I was assuming that this kind of encryption would make sense for a number of reasons and therefore wouldn't be blocked
Any protocol that has a direct negative impact on the integrity of the campus infrastructure will be blocked regardless of how "sensible" it may seem to you.
As a security admin I can truly say, if I don't control the creation, management and logging of what goes into one tunnel endpoint you will not get it. Try subverting some other protocol to bypass policy, and you won't get that either, and when I collect the evidence of said subversion (which I can guarantee will be in flagrant breach of one of the catch-all clauses in any AUP I draft), I will quite happily haul your carcass up before HR/whoever to get your skinny little ass kicked out of the premises "pour encourager les autres".
You Yanks with your self-indulgent sense of "entitlement" just don't get it. Managed deny-everything policies for internet access like these have been implemented as standard in the UK and throughout various parts of Europe for years. It's not just in the commercial environment either, as posters from various .ac.uk addresses have testified here.
Direct net access for end users from their desktops is NOT a constitutionally guaranteed right. That means NO connectivity for SSH across the perimeter, VPN, mail servers, P2P or anything else from your dorm desktop.
E.g. when you are playing in my back yard, you WILL not get ping/traceroute outside the perimeter. You as an end user can whinge all you want, but 99 times out of 100 it's the judgement of yours truly as the security admin that management will defer to at the end of the day, and ultimately it's my arse on the line when something goes pear-shaped due to a breach. Not you the end user.
Now if you can produce and document a clear educational/business case for having said protocols and get qualified backing from campus staff, then time and effort MAY (and I use the word "may" here) be expended on developing a secure solution to delivering that set of secure services.
It's strange how it's only now that institutions in the US are waking up to the very costly chaos caused by allowing the free-for-all of unmanaged net access. Money wasted providing band-aid fixes to that problem would be much better spent investing in the 90% of students who are not there taking the piss.
Now you can choose to break Godwin's law when you read my sentiments above and allege I was born in 1889 in Austria.
Welcome to the future Chuck, that's how it's gonna be. You will see more of the same when you start working in the real world also.
Curmudgeon
I'd agree wholeheartedly, but it surprises me that some sites mentioned are daft enough to implement flat-rate caps on parts of their network without implementing a simple set of QoS rules in parallel to aid the 90% who don't waste bandwidth and resources by running P2P.
If one is not going to outlaw P2P, then they should up the priority of browser and other general campus-related services whilst reducing what's left to a very low priority.
90% of the available resource should be for the almost exclusive use of the 90% who play by the rules; needs of the many and all that stuff.
Curmudgeon
Apparently, you haven't read what I have been writing.
Given your prior level of abject cluelessness demonstrated previously I am not surprised. How pray tell are you to establish your much-vaunted 'ipsec' tunnel across the perimeter when both the firewalls and inside/outside screening routers are dropping udp/500, GRE and IP protocols 50/51, smartarse?
No security admin with even a smidgen of competence will allow a vpn/gre/pptp/whatever tunnel to traverse perimeter security from the LAN to the internet or vice versa. One might as well throw the damn firewalls away otherwise.
Especially considering how trivial it is to split something like a PPTP tunnel and then have a direct ROUTED connection from a foreign network into the LAN.
Tunnels in any properly designed environment are only allowed to start and terminate in a DMZ, or directly on the firewall, where access to/from such tunnels is strictly regulated.
Curmudgeon
Aw diddums, you're not used to having a robust conversation with adults now, are you?
No more than I'd expect from a wannabe middle-class 'anarchist'. Great on superficial waffle, rather lacking in the specifics though.
Curmudgeon
What? Even more than the guys and gals stood up in front of them every day?
I don't think so.
Curmudgeon
but also IM programs such as Jabber/MSN/ICQ and even telnet
An excellent policy. Pays for itself in one pre-empted virus outbreak.
Curmudgeon
Are there any ways to get network services to listen to us?
Easy, drop the dime anonymously on them to the RIAA and some large record companies, telling them about the horrendous copyright violations you have witnessed.
When the head of networks sees the tour bus full of RIAA ambulance chasers enter the car park, you'll see him running for the internet router armed with a fire axe.
Curmudgeon
It's simpler than that. Any campus running a recent version of IOS on its routers gets it for free, just about.
http://www.cisco.com/warp/public/732/Tech/qos/
Curmudgeon
Oh yeah, that's gonna work, with what? A Maglite?
Who/what is going to pay for the Cisco 12000s or Juniper M series to hang at either end? Where are the $$$$ for the peering?
Curmudgeon
I'm a Systems Analysis major
That explains the clueless ranting tantrum.
Curmudgeon
I don't know,
That's painfully obvious.
If you can't tell an email from britney.mp3 because encrypted both look like static
You are making the silly assumption that there is no way to determine what makes a valid https connection, and what's a P2P session wrapped up in SSL. You don't have to.
There are a number of companies making a nice earner with subscription-based services for content filtering. Disguised P2P/instant messaging sites based on https will be no different. Filtered at the perimeter by the nice farm of squid boxes, netcache servers/whatever. One or two may get through, only to get stopped on the fly by some simple traffic monitoring or by the nightly update of the banned list.
Curmudgeon
If you had a Linux box as a router,
Any network dept using a Linux box as a campus backbone router would want their heads collectively examined. That's competition Cisco don't have to worry about.
Curmudgeon
Blocking ports isn't effective
Duh! If [ab]users don't have direct net access to begin with, then blocking ports is 100% effective.
Curmudgeon
There's no way to stop filesharing except at the endpoints of communication.
How clueless can you be? Where did you get that little gem? Did you learn that from your secret CCIE decoder ring in every pack of Weetos?
Unless the users stop wanting to use filesharing
Yeah right. Say for example I am the campus network manager; I manage the internal routers; I define the security policy on the perimeter firewall infrastructure. You're telling me that I cannot possibly stop users from running P2P across my perimeter and out to the internet? How precisely? I would just LOVE to know how.
If the site policy is an implicit denial of outbound connectivity except for managed services, how pray tell is some weed-smoking wannabe who thinks he is 31337 going to get past that?
NOW GO AWAY and read some Stevens, and some Cisco Press and some other useful items such as Phoneboy's recently launched tome, and then you just might be in a position to make a useful contribution.
Curmudgeon
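The post above and the earlier one about dropping udp/500, GRE and IP protocols 50/51 describe the same perimeter rule: nothing leaves except via managed services, and tunnel protocols are dropped at the screening routers. As an added example that is not from the thread or from any firewall product, the following Python applies that rule to flow records parsed from constructed key=value log lines and tallies which inside hosts keep trying to stand up tunnels, which is the list a security admin would pull from the deny logs before the HR conversation. The managed-service addresses, the log format and every record are constructed; the protocol numbers (GRE 47, ESP 50, AH 51) and ports (IKE udp/500, PPTP tcp/1723) are the standard IANA assignments.

```python
"""Perimeter default-deny check over constructed flow records.

Added example: encodes the policy described in the thread (outbound
denied except to managed services; IPsec/GRE/PPTP dropped at the
screening routers), applies it to flows parsed from constructed
key=value log lines, and tallies tunnel attempts per inside host.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# IANA protocol numbers for the protocols named in the thread.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51

# Managed services inside hosts may reach directly (assumed addresses).
MANAGED_SERVICES = {
    (PROTO_TCP, "10.0.0.10", 3128),  # campus web proxy
    (PROTO_UDP, "10.0.0.53", 53),    # campus resolver
    (PROTO_TCP, "10.0.0.25", 25),    # campus mail relay
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for port-less protocols (GRE/ESP/AH)


def parse_log_line(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record (not a real vendor format)."""
    fields = dict(token.split("=", 1) for token in line.split())
    dport = fields.get("dport")
    return Flow(fields["src"], fields["dst"], int(fields["proto"]),
                int(dport) if dport is not None else None)


def classify_flow(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one outbound flow under the perimeter policy."""
    if flow.proto in (PROTO_GRE, PROTO_ESP, PROTO_AH):
        return "deny", "tunnel-protocol"
    if flow.proto == PROTO_UDP and flow.dport == 500:
        return "deny", "tunnel-protocol"  # IKE negotiation
    if flow.proto == PROTO_TCP and flow.dport == 1723:
        return "deny", "tunnel-protocol"  # PPTP control channel
    if (flow.proto, flow.dst, flow.dport) in MANAGED_SERVICES:
        return "allow", "managed-service"
    return "deny", "default-deny"


def tunnel_attempts(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count tunnel-protocol denies per source: the hosts worth a visit."""
    counts: Counter = Counter()
    for flow in flows:
        if classify_flow(flow) == ("deny", "tunnel-protocol"):
            counts[flow.src] += 1
    return dict(counts)


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "src=10.1.2.3 dst=10.0.0.10 proto=6 dport=3128",
    "src=10.1.2.3 dst=203.0.113.5 proto=6 dport=443",
    "src=10.1.2.7 dst=203.0.113.9 proto=17 dport=500",
    "src=10.1.2.7 dst=203.0.113.9 proto=50",
    "src=10.1.2.7 dst=203.0.113.9 proto=51",
    "src=10.1.2.9 dst=198.51.100.4 proto=47",
    "src=10.1.2.9 dst=198.51.100.4 proto=6 dport=1723",
    "src=10.1.2.3 dst=10.0.0.53 proto=17 dport=53",
]
SAMPLE_FLOWS: List[Flow] = [parse_log_line(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, *classify_flow(flow))
    print(tunnel_attempts(SAMPLE_FLOWS))
```

Note that direct tcp/443 to an outside address is denied too: under this policy https only leaves through the proxy, so the tunnel rules are a diagnostic on top of the default deny, not the thing doing the blocking.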
And a really sensible net admin would have that port 80 connection WCCP/transparently proxied with some content filtering/checking to terminate malicious use of that also.
Curmudgeon
40 Meg/sec for 800 students? Damn, that's bigger than an E3; UK prices for such a pipe would be hitting $40k per month.
I've managed 1000+ user company connections on a single E1 (2 meg), that worked just fine for mail/web/whatever and still wasn't approaching 30% sustained utilisation.
Moral: End users will take the piss.
Curmudgeon
Shit!
Time for a big usage policy change on that network. A simple one at that. Direct net access by end-user (non campus-owned and managed) equipment is terminated.
All outbound traffic is proxied, authenticated, filtered and content-checked. P2P outlawed on penalty of expulsion for the 1st offence.
Curmudgeon.
Oh stop talking bollocks you prat! Typical spoilt middle-class child mentality. Who/what pray tell do you think pays for your illicit file sharing, idiot?
Curmudgeon
What proof do you need? The bloke has just told you: when he throttled the dorm networks, fat pipe utilisation plummeted.
I am quite sure he didn't just target that particular network at random. It's trivial on any managed network infrastructure to quickly determine what's chewing up bandwidth.
Curmudgeon
Yes, idiot, it would also make the owners of the campus infrastructure responsible and therefore liable for copyrighted material exchanged through such a facility.
Plausible deniability is a defence when it's a bytestream crossing a network. Impossible when it's on a college-owned and managed P2P server.
Never mind the ethical/political considerations of some of the material transferred.
Curmudgeon
Excellent solution. Easy to implement also using QoS on the inside routers.
I just love those idiots who think it's their god-given constitutional right to chew up all available bandwidth on what is after all a grace-and-favour facility.
On any network I've ever secured, end users wouldn't get direct internet access, point blank, to begin with.
Curmudgeon.
What politically correct idiot modded this as Offtopic? It's bang on the spot.
In the UK we have to endure a popular culture that lionises illiterate thugs who masquerade as soccer players on 50 grand/week.
But with the grossest of hypocrisy calls a trader who may have earned the bank 50m worth of business "greedy", when the bank rewards him with a 7-figure bonus for his efforts.
It's the same self-indulgent nonsense that comes with such corkers as "NHS envy of the world" et al., whilst ignoring the hideous reality.
Curmudgeon
The only good socialist is a very dead one.
Curmudgeon.
An idealistic, self-indulgent fool, when the rest of the world is providing your living expenses with $$$$ grants etc.
Meanwhile in the real world....
Curmudgeon
Having seen up close how hard working Belgians get utterly shafted by their political masters.
You'll support the system all right by using your party contacts to get a nice-paying job for life in the public sector with a nice fat index-linked pension at retirement.
For those of you who don't live in Europe, the Belgian body politic is up there with the Italians in the corruption stakes.
Classic socialism in action, keep 'em poor, keep 'em on welfare, keep 'em uneducated and it will keep 'em voting for you.
Curmudgeon