[adamtampa]

I live on campus at my university, which has a despotic network IT dept. They provide free internet connections via ethernet, but do not allow on-campus redidents like myself to set up our own wireless networks. I know this because I have a friend who also lives on campus who set up a linksys router so he could use his PowerBook wirelessly. Within 30 minutes of his doing this, he had the campus IT people knocking on his door. They told him to immediately remove the router and that they would be turning off his internet connection indeofinately while they "investigated" his network. He did remove the router, and also explained that he just wanted to use his PB wirelessly, rather than having it hooked up to the ethernet cable (imagine the gall! ;-) ) . The IT people relented and let him keep his internet connection as long as he promised not to set up another network of his own. The IT people take network security very seriously, apparently.

I have no idea how they sniffed his router--whether it was a keychain-type wifi sniffer or if it was through some other means. I don't know networking stuff that well.

Here's my question: Is it possible for me to set up an airport express in my apt without the despotic university network IT people finding me out?

My goal is to be able to have a wireless network at home that noone--my campus IT people-or anyone else-can detect-and which I can use to do all the things everyone else does wirelessly:

- I wish to use the wireless network to surf the web and print wirelessly.
- I would like to have my computer's ethernet port connected to nothing.
- I want to be in bed and surf, even though my computer is physically connected to nothing.
- I want to be in bed and print a document on my printer in another room.
- If I can plug my powered cambridge soundworks speakers into the airport express, I would like my iBook to stream music to them.

But the most important thing is: No one (the campus network IT people) can detect my wireless network over the campus network or from a wireless card or keychain wireless detector. If I get busted, I'll be in big trouble, and don't want that to happen.

Any help is greatly appreciated.

[ghporter]

Sorry, but it is THEIR network, and they cannot depend on YOU to control access through your wireless equipment. They're not being despotic, they are protecting the entire university's network from students who would expose the entire network to penetration by absolutely anyone. You apparently don't appreciate what a gapping, "welcome bad guys" opening an uncontrolled wireless connection in a network is. It's the kind of thing that brings entire metropolitan area networks down hard. It's the kind of thing that lets off-campus intruders do ANYTHING they want with the network-anything at all. And trying to circumvent these rules is the kind of thing that gets students expelled, permanently and with prejudice (just try getting accepted to another university after being expelled for screwing up the school's network). It appears you DO appreciate the level of trouble you would be in when (not if) you got caught. So NO, we won't help you circumvent these rules.

Your dorm room cannot be that big-pay a few bucks and get some good quality ethernet cables, even a router and a bunch of cables, so you can sit anywhere you want in the room and plug in. It'll be faster than wireless too.

[tooki]

Oh, come now Glenn, I don't think the request is that big a deal. I don't think it's unreasonable to want to untether the connection you've been given, and it would not be unreasonable for them to allow routers, provided that WPA encryption be used. (And I entirely agree with calling those rules "despotic" -- many network admins forget that their role is to provide services to the user, and that it should be their job to serve the users' needs, no matter what they might be. There is definitely a better balance than what's described above.)

But the fact is, there is absolutely no way to make it undetectable by any means. Even networks with the SSID deactivated are readily detectible. NAT is detectable, so a router can't be used. A bridge might be invisible in terms of addressing, but it's impossible to have undetectable wireless.

tooki

[Scotttheking]

Originally Posted by tooki

Oh, come now Glenn, I don't think the request is that big a deal. I don't think it's unreasonable to want to untether the connection you've been given, and it would not be unreasonable for them to allow routers, provided that WPA encryption be used. (And I entirely agree with calling those rules "despotic" -- many network admins forget that their role is to provide services to the user, and that it should be their job to serve the users' needs, no matter what they might be. There is definitely a better balance than what's described above.)

Wrong.

First, it is not a network admin's responsibility to give the users what they want. Yes, they have a responsibility to provide a level of service, but they have the right to set the limits, or their boss does.

Second, users do idiotic things all the time. Especially with wireless, the default rule is to disallow it, because it is virtually impossible to make sure it is secure and stays that way.

There is a very simple solution to the poster's want: Move off campus. Until then, you are subject to the rules and regulations of your place of residence.

Quite simply, wireless is a pain to deploy onto an existing infrastructure, and thus it takes a fair amount of time after deciding to deploy it to actually do the deployment. That's one of the reasons many campuses don't have wireless throughout yet. Since a lot of campus resources are open to all on campus network connections, wireless must be secured, and admins cannot trust users to do it.

[Sage]

The school that I’m going to this fall (UCSD) allows dorm residents to setup wireless routers if they contact the IT department. The IT department will then walk you through the process to make sure it’s set up to their satisfaction.

A balance can be achieved.

Of course, it’s rather moot, since all the residential halls have wireless access built-in. Maybe that’s the only reason they’re willing to help anyone, since very few people would want to do that…

[ghporter]

Originally Posted by Sage

A balance can be achieved.

Absolutely true. BUT. The balance has to benefit BOTH parties or there's no reason to look for it.

Most schools have IT departments as an afterthought. Those that are more well-supported than that have reasons for it-reasons that are NOT about giving students "what they want." A major university lives-and dies-on research and the ability to perform and publish that research. If some freshman who thinks "it would be cool" to set up streaming audio throughout his part of the dorm manages to open a truck-sized hole in the school's network and thus compromises the network, ongoing research, and all the other schools dependent on the compromised school's work, that's a "bad thing" in anybody's book.

The OP has contacted me. He's a grad student, not some ignorant freshman, and he sees my point-even if he doesn't agree with my conclusion. If you don't follow the rules you are subject to their penalties, and more than a few U.S. universities have a track record of expelling students who play fast and loose with network security.

It's possible for a student at a school that doesn't allow such things to work with the administration to find common ground. That is the prefered route. But just finding a dodge to connect what you want, regardless of the effect on the network or your education, is not an acceptable route at all.

Further, without the concurrence of the school's IT department, just think of the cataclysmic consequences of simply opening the network up to whomever can find the renegade wireless signal. UT Austin got into serious hot water last year (or the year before) because they hadn't secured access to a supposedly offline system that had been used for personnel and thus lost tens of thousands of employee records, including social security numbers, addresses and birthdates. And look at what happened with the VA in May-and that wasn't even an online issue.

You MUST pay attention to network security or the network will simply go away, either through being overwhelmed by interlopers or by simply being turned off. My preference is to work WITH the system and preserve the network for personal as well as educational benefit.

[tooki]

Sorry, but I cannot for a split second support any view other than this: it's a computer resource admin's job to provide to its users the services they demand. Anything else is the tail wagging the dog. The misconception that the computer/network team should decide what tools the organization's users must use is widespread throughout the IT world, but it's fundamentally wrong.

IT is not a core competency, it's a support function, and that's what it should do. Support. It is not OK for an IT department to hold an organization hostage and force it to do things contrary to how it wishes to operate. (Unfortunately, that happens frequently.)

I am not saying that IT should succumb to every single user's whim. But wireless networking is not an exotic request these days, and the fact that many users love it and want it should be enough to compel a user-serving IT department to provide it, or at least allow users to provide it themselves.

tooki

[draggerman11]

Originally Posted by Sage

The school that I’m going to this fall (UCSD) allows dorm residents to setup wireless routers if they contact the IT department. The IT department will then walk you through the process to make sure it’s set up to their satisfaction.

A balance can be achieved.

Of course, it’s rather moot, since all the residential halls have wireless access built-in. Maybe that’s the only reason they’re willing to help anyone, since very few people would want to do that…

Having been to UCSD quite a lot and stayed in the dorms, wireless access in their dorms can be spotty. Wireless access in the Muir dorms, for example, is terrible, and using the ethernet is a much easier solution. That they allow you to set up a wireless router at all is a godsend.

Unfortunately, it is the IT department's choice if they want to allow you to set up wireless or not, because as has been noted, an improperly configured router is easier than cake to enter. The college I will be attending this fall has this same policy, so I will have to suffer with ethernet (ugh!).

[ghporter]

Originally Posted by tooki

Sorry, but I cannot for a split second support any view other than this: it's a computer resource admin's job to provide to its users the services they demand. Anything else is the tail wagging the dog. The misconception that the computer/network team should decide what tools the organization's users must use is widespread throughout the IT world, but it's fundamentally wrong.

IT is not a core competency, it's a support function, and that's what it should do. Support. It is not OK for an IT department to hold an organization hostage and force it to do things contrary to how it wishes to operate. (Unfortunately, that happens frequently.)

I am not saying that IT should succumb to every single user's whim. But wireless networking is not an exotic request these days, and the fact that many users love it and want it should be enough to compel a user-serving IT department to provide it, or at least allow users to provide it themselves.

tooki

I believe that this school IS doing what their customers want. But those customers are NOT the students. Students are frequently secondary to many universities' mission-research. Further, unless there's a specific clause in the dorm contract that says the resident is a "customer," the service they get is what they get. I don't think it's the IT department making these decisions at all. In fact I'm pretty sure it isn't. I think it's the university's CIO, who has decided that the risks to the school's network are much greater than the tiny inconvenience students in the dorms face in dealing with cables instead of wireless. This executive typically reports to the university president (Texas state institutions do that as a matter of statute). If this is a problem to the student, the student should go to the proper authority-the school administration, not the tech staff-and request some sort of compromise.

Remember, there are very few organizations in which IT does what they want. In almost every case, they implement executive decisions. The few instances where this is not true are so isolated as to be inconsequential. The IT department is a tool of the management, not an independent entity, and they support what the school's administration wants, NOT what the students want. Students need to take such issues up with administration. I'm afraid that such issues will result in the administration saying that the student can find another institution. Really, how bad can it be to depend on a wired connection in a dorm room?

[pheonixash]

Originally Posted by ghporter

I believe that this school IS doing what their customers want. But those customers are NOT the students. Students are frequently secondary to many universities' mission-research. Further, unless there's a specific clause in the dorm contract that says the resident is a "customer," the service they get is what they get. I don't think it's the IT department making these decisions at all. In fact I'm pretty sure it isn't. I think it's the university's CIO, who has decided that the risks to the school's network are much greater than the tiny inconvenience students in the dorms face in dealing with cables instead of wireless. This executive typically reports to the university president (Texas state institutions do that as a matter of statute). If this is a problem to the student, the student should go to the proper authority-the school administration, not the tech staff-and request some sort of compromise.

Remember, there are very few organizations in which IT does what they want. In almost every case, they implement executive decisions. The few instances where this is not true are so isolated as to be inconsequential. The IT department is a tool of the management, not an independent entity, and they support what the school's administration wants, NOT what the students want. Students need to take such issues up with administration. I'm afraid that such issues will result in the administration saying that the student can find another institution. Really, how bad can it be to depend on a wired connection in a dorm room?

How twisted it that? Student's are their secondary concern? Where do you think they're funding for research comes from? I am at one of these research-oriented universities, the IT department has a responsibility to provide students with what they need, to keep us happy.

In fact, our University's first priority was setting up a Wireless Network. Wired connections are still dodgy in certain areas, though the wireless network is flawless. Till date, I haven't once plugged in my laptop to the school network, we always use wireless, even for printing. We have wired connections in our dorm, but on request we can set up our own wireless networks, as long as it meets certain encryption requirements set down by the Office of IT. Students pay a fee for University and accomodation, and have a right to depend something as simple as wireless connections in the dorms.

Concerning sensitive information being leaked, our University has simply set up a seperate network for sensitive information which the student has no access too. This is a simple solution to apparently a very complex problem. The IT department cannot hold a student at ransom for their inefficiency.

[ghporter]

Yep, students are a mechanism for a university. Just ask any tenured professor.

And really, how hard is it to go from one ethernet cable to another in a dorm room? Come on, folks, it's not like students are having their air rationed!

Setting up a second, internal network is a good idea, but I'll bet that there are connections from one to another that are needed to let certain functions operate (bursar, personnel, etc.), and those particular connections are weak spots.

As for adding wireless access on campus, that's to the school's advantage. If they do that, it means that they don't have to set up an expensive infrastructure of wired connections that would clog the hardware's ability to handle traffic. And allowing outside access to the school's library means that students don't need to be IN the library to do their work so they can cut library staffing. It's all about the school, NOT the student.

And again, the IT department WORKS FOR THE UNIVERSITY, NOT THE STUDENTS. They do what the administration tells them to, not what students want. Students just are NOT the purpose of a university-increasing the world's body of knowledge is why they exist. Research and publish are universities' primary missions.

[tooki]

I think you're dead wrong, and it's that self-serving attitude that turns so many IT departments into adversaries rather than allies in an organization's goals. A university without students, who pay the bills, is nothing but a useless shell. A university cannot ignore the needs of the students who pay tens of thousands of dollars to attend. Note also that not all universities and colleges do research; some are pure teaching institutions.

I understand why an IT department -- or any other administrative office -- has to tread carefully, especially in these days where Sarbox and the threat of lawsuits require high security. But there are better ways than outright prohibition, which only induces people to circumvent the system.

tooki

[ghporter]

Tooki, I AM a student. But I also know a guy who's in charge of network security for a major university, and I know how they work. It's not about students-teaching is a sideline for most professors at most schools, because it gets in the way of their research. This isn't true at every university, but it sure is true at a lot of them. For example, the University of Texas System includes 14 "major universities," and because of the way it's funded (land trust in West Texas that has LOTS of oil under it), the UT system doesn't even pretend to be student centered.

Further, my friend who works network security sees the politics aspect all the time, and it's a problem. In many cases, a university's researchers bring in many times more money than the students, so the researchers, funded by outside grants, call the shots. Students are there for use as test subjects and because you generally can't award a PhD to someone who hasn't taught a certain amount. So the administration pays a LOT of attention to the researchers, and does what they can to keep them. On the other hand, students will always be there, so they do what they MUST to ensure the students can succeed-not that this is always enough or properly done.

But it's still an issue of who owns the network and makes the rules. It is owned by the university, administratively managed by the school's administration, and those management decisions are implemented by the IT department. I don't think that it's a major problem to go without wireless in a dorm room when ethernet cable connections are available, and I don't think it's unreasonable to lock down a school's network to prevent it's compromise. I got through a computer science degree with a desktop computer at home-way before wireless networks-and that was very computer intensive. I just don't see equating "wanting" to use a computer untethered and "needing" it to be that way. It ain't air, it's just a cable.

[ginoledesma]

I used to be a Network Admin for the residential units in college, circa 1999-2004, so I've been on both sides of the fence. The IT department's policy strictly prohibited things such as routers, hubs, and the like, enforcing a 1 PC to 1 port rule and required that all networked devices have their MAC address registered with us to allow them to get onto the network. The primary reason for establishing this policy was user accounting (please understand the context that back then in the Philippines, bandwidth cost a premium), and there were a couple of users who were keen on sharing their connection.

Over time, we introduced wireless net[works because laptops were rapidly becoming a common item, and the conveniece of not being tethered appealed to a lot of residents. The typical network security measures were put in place (WEP + MAC address registration/filtering + hiding SSID), as well as isolating them from our core network.

In the end, this proved to be a popular hit with the residents, albeit at the expense of perceived security (my personal opinion). The compromise we came to was requiring residents to sign a waiver stating that because of the "inherent weaknesses" of wireless networks, the IT department would not be held responsible for damage to their computers and/or data. This may be a cop-out, but then again, majority of the people involved (both residents and staff) felt that this was a better approach than to be Big Brother 24x7.

As a side note, a big plus to the university officials was the significant cut in spending in structured cabling (for expansion) and its maintenance. That allowed us to focus on more meaty things, such as fiber upgrades, backup equipment, etc.

[pheonixash]

Originally Posted by ginoledesma

I used to be a Network Admin for the residential units in college, circa 1999-2004, so I've been on both sides of the fence. The IT department's policy strictly prohibited things such as routers, hubs, and the like, enforcing a 1 PC to 1 port rule and required that all networked devices have their MAC address registered with us to allow them to get onto the network. The primary reason for establishing this policy was user accounting (please understand the context that back then in the Philippines, bandwidth cost a premium), and there were a couple of users who were keen on sharing their connection.

Over time, we introduced wireless net[works because laptops were rapidly becoming a common item, and the conveniece of not being tethered appealed to a lot of residents. The typical network security measures were put in place (WEP + MAC address registration/filtering + hiding SSID), as well as isolating them from our core network.

In the end, this proved to be a popular hit with the residents, albeit at the expense of perceived security (my personal opinion). The compromise we came to was requiring residents to sign a waiver stating that because of the "inherent weaknesses" of wireless networks, the IT department would not be held responsible for damage to their computers and/or data. This may be a cop-out, but then again, majority of the people involved (both residents and staff) felt that this was a better approach than to be Big Brother 24x7.

As a side note, a big plus to the university officials was the significant cut in spending in structured cabling (for expansion) and its maintenance. That allowed us to focus on more meaty things, such as fiber upgrades, backup equipment, etc.

I think that hits the nail. There is no reason for the University to then not allow students to use routers or otherwise provide them with a wireless connection. Damn, by using a wireless setup we're saving them money for their research endeavors.

[ghporter]

Originally Posted by pheonixash

I think that hits the nail. There is no reason for the University to then not allow students to use routers or otherwise provide them with a wireless connection. Damn, by using a wireless setup we're saving them money for their research endeavors.

BUT the university needs to make sure that none of those wireless connections compromises the overall network. What ginoledesma was talking about was NOT letting any student that wanted to install a wireless router, but rather the school setting up a large and WELL CONTROLLED wireless network. Quite different.

I agree that schools will do well to assist students, and that it's cheaper in the long run to set up wireless networks, particularly ones that are well controlled and secure. But we're talking about bureaucrats who can't see past the ends of their fiscal noses, and such projects require a significant up-front investment with a relatively slow payoff.

And I still say that allowing students to connect wireless devices to a network without supervision and oversight is BAD for everyone.

[pheonixash]

Originally Posted by ghporter

BUT the university needs to make sure that none of those wireless connections compromises the overall network. What ginoledesma was talking about was NOT letting any student that wanted to install a wireless router, but rather the school setting up a large and WELL CONTROLLED wireless network. Quite different.

I agree that schools will do well to assist students, and that it's cheaper in the long run to set up wireless networks, particularly ones that are well controlled and secure. But we're talking about bureaucrats who can't see past the ends of their fiscal noses, and such projects require a significant up-front investment with a relatively slow payoff.

And I still say that allowing students to connect wireless devices to a network without supervision and oversight is BAD for everyone.

Originally Posted by me

We have wired connections in our dorm, but on request we can set up our own wireless networks, as long as it meets certain encryption requirements set down by the Office of IT.

I never suggested that students be allowed to set up random networks. I did say that they should be monitored by the IT department and conform to a certain standard. This is not really too mch to do. I'm sure the OP would be willing to an arrangement like that.

It's just that the University is not willing to co-operate with that either. THIS is clearly WRONG IMHO.

[m.p]

i've got the perfect thing for you. here's a link http://www.woot.com/Blog/BlogEntry.a...ogEntryId=1289 . you can't get them from that website anymore, but i'm sure you can find them on ebay or amazon or something. what they provide is basically a 900mhz connection based on a proprietary format (click on the discuss link to get more info). it'spractically impossible to hack, and won't be detected as it appears like a wireless phone. it's very safe. the only downside is, you'll have to plug your computer into it, which i'm guessing probably defeats your purpose.

[ghporter]

Detecting wireless is not the only way net admins can detect rogue wireless connections. It's gotta have a connection to the wired backbone to be useful, right? They CAN see that. Guaranteed.

Why not just go with the rules in place and ASK POLITELY for a review of the policy. Particularly since CONTROLLED AND MANAGED wireless will SAVE THE SCHOOL MONEY through reducing the requirement for physical infrastructure, and device access can be controlled and managed simply by allowing only authorized MACs to connect.. Note the emphasis... It's important to pitch things in the other guy's interest-it gets their attention better that way.

[tooki]

Perhaps, but in this case, it's clear that, at the very minimum, the network admin is years behind the times, and rather than catching up, is just preventing anyone else from entering the 21st century.

tooki

[ghporter]

Politics is what makes universities run-even dysfunctional politics. Sad but true.

[pheonixash]

Originally Posted by ghporter

Politics is what makes universities run-even dysfunctional politics. Sad but true.

You mean politics can actually perform in a non-dysfunctional manner?

[ism]

Originally Posted by tooki

Sorry, but I cannot for a split second support any view other than this: it's a computer resource admin's job to provide to its users the services they demand. Anything else is the tail wagging the dog.

tooki

Well f**k me, who'd have thought. I completely and utterly agree with something tooki has said.

[ism]

Originally Posted by ghporter

Politics is what makes universities run-even dysfunctional politics. Sad but true.

When I was at uni I think it was my strategic managment lecturer who said universities are one of the least political organisations that you can work in. I was shocked because I was actually awake in the lecture to hear that and also because it's so wrong. One of the reasons why I didn't want to do a PhD: I'd had enough of their sh*t. It always seemed like we were fighting the university just to get work done.

[ism]

Originally Posted by ghporter

Detecting wireless is not the only way net admins can detect rogue wireless connections. It's gotta have a connection to the wired backbone to be useful, right? They CAN see that. Guaranteed.

I've always wondered how much they can tell about what's at the other end though. How do they know it's a router and not a PC? Was the person mentioned by the OP spotted because they left the router's name set to some default like 'Linksys Router'. If they'd changed it to 'Bob's PC' would they have been spotted?

I got spotted at work having my mac on the network, but then it was blatantly advertised as 'My powerbook' (well not actually that name, but you get the picture). I always wondered had I named it similarly to one of the work PCs, i.e. a serial number like ULV1001456 whether I would have been spotted as quick.

[dimmer]

The MAC address is vendor specific, so by the first six digits of that we can tell who made it and infer the device type. You can also tell via simple probes things like what OS a device is running.

If your campus allows Macs to access it (wired) you can turn on software base station mode and they'll probably never know, as NAT gets the MACs out.

[ghporter]

AirPort Base Stations have a separate series of MAC addresses-it's VERY easy to tell someone is running one simply by looking at the MAC of what's plugged in. That tells the net admin everything he needs to know to swoop down on the user.