
Re: [school-discuss] What should school firewalls keep in/out?



Well, my school district is nice enough to block many ports.  Just off the top of my head here are the ones they currently block/filter:
22/tcp                          ssh
23/tcp                          telnet
25/tcp                          smtp
80/tcp                          http (filtered via Novell Proxy)
110/tcp                         pop-3
113/tcp                         auth
6667/tcp, 6666/tcp, 7000/tcp    irc
8080/tcp                        http-proxy
26000/tcp                       doom
(Also a random collection of filesharing ports: FastTrack network, Gnutella, Napster, etc.)
 
Now, I personally would like them not to block any of these ports, because no matter what they block, it is possible for a user to circumvent the blocking.  The only thing blocking ports does is create havoc for legitimate users of the network.  Now I will be a hypocrite and say that if the use of any one service is damaging network performance enough to create problems for other users, and it is not a legitimate use, then perhaps the admins should take action against the users that are using the network wrongly instead of creating havoc for legitimate users. For example, I use SSH extensively (better than telnet :) ) for connecting to my home server that I use for much of MyPHPSchools development.  However, because they block the port, I was forced to simply bind sshd to a higher port that is not filtered.  This just illustrates that for a legitimate use, I was forced to do something that most non-Open Source OS users would not be able to do for a legitimate use.  Another example: one of the teachers I know wanted to be able to check his ISP's email at school because he had his students send in an assignment to his ISP email address.  Because of my district's blocking of pop3 it was impossible to do this. (We can get into web-based solutions etc., but it was a hassle for a non-technical user.)
 
From my point of view as an end user, and also as the person who every 2nd period has to go help teachers with problems on their computers, I find port blocking does nothing but stop non-technical users from using the network as they normally would like to.  Even though port blocking may stop some wrongful uses on the network, any fairly competent computer user can bypass this by a myriad of methods.  I think it would be much better for network admins to monitor network traffic and, if a user is disrupting the network using a non-legitimate program, go after the user, and that will make people shape up. To see this, simply look at this quote from http://www.stac.org/projects.php?do=load&file=lbjwww.proj#objectionable
 

Solution to Tracking Objectionable Content
Another PERL script originally conceived by Peter Jensen, and rewritten by myself, implements an effective solution to limiting the amount of objectionable content students can obtain over the Internet at LBJ High School.
The script parses the output from squid and does a little bit of analysis on the content of the URL. If the URL is deemed objectionable, the script sends an alpha-numeric message to the pager of a network administrator. The message includes the time, URL, and computer the request came from. The script decides whether or not a URL is questionable by a configurable list of rules. The administrator can then confront the student, decide on the disciplinary action to be taken, and inform any relevant teachers of the situation.
The biggest benefit of this kind of solution is the word of mouth of the users. What we witnessed at LBJ was that as soon as we implemented this script and started to catch students looking at questionable material, other students started to get the idea that we closely monitor the web traffic. They really had no idea how we accomplished this, but what they did know was that if they were caught looking at objectionable content, they would lose their Internet access. This significantly and quickly reduced the number of pornographic- and violence-related web pages that people were viewing and forced the students to start using judgment about the relevance of their web-related activities to educational goals.

 
I think that is the best solution I have ever seen in schools, and wish it was implemented more often instead of blindly blocking ports.
 
-Paul Querna
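As an added example (not Paul's code, not the STAC/LBJ Perl script, and not part of the original post), here is a small Python sketch of the kind of rule-driven squid log monitor the quoted passage describes: it parses squid's native access.log format, runs each URL through a configurable, ordered rule list, and produces the time / client / URL alert the text mentions, trimmed to a pager-sized message. The log lines, client addresses, rule names and patterns are all constructed for illustration; a real deployment would tail access.log and hand the message to whatever paging or mail gateway the district uses.

```python
"""Rule-driven monitor for squid access.log, in the spirit of the quoted LBJ script.

Squid's native access.log line is space separated:
  timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
"""
import re
from datetime import datetime, timezone

# Constructed sample traffic: reserved example hosts and addresses, nothing here is real.
SAMPLE_LOG = """\
1043123456.789    120 10.0.0.15 TCP_MISS/200 4321 GET http://www.example.edu/lessons/math.html - DIRECT/192.0.2.10 text/html
1043123460.101     98 10.0.0.22 TCP_MISS/200 8812 GET http://games.example.net/doom/levels.zip - DIRECT/192.0.2.20 application/zip
this line is truncated and should be skipped
1043123465.555     45 10.0.0.15 TCP_HIT/200 1200 GET http://www.example.edu/images/logo.gif - NONE/- image/gif
1043123470.000    300 10.0.0.31 TCP_MISS/200 5123 GET http://relay.example.org:8080/?url=http://elsewhere.example/ - DIRECT/192.0.2.30 text/html
"""

# Hypothetical, configurable rule list: (name, pattern), checked in order; first match wins.
RULES = [
    ("game-download", re.compile(r"\.(zip|exe|wad)(\?|$)", re.I)),
    ("proxy-chaining", re.compile(r"^https?://[^/]+:8080/\?url=", re.I)),
    ("games-host", re.compile(r"^https?://games\.", re.I)),
]


def parse_line(line):
    """Return (timestamp, client, url) for a squid native log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return ts, fields[2], fields[6]


def classify_url(url, rules=RULES):
    """Return the name of the first rule whose pattern matches the URL, else None."""
    for name, pattern in rules:
        if pattern.search(url):
            return name
    return None


def scan_log(text, rules=RULES):
    """Run every log line through the rules; return alerts with time, client, URL and rule."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:          # skip malformed or truncated lines rather than crash
            continue
        ts, client, url = parsed
        rule = classify_url(url, rules)
        if rule is None:
            continue
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        alerts.append({"time": when, "client": client, "url": url, "rule": rule})
    return alerts


def format_pager_message(alert, max_len=120):
    """Alphanumeric pager text: time, client, rule, URL, cut to the pager's length limit."""
    msg = f"{alert['time']} {alert['client']} {alert['rule']} {alert['url']}"
    return msg if len(msg) <= max_len else msg[: max_len - 3] + "..."


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(format_pager_message(alert))
```

Timestamps are rendered in UTC so the alert is unambiguous when an admin later lines it up with DHCP or login records to identify who was at the workstation; the client address alone only names the machine.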