the school AV (mcafee) because it constantly had false positives on items on my computer and would delete without prompting. It gave no option to quarantine, ignore, etc...just delete. I noticed that if you didn't have the Cisco Clean Access software installed and tried to browse, you were given a web portal login for your school network credentials, very similar to the actual Cisco Win32 software. After logging in you were prompted to download the Cisco software via the web portal along with McAfee and whatever else. I noticed in the school policy that Mac's and Linux clients were exempt. I booted OpenSuse, was greeted by the same web portal, but when I logged in, it told me I had a 7 day lease rather than telling me to download the Cisco crap. I went back to XP, downloaded User Agent Switcher for Firefox and faked my user agent to linux when logging into the web portal. It told me I had a 7 day lease and I was able to switch back my default FF user agent until I was prompted to login 7 days later. User Agent Switcher lets you save presets in a menu so switching is easy. I don't know if your school is setup the same way but you might want to try it. I was really surprised that with all the money and manpower that my school put into implementing all these policies that it was defeated by a first year student with a simple Firefox extension. Good luck, I really do feel your pain.

Whoa what?

[IICV]

From the first link:

The contents of all storage media associated with OIT facilities may be considered property of CMU unless the contents are licensed software, licensed databases (e.g., InfoShare), intellectual property owned by others, or protected by CMU's Intellectual Property Rights Policy. The university has the right of access to the contents at any time for any legitimate purpose including moving or deleting files to preserve system security and performance, or examining files when there is a legitimate "need to know."

"If you use our network, we own what's on your hard drives. Thanks!"

You're not as interesting as you think you are

I'm one of the evil characters involved with running a college campus network. Let me assure you that I couldn't give a rat's ass about what files you have or what's in your email or anything about you, really. All I care about is keeping the network free enough from malware that it can still function. It's always a matter of playing the percentages - if more than about 5% of the machines on the net are infected and misbehaving, the resulting traffic makes the network become essentially unusable for everyone. Students scream. Faculty scream. Then the university president screams at me.

So all I want is to make sure *enough* people are clean. If you're clever enough, you can get around the restrictions. But there aren't *that* many clever people, and those people usually aren't getting infected with stuff anyway, so I don't care about the outliers.

You're not a person to me. You're a data point. Don't be an interesting one and we'll all get along just fine.

join the computer club

[snsh]

You're at college. Get involved. Stop referring to IT/IS as "them" and instead make it "us". Participate with the student computer club, or the professional IT/IS department, and then you'll have a voice in campus policies, and after you pick up some credibility, you'll get the access you need to do your own stuff.

This is the point of being at college, after all.

Re:No.

[finalfrog]

My college doesn't require us to install anything to access the network. Of course that's mainly for two reasons: 1. If you're going to Harvey Mudd, you probably have mastered the basics and possibly several of the upper reaches of computer and internet security and those who haven't usually learn fast from their peers that do. 2. Honor Code. This is actually one of the basic tenets of Mudd, not just of computer usage, and it basically means "Use common sense and when that fails report yourself." It sounds crazy I know. You'd think it'd cause a breakdown of justice and total anarchy because no one would obey the rules which might very well happen on many larger campuses. But when you consider the kind of people that attend Mudd and its small size, it actually works darn well. Hell, it's worked for over 50 years and Mudd still turns out incredibly bright students either in spite of or because of the Honor Code depending on your view point. People actually do report themselves when they cause problems and there is a student run judiciary board for those who don't which runs quite efficiently. All in all, the policy causes less stress and anxiety for both the administration and the students than invasive strategies like the one described in the article.

Waaah.

[Idiot+with+a+gun]

Look, I'm a fan of net freedom just like you. But let's be honest here. It is the university's network, even if you are semi-footing the bill, and they get to decide network policy rules. It's mostly for prevention, if their students are constantly getting DMCA notices, the university might get into trouble. So of course they block limewire, not like it has a legitimate use anyways. If there's a massive outbreak of viruses on their network, their tech supports (people like me) have to clean up, so of course we force students to have up to date antivirus software, and up to date operating systems, its the method of prevention available.

Simply put, their network, their rules. When you're paying, you can decide the rules you follow, and deal with the consequences if you break some other major rules (laws). If you don't like their rules, complain to them, or go elsewhere. Not like you're forced to stay. Attempting to side-step the rules (especially publicly on slashdot, you know someone in the IT department at your university reads this site) is a very bad plan. Unless if you happen to be a random genius at network security (and if you're asking us, you aren't), you will not outsmart your school's IT department. This isn't high school anymore, where renaming forbidden .exe's, or simple .bat scripts would bypass the network policies.

Re:That's STILL insane.

[Malenx]

You seem to be confused. You are paying the school money for the ability to attend their classes. You are paying the school for the ability to use their network.

In no way do you have merit to dictate those terms. If you don't like it, then don't attend or try to convince them to change those terms. Either way, "Adults" should understand this is a contract, and you have very little negotiating power.

Re:That's STILL insane.

But again, it is my machine, and it is my money that is paying for that Internet connection. Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

Dude, your money only pays for a very small part of the school's network. Do you think they should let you piss in the university president's office because it is your penis, and it is your money that pays for that office? These measures are designed to prevent the school from getting sued and to prevent network users from spreading viruses to other users. It is their network, and they can require you to meet some basic security requirements if you want to use the network.

Re:That's STILL insane.

[uvsc_wolverine]

I'm not sure who provides their CSA, but ours only checks for antivirus, antivirus updates, windows updates, and common P2P programs (usually limewire).

So? I don't care if it makes your dorm room smell like a fresh spring breeze. If I don't want it, then you have no right to demand that I have it.

Actually...they do. Most Universities (like the one I work for) have an acceptable use policy. Agreement to the acceptable use policy is part of the school giving you permission to use THEIR network resources. You may have paid tuition, but the school's network does not belong to you. It belongs to the school, and if the school's policy says that you have to have a screensaver featuring fluffy bunnies in order to access their network then tough shit if you don't like fluffy bunnies.

If you were a private company, then maybe I can understand, it's your network, you have the right to set the rules.

Ok.

Even if you're a private university, though, I most certainly do not understand, because again, MY tuition and fees pay for that network, and Internet access is pretty much required to complete just about any degree these days. Deny it, and you might as well tell a student that he can't have any textbooks.

If you don't like it they can admit someone else.

Not to mention that it sounds like you've fallen into the same trap that the RIAA/MPAA has fallen into. "Because some people use Limewire for illegal purposes, since you have it installed, you must be using it for illegal purposes." Sorry bub, but the whole "guilty until proven innocent" thing doesn't fly very well with me.

I do agree with you here. At the university I'm at we don't do the "guilty until proven innocent" thing. We got a little more proactive and setup a layer 7 firewall on our network that blocks all P2P traffic. Of course there are ways around it via VPNs and proxies, but the installation of that firewall resulted in about a 60% reduction in our network resources and an overall speed increase for the entire campus (we have about 3000 employees and 25000 students).

If you have some reasonable suspicion based on tangible evidence that my machine is spewing out malware or otherwise violating policies designed to protect the university or its network, then by all means, shut off it's connection, show me what you've got, and we'll deal with it like adults.

We do this in addition to the Security agent scans checking for current anti-virus and Windows updates (Mac, Linux, and wi-fi based cell phones are automatically exempt).

I wouldn't want my machine, if infected, to convey malware any more than you do. If you want to make such a "Client Security Agent" available for me to use, then thanks, I'll consider it.

But again, it is my machine, and it is my money that is paying for that Internet connection.

Yep, and thank you for your money. It is being used to pay for OUR network and OUR Internet connection. If YOU want to use YOUR machine on OUR wireless network (that we have graciously provided you with - we don't have to give you an Internet connection) you'd damn well better install the security agent or you can wait in line to use a computer lab where some idiot making $9.00/hour from your tuition (thank you again) can watch everything you're doing on that computer.

Accessing it is not a privilege that the university has graciously given to me for free, it is a paid-for service, and you'd better have a damn good reason for taking my money and then denying it to me. "You might get infected or break copyright law" is not a valid excuse.

Actually it is a privilege you've been given for free even though you paid tuition and student fees. I can only speak for the institution where I am em

Re:Don't use their network?

Most schools have similar software in place, Tipically, Cisco Clean Access: http://www.google.com/search?q=clean+access+inurl%3Aedu

When I was in the dorms at my school, a guy maintained an InstallVise installer, which contained the proper registry keys to change window's MTU, and
a greasemoney script which spoofed firefox's user agent and platform, so windows machines looked to be running linux.

After seeing someone with a similar solution get kicked out of another school, being published on slashdot, and knowledge that my school's IT dept was searching
for the maintainer, he stopped.

Clean Access now uses a java jar, for the linux platform. If your school's client has something similar in place for linux users, I suggest that you find a Computer Science student,
and ask them to decompile the jar, using the DJ Java Decompiler, and create a greasemoney script that uses a similar method of generating a session key. You'd also probably need
the special registry keys, which can be found in the source code for sec_cloak.c, which you should be able to find on google.

Hope I could help.

Re:Can't tether there.

[Hognoxious]

Where is this University?

You mean Central Michigan University? It's in Southern Beijing, as the fucking name implies.