LAN Security Blues

Posted by on May 30, 2008 | 7 Comments

Gnomie Jared Woodruff writes about what some of you might find to be all-too-familiar woes of being in charge of network security in places where co-workers and higher-ups often don’t “get it.” Figured I’d share this with you guys:

Hey, Chris!

I’m a newbie to your YouTube show (mainly because I have ADSL 28kb/s and the only way I can ever view it is at work). I’m a school network administrator. I was wondering if I could get your opinion about how strict schools should be with workstation security. I suspect your feelings are the same as mine, so you’d be giving me some ammunition to use in defense of my position.

Let me explain.

I am in charge of LAN security and find that most of my time is spent hunting down contraband games and files that kids put on the network: Flash games, adult crap, hacking tools, and the list goes on. Recently our school captain came to me and my superiors campaigning for unfiltered access, and he is quickly gaining teacher support. Some of the things he wants are: unproxied Internet, no workstation policies, and for students not to be banned from the network after they have been caught with banned files. My job’s already difficult enough without the problems that would be caused by a flood of unfiltered access completely obliterating our network bandwidth.

So I was wondering if you could do a show on the importance of Internet proxies, workstation settings, and school policies and how it all relates to educational network security.

  • http://www.ubuntuforums.org exneo

    I am a secondary student and I seriously hate hardcore blockage. My school blocks even appropriate shit, man. I hate it so much I taught my friends how to use Google Translate as a proxy. I don’t use it myself, but hey, it should be known!

  • mhz

    You should review the series by Diana Huggins, “The Importance Of End-User Policies And Procedures”, from the week of May 7, here at Lockergnome.

  • leftystrat

    I come from a slightly different perspective… I work for a non-profit in roughly your position. We have faced the same issues you mentioned, although people don’t campaign for open access; they just moan quietly when they can’t spend all day streaming Beyonce videos.

    You may be better off appealing to your superiors in a business fashion. “If we allow this type of access, the network will be down in short order. If the network goes down, we can’t do our real jobs and people will be very upset.”

    You can also mention the visits from the nice gentlemen in dark suits and sunglasses, claiming something about hacking federal databases from this domain. Or the RIAA lawsuits because every computer in the domain has LimeWire and 20 gigs of illegal content.

    Lastly you can explain to the campaigners what happens when they have unfettered access and would they perhaps like to donate twenty hours of their time per week to help you clean up after them.

    My CIO understood this logic perfectly. This is why we were allowed to implement all sorts of security policies on the network.

    But this is America - we demand all the rights with none of the responsibilities.

    Best of luck.

  • David

    OK…….. How about YOU take a RADICAL approach!

    Tell them, YOU are going to give it a 3 MONTH trial period beginning in 6 or so months.
    Using statistics software to keep up with the bandwidth, how many viruses, workflow, etc.; keep a record of 3 months BEFORE the change (also keeping track of the HOURS spent keeping the system clean), and the 3 month TRIAL PERIOD (again keeping track of the HOURS spent restoring the system back to a good state).

    I know it will be the BIGGEST pain you have had to date…… BUT……. once the “high ups” see the cost in dollars and in wasted time…. they will be GLAD to go back to the semi-lockdown.

    Look at it this way…… teachers are going to be REAL mad when 6 out of 20 PCs are “non usable” because YOU had to “pull” them for viruses. THEN you can HIT them with the “well YOU wanted YOUR students to have FREE ACCESS, these are the RESULTS of YOUR decision”.

    (I would also write up an agreement THAT states YOU are NOT to be held RESPONSIBLE for, and YOU wash your HANDS of, any MIS-USE of the school’s NETWORK, and that your job remains INTACT no matter WHAT the outcome is.)

    This will keep YOU from being SUED by Parents, Copyright Owners, Recording / Movie Studios, Law Enforcement Agencies.

  • David

    I worked in the K12 school IT area for 5 years, and depending on your location you may have other recourse. Is the Internet connection subsidized by tax dollars? If so, then what are the stipulations of using said tax dollars for this purpose? Some states require MANDATORY filtering and blocking of inappropriate material. If there is not a reasonable attempt to do so, then tax funding is pulled. You can also address safety, as opening the network allows the predators in as well as everyone else out.

  • Scott

    It seems ironic that this topic always comes up on networks…

    I have a few suggestions…

    #1 is Windows SteadyState… It makes it a lot easier to “undo” changes made to systems… (Read up on how to do the scripted op system install that stores all user info on a separate hard drive, anywhere on the network… You can literally make it where users cannot write anything to the boot drive…)

    #2 is a Barracuda box…

    These 2 things will give you massive control over the internet traffic and changes that can be made to the network workstations…

    I hear a lot of people complain about network security and problems with workstations…

    99 % of which can be handled by a properly set up network…

    99.9 % of networks are not configured properly to begin with…

    As far as the blocking access goes, there is no easy answer for that…
    Just set the network workstations up so that everything can be undone on the boot drive by simply rebooting the machines…
    All of the tools and resources to do it are available for free for just about every operating system out there…

  • http://www.vipsudio.com Jared – Stinger Software Systems – Vipsudio

    I went one better: I started my own company and created a policy enforcement engine, which got rid of games, porn, viruses, network traffic due to network games, and workstation hacks.
    I called it “Stinger”; it is now run in over 14 K12 schools in Victoria alone. Its counterpart is “Pegasus”, a sole game blocking engine I’m about to release. I was going to release it earlier, but there were setbacks due to our “SVK”, a USB virus remover deployed to schools, and its overwhelming success in eliminating USB viruses on workstations and educators’ laptops, far more than I expected, so now we have a crap load of schools using my software =) yay for me but not for my bank cos I don’t charge money for my software haha.

    Well, in a nutshell, I put it on the line at my school, telling them the pros and cons and the network history and student network misuse progression, and they agreed it was an issue that additional policies had to be enforced.

    For anyone that has or is having my problem, all you have to do is get the boss supporting you, because most school officials have no idea what you are asking of them when you tell them this stuff.