
How do school networks work?



Prelude (skip if you don't want to know why I made this post)

Ok, well, I've been getting sick of all these posts saying "How do I bypass my school's filters?". I've been looking around, and have seen that on these forums there are some school administrators. Now, I'll say up front that I don't know how school networks work, but I'm going to ask.

http://hak5.org/forums/viewtopic.php?t=1029

http://hak5.org/forums/viewtopic.php?t=633

Now

Administrator questions

Ok how do school networks work?

How are they set up?

Are the filters in place for a reason? (a crappy question I know)

Student questions

Why in hell's name do you want to go to sites that are most obviously prohibited when you can wait 7 hours and go home?

Conclusion

STOP PUTTING NEW POSTS UP DAMMIT ABOUT HOW DO I GET AROUND MY SCHOOLS FILTERS!!!!!!!!

P.S. Sorry for the mad rush of capslock, I think it's needed.


I am one of the school admins of which you speak :P

How they are set up is a big question. The short answer is: it really depends on the school; where it is, how big it is, how much funding it has and how much the school's head/principal likes IT :wink:

The following is based ONLY on the networks I administer. It does not by any means apply to schools in other areas or countries.

The majority of school networks that I work on are split up into two parts: the admin network (as in the admin people who deal with the kids' files and the finances of the school, rather than network admins), and the curriculum network. For a small school, as most of mine are, there is a single server running Windows 2000 Server or Server 2003 for the admin network, and another for the curriculum network.

The reason for these networks being 'separate' is obvious (to me at least). There is no way any kids should have even the remotest chance of gaining access to the school's financial records, the students' records etc.

Admin Network

The admin network isn't of much interest to most people who ask about school networks, but here it is briefly anyway...

The admin network generally consists of around 3-10 machines depending on the size of the school. Everything is Ethernet and is usually (but not always) wired back to a switch located in the server room, rather than having a single cable running to a switch in the admin offices. The reasons for this are numerous, but usually focus around cost and speed. I.e. when ghosting/RISing all of the admin workstations from the admin server, it can be really slow having everything running down one or two bits of cat5. Also: it's often cheaper to run 5 cables than run 1 and buy a switch + 5 cables from there to the workstations.

The admin machines are usually running win2k at the moment, almost completely because the most common version of SIMS (the School Information and Management System) isn't too friendly with XP. New versions are being tested with XP machines at the moment, but it's a tedious process. It is pretty common practice for 'mission critical' systems to be running 'tried and tested' software. On a side note, an example would be that some banks still use NT4 clients, and still use programs written in COBOL in the 1980s for processing.

Curriculum Network

As mentioned, the curriculum networks in small to medium schools generally have one server. It's usually a little more powerful than the admin server, for one reason: more clients.

The schools I work in have between 30 and 100 workstations. A usual setup would be one or two IT suites, with 15-30 workstations, and one in each classroom, there being anything up to 30 classrooms. The clients are now almost completely Windows XP based. One or two schools that lack the funding of other schools still have some win2k clients that they can't afford to upgrade / replace.

The hardware for the workstations is kept as uniform as possible to make RISing (remote installation services) and ghosting (using Norton ghost) a lot less troublesome.

Again, the workstations are almost always wired back to a switch (separate from the switch on the admin network) in or near the server room. IT suites are usually situated close to the server room, but if they're not, there is often a switch in the IT suite that has a connection back to the main switches in the server room.

Restrictions and Filtering

The restrictions and configuration on the local machines (such as disabling display properties, control panel etc) are almost always done with Group Policies. Group Policy is a massively powerful thing, and incredibly useful. It's used to distribute software in the form of MSIs, distribute new settings and restrictions... pretty much everything apart from changing the screen resolution and colour depth :evil:

Sorry... that's my annoyance of the minute :P

Internet filtering is a weird one. For the schools I work in, they are all on a big network set up by Telewest. Filtering is done off site, and as a network admin, I have no control over it. Both the admin and curriculum switches are connected to a little box called a cache box. It's basically a purpose-built PC in a box that acts as a firewall and web proxy/cache server.

Schools are almost always set up so that the only way to the net is through the cache box. That stops people from hacking about and just removing the proxy server from the internet settings to get unrestricted net access. In general, all but the essential ports are kept closed in both directions.

As for the question about whether the filters are in place for a reason: the answer is YES! To try and keep it brief (I'm not good at that ;) ), a kid getting onto porn can mean a teacher getting into trouble from their superior, and also myself getting into trouble for not keeping things locked down... at which point I call the filtering company and shout at them, but never mind that. One thing to think of is that not all the kids that end up on porn or snuff sites are there deliberately. A big part of having the filters is to help protect the "point and clickers". I had one little girl searching for Dracula for a class project the other day that ended up on a goth dating site, and another seriously shocked young man that had been searching for "game boys". So yeah, the filtering isn't perfect, but it's better than nothing.

Another reason for the web filtering is: kids aren't always the ones at fault. I got handed a teacher's laptop to fix a few weeks ago that had about 90 pieces of spyware and 3 gigs of porn on it. Good job it actually belonged to them and not the school, really.

I'm tired of typing for now... but if anyone has any specific questions other than "how do i get on myspaz LOL?", feel free to ask and I'll try to answer as best I can. I'll try to update this humongous chunk of text with anything I feel is important or interesting :P


Student questions

Why in hell's name do you want to go to sites that are most obviously prohibited when you can wait 7 hours and go home?

Most students are so freaking obsessed with myspace (I am not one of them) and can't go 7 hours without myspace... and they are so obsessed with poorly made flash games that they enjoy playing during lunch and class... instead of learning like they are supposed to. And it's annoying when they are all on the student server slowing down everyone who actually cares about using the school computers for what they are meant for.

hey barrytone, here's a question

is it connected to the net?

are you able to open command prompt or to bypass the block with a cmd

or by force opening run with notepad 2?

locked up winchat.exe and net send (fav to students)?

does your network have the ftp locked? (because that's the fav thing I use on our school's network :P I just upload stuff to my server at home and download at school, and backed all my study stuff up on my server (because we had to delete them and will definitely get the same exercise at the exams :P)


Plus sometimes the filters are really bad. At the college I went to I remember we were supposed to be researching various network types, and when trying to go to this article I got a page saying it was blocked. Of course I could get around it using the web proxy with TLS I had, but most of the people in that class weren't that tech savvy (despite it being an IT class), so it could have actually affected their ability to do their work. So sometimes there are legitimate reasons to want to get around web filters.


So sometimes there are legitimate reasons to want to get around web filters.

I agree! That is, in fact, one of the main reasons I dislike offsite filtering.

hey barrytone, here's a question

is it connected to the net?

are you able to open command prompt or to bypass the block with a cmd

or by force opening run with notepad 2?

locked up winchat.exe and net send (fav to students)?

does your network have the ftp locked? (because that's the fav thing I use on our school's network :P I just upload stuff to my server at home and download at school, and backed all my study stuff up on my server (because we had to delete them and will definitely get the same exercise at the exams :P)

I'm not sure I understood all of that, but I'll do my best to answer :)

It is connected to the net, yes. But because the network's only physical connection to the internet is through the cache box, there is no way to bypass it. You could crack your way into it and change the IP tables to allow whatever you want, but otherwise, you're a bit stuck. I'm not sure what you're referring to with the notepad thing though.

winchat has been removed, and the services required for both winchat and net send to run are disabled.

As for ftp: it isn't disabled unfortunately. We're looking at a good way of blocking access for any students or teachers, but still allowing the system and admin accounts access.

"We're" is the company I work for, if you're wondering :P

Wow... you're in the Hacks subforum FAQ (due to be released)...

Awesome, thanks!

I'll be sure to check my spelling and neaten things up a bit for ya :)


I am another sysadmin I am sure you are referencing. I oversee 5 schools and their respective networks. Thanks for being kind enough to clearly think your question over.

Answers

Administrator questions

Q. OK how do school networks work? How are they set up?

A. As barrytone stated, it is difficult to explain this without keeping in mind the cost and size of a school. Simply put, each school does things differently.

We have at least one server which runs as a Windows domain controller in each building. I'll explain our High School setup, as it is the one that has the biggest setup.

We have 2 Windows 2000 Active Directory servers utilizing Group Policies to manage almost everything, including proxy settings (which makes it hard for students/teachers/guests to change the settings).

We use one domain but heavily rely on groups and deny permissions on staff folders.

Everything is connected through network switches via cat 5e cabling, although we are getting ready to implement a couple of wireless routers.

Basically through the use of Group Policies, our client computers are locked down enough to not allow very many things to run without us knowing about it.

All student/staff computers are imaged with a master image that allows us to keep everything as identical as possible.

In our router/firewall, we specifically block all outgoing ports, including port 80, 443, ssh and ftp ports except from our proxy/filter and other servers. They're the only IP addresses that have access through everything.

So effectively without using the filter/proxy server the client computer doesn't have network access past the local LAN.

This setup does add some headaches, such as updates, but we utilize a tool similar to GFI LanGuard (I don't recall the name ATM ;) ) that resides on the server. This tool allows us to download all of the updates for MS products and push them out to the client computers. We check on the updates at least once a month (unless we hear of an important update that must be applied sooner).

Another thing we do is set up the BIOSes to boot from anything other than the local c: drive. If/when we need another method, we specifically get into the password-protected BIOS and set up a temporary boot priority change.

Q. Are the filters in place for a reason? (a crappy question I know)

A. First, it's not a crappy question. If more people asked this question we could effectively answer it fairly well. So the answer is yes, filtering is in place for several reasons. For schools in the United States to receive special funding, we must filter and protect students from inappropriate materials on the Internet. This is a little law called CIPA, or the Children's Internet Protection Act.

Prior to this law, schools were not forced to use filtering, but were strongly encouraged to.

Another reason that filtering is used is that, regardless of a specific law, it is our duty to protect children while they are on school grounds. The computer is just another tool, just as a book or educational magazine is. A school wouldn't provide a student with a Playboy magazine, so why would we want to provide access to that web content online (either through Playboy or any other source)?

Yet another reason we filter Internet access is to try to manage bandwidth. If just one student was surfing the web and playing stupid videos or bandwidth-hogging games it would be so bad. The problem is that it's not usually one student or other user needing access to the Internet, and we must be able to provide that service as needed.

Example. If I stream the Hak5Radio show I am using roughly 128kbps for one connection. This isn't bad.

If 12 people connect to the Hak5Radio stream that is immediately 1536kbps or roughly equivalent to one T-1 line. This then basically means that no one else can get online and do anything else period if all that is owned is a single T-1 line.

Student questions

Q. Why in hell's name do you want to go to sites that are most obviously prohibited when you can wait 7 hours and go home?

A. Even though I am not a student, I can answer a portion of this. Part of the reason for trying to get around a filter is to be curious and rebellious. Curious because children of all ages want to know how others around them are feeling and dealing with life. It's a basic need for humans to actually want to communicate. Example: remember when you were little -- you probably sat next to a busy road and moved your arm up and down when a semi truck drove by in the hope that they would honk their horn for you. It's one method of reaching out and realizing that you are not alone and that the world is really big. In retrospect, as you get older, you tend to realize that the world is really a small place since most of us never really step too far out of our comfort zones.

Rebellious because as humans we hate to be told we can't do things. We are always trying to prove otherwise, regardless of history. If being rebellious wasn't part of it, there almost would be a discussion on this subject.

Conclusion

STOP PUTTING NEW POSTS UP DAMMIT ABOUT HOW DO I GET AROUND MY SCHOOLS FILTERS!!!!!!!!

Comment on this comment: I actually have to thank those who post these sites, because as an admin I can check and verify if my filters allow or deny access to them before most of my students actually get them and get around the filter.

Other questions by DLSS (while not directed to me I think I'll add to it) BTW: You really should have put some thought into asking the questions better.

Q. hey barrytone, here's a question: is it connected to the net?

A. Obviously every computer at a school is connected to the Internet in one way or another, otherwise there would be no reason to filter.

Q. are you able to open command prompt or to bypass the block with a cmd

or by force opening run with notepad 2? locked up winchat.exe and net send (fav to students)?

A. We block the command prompt and have the services for net send and winchat disabled. For a short period of time that was open, but after I saw it being used (abused) for about a week, it stopped. Basically Notepad is not needed for student-based computers (yes, there are other ways of creating and editing text files, but it's a stopper for most).

Q. does your network have the ftp locked? (because that's the fav thing I use on our school's network, I just upload stuff to my server at home and download at school, and backed all my study stuff up on my server (because we had to delete them and will definitely get the same exercise at the exams)

A. Yes, we block FTP, along with many other services (read the earlier portion of this post). Effectively we block all ports on the site firewall and only allow access through the proxy/filter. This is not a 100% fool-proof method of filtering, but it goes a long way to help deter students and staff from bypassing our filters.

-Manuel
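The egress policy Manuel describes (all outbound ports dropped at the site firewall, proxy/filter and a couple of servers excepted, clients pointed at the proxy by Group Policy) can be written down as a small policy model that a ruleset change can be checked against. This is an added example, not code from the thread or from any school's actual firewall; the subnets, addresses and the proxy port are constructed placeholders.

```python
"""Policy model of a default-deny school egress firewall: only the proxy/filter
and a couple of servers may talk to the outside, clients reach the web only
via the proxy. All addressing below is constructed for the example."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.20.0.0/16")          # constructed: client and server LAN
PROXY = ipaddress.ip_address("10.20.1.10")          # constructed: proxy/filter box
UPDATE_SERVER = ipaddress.ip_address("10.20.1.11")  # constructed: server that pushes MS updates
EGRESS_ALLOWED = {PROXY, UPDATE_SERVER}             # the only hosts allowed out
PROXY_PORT = 8080                                   # constructed: port Group Policy points clients at


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def egress_decision(flow):
    """Decide a flow crossing the site firewall. First match wins:
    1. LAN -> LAN traffic stays on the switches; allowed.
    2. A trusted egress host may reach any outside host and port.
    3. Anything else bound for the outside is dropped, web/SSH/FTP included.
    Returns (verdict, reason).
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in LAN and dst in LAN:
        if dst == PROXY and flow.dport == PROXY_PORT:
            return ("allow", "client to proxy")
        return ("allow", "local LAN traffic")
    if src in EGRESS_ALLOWED:
        return ("allow", "trusted egress host")
    return ("deny", "default-deny egress")


# Constructed flows: the intended path, three direct-to-Internet attempts
# and the servers' own traffic.
SAMPLE_FLOWS = [
    Flow("10.20.5.23", "10.20.1.10", 8080),    # client -> proxy, the intended path
    Flow("10.20.5.23", "198.51.100.7", 443),   # client straight to an outside web server
    Flow("10.20.5.23", "198.51.100.7", 21),    # client straight to an outside FTP server
    Flow("10.20.5.23", "198.51.100.7", 22),    # client straight to an outside SSH server
    Flow("10.20.1.10", "198.51.100.7", 443),   # proxy fetching on the client's behalf
    Flow("10.20.1.11", "198.51.100.9", 80),    # update server pulling patches
]


def denied_flows(flows=SAMPLE_FLOWS):
    """Return the flows the policy would drop; handy as a regression check
    whenever the real ruleset is edited."""
    return [f for f in flows if egress_decision(f)[0] == "deny"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = egress_decision(f)
        print(f"{f.src:>12} -> {f.dst}:{f.dport:<5} {verdict:5} ({reason})")
```

The model is the specification, not the firewall: the point of keeping it beside the real ruleset is that each of the sample flows can be replayed against both, and a client flow that the model denies but the firewall passes is a misconfiguration to fix.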


Another thing we do is set up the BIOSes to boot from anything other than the local c: drive. If/when we need another method, we specifically get into the password-protected BIOS and set up a temporary boot priority change.

Did you mean that you change the boot order to only boot from the local C:, rather than anything other than the local C: ?

We are always trying to prove otherwise, regardless of history. If being rebellious wasn't part of it, there almost would be a discussion on this subject.

Did you mean that there would almost certainly not be a discussion on this topic?


I'm not a sysadmin for my school district, but I have worked with them in my 7th and 8th grade years... This year, the school district took the servers out of the school and just left 1 server to connect to the servers at the Technology Center.

There they have, I believe, 4 domain servers that you can see in Remote Desktop: the CISD, Student, Employee, and their website. Then they have 3 servers running Terminal Services for the thin clients and some PCs, and we use Remote Desktop to connect to them since they haven't integrated Active Directory into the desktop PCs.

This is the diagram of how they have their WAN set up. http://www.conroeisd.net/slcfund/diagram.htm

That's all I can remember of it for now... lol


Everything is connected through network switches via cat 5e cabling, although we are getting ready to implement a couple of wireless routers.

What safeguards (client applications, encryption, etc) do you plan to implement when these are added to the network?

I'm sure you've seen the other hack-vidcasts that show how to crack WEP (thanks horza) in a short amount of time and I'm curious as to what you think will happen once these are in place and whether they're a 'smart' addition to your network.

Probably the last thing you want is a tech-savvy teen hanging out after school in the library with his laptop, booting a copy of knoppix-std and cracking the wifi network.


I'm sure you've seen the other hack-vidcasts that show how to crack web keys in a short amount of time and I'm curious as to what you think will happen once these are in place and whether they're a 'smart' addition to your network.

Web keys? You mean WEP? Well I would guess they would use WPA rather than WEP, which is much harder to crack (unless they use a poor PSK or something, although I doubt they would use a PSK unless it's a small school).


Okay, I'm not a sysadmin, but I did ask the network admin at my school how ours was set up, and we have a relatively big school district. In the district office is the main server room, and in each school (except high schools, which have a room for servers) there is a server for that school in the computer lab. That's all the information he gave me though.


Or they would use WPA on a segregated wireless network connected to a VPN server, so that even *if* you were able to somehow bypass the WPA security you would still need credentials to connect to the VPN, and thus the rest of the network.

Yes, we are planning on using WPA with VPN back to our servers. Security IS the #1 priority in our minds. The wireless routers will sit on the outside of our school-level firewall.

Basically, because our firewall is set to block all ports except from our servers, even if they cracked the wireless side, they don't get Internet access or access to anything at that point.

As for encryption, we also use Kerberos-enhanced servers, which adds another layer of security to and from the server.

All directories on the servers that contain staff files have explicit deny entries in the ACLs and Guest access is completely turned off (as much as possible).

I should also note that each school is set up with the same basic principle, then through the use of VPN tunneling all are connected through a wireless MAN (or WAN if you will). At that point we have yet another firewall that has additional firewall rules that prevent access to unwanted services.

So in essence each school has its own firewall, but is then connected to a centralized firewall, then out to the Internet. If by the off chance someone gets past the first firewall, it makes it that much harder for them to get around our second layer. We also use software firewalls directly on our file servers, preventing cross-network connections unless specifically allowed.

As I also said, we have syslog servers (which actually reside on the common side of the district MAN). These are simply there to log misc info so that we have logs of stuff. It does become troublesome to track it all down if/when we have a problem, but it has helped prove our case in an instance of trouble or two.

As to other comments/questions:

moonlit wrote:

Did you mean that you change the boot order to only boot from the local C:, rather than anything other than the local C: ?

A. Yes, that is what I meant. It in no way stops the determined individual, but it stops most of the general people.

moonlit wrote:

Did you mean that there would almost certainly not be a discussion on this topic?

That's exactly what I meant.

I proofread everything once or twice, but when it's 1 am and you've had a long day configuring a Mac OS X Open Directory server that didn't want to cooperate well, these mistakes are acceptable, or so I would think. :wink:

-Manuel

BTW: This is a good attempt at social engineering. While I am not providing every detail, it is enough that a social engineer could have fun ;).
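Manuel's design leans on two things the syslog servers can show after the fact: LAN clients that tried to reach the Internet directly instead of through the proxy, and hosts on the wireless segment (outside the school firewall) that tried to reach the LAN without coming in through the VPN. The script below sifts firewall DROP records for both. It is an added example, not code from the thread or from any school's logging setup; the log format, interface names, addresses and the "repeat offender" threshold are all constructed for the example.

```python
"""Sift firewall DROP records collected on a syslog server for LAN clients
attempting direct egress (proxy bypass) and for wireless-segment hosts
probing the school LAN. Log format and every line below are constructed."""
import re
from collections import Counter

# Constructed interface roles; the thread names none.
LAN_IF, WAN_IF, WIFI_IF = "eth1", "eth0", "wlan0"

# Matches a constructed, netfilter-like record: verdict, interfaces, addresses, port.
RECORD = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=(?P<iface_in>\S+) OUT=(?P<iface_out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

# Constructed syslog-style lines, not real school logs. The last line is an
# unrelated sshd message to show that non-firewall lines are skipped.
SAMPLE_LOG = """\
Jun 14 10:02:11 school-fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.5.23 DST=198.51.100.7 PROTO=TCP DPT=443
Jun 14 10:02:12 school-fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.5.23 DST=198.51.100.7 PROTO=TCP DPT=443
Jun 14 10:02:13 school-fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.5.23 DST=198.51.100.7 PROTO=TCP DPT=21
Jun 14 10:05:40 school-fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.7.8 DST=203.0.113.5 PROTO=TCP DPT=80
Jun 14 10:07:02 school-fw kernel: DROP IN=wlan0 OUT=eth1 SRC=172.16.0.40 DST=10.20.1.10 PROTO=TCP DPT=8080
Jun 14 10:07:03 school-fw kernel: DROP IN=wlan0 OUT=eth1 SRC=172.16.0.40 DST=10.20.1.5 PROTO=TCP DPT=445
Jun 14 10:07:05 school-fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.1.10 DST=198.51.100.7 PROTO=TCP DPT=443
Jun 14 10:08:00 school-fw sshd[412]: Accepted publickey for admin from 10.20.1.2
"""


def parse_records(log):
    """Yield one dict per firewall record; lines without a record are skipped."""
    for line in log.splitlines():
        m = RECORD.search(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            yield rec


def direct_egress_attempts(log=SAMPLE_LOG):
    """Count dropped LAN->WAN packets per source: clients that ignored the proxy."""
    counts = Counter()
    for rec in parse_records(log):
        if rec["action"] == "DROP" and rec["iface_in"] == LAN_IF and rec["iface_out"] == WAN_IF:
            counts[rec["src"]] += 1
    return counts


def wireless_probes(log=SAMPLE_LOG):
    """List dropped attempts from the wireless segment into the LAN, i.e. hosts
    that got onto the WLAN but did not come in through the VPN."""
    return [(rec["src"], rec["dst"], rec["dpt"]) for rec in parse_records(log)
            if rec["action"] == "DROP" and rec["iface_in"] == WIFI_IF and rec["iface_out"] == LAN_IF]


def repeat_offenders(log=SAMPLE_LOG, threshold=3):
    """Sources with at least `threshold` direct-egress drops (constructed threshold);
    a workstation whose proxy settings deserve a look."""
    return sorted(src for src, n in direct_egress_attempts(log).items() if n >= threshold)


if __name__ == "__main__":
    print("direct egress attempts:", dict(direct_egress_attempts()))
    print("wireless -> LAN probes:", wireless_probes())
    print("repeat offenders:", repeat_offenders())
```

A single dropped packet from a client is usually a misconfigured application rather than anything deliberate, which is why the summary counts per source and only surfaces sources above a threshold; the wireless-to-LAN list is kept unfiltered because, with the VPN as the only sanctioned path, any such packet is worth a look.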


Student questions

Why in hell's name do you want to go to sites that are most obviously prohibited when you can wait 7 hours and go home?

Well, for most people they try to get to the site to play games and such, but for me getting past the school's network is a game.

--They block sites

-I start putting a . at the end of the url

--They block that

-I start using proxies

--They block proxies

-I find the post about alevelwork.com

--I win that round

On Friday I topped myself and got into the C: drive; now I can install MSN, Firefox, an SNES emulator, whatever I want. Today was the end of the year, but god, I'm going to have some fun next year.

P.S. Sorry, but I'm not going to say how I got into the C: drive; people start misusing it, then it will end up being patched.


I don't think that someone is going to come to my school and damage the network. My school's computers are in pretty high lockdown; I would think that some people on this forum have a school like mine. At my school you can only run programs that are from the C: drive, everything else is blocked, we can't even right click. By being able to run any program I have given myself some nice power and I don't need it falling into the wrong hands.

Example: at the start of this year they had an account called the WHMIS account. Someone discovered that you could open cmd on this account. This information falls into the wrong hands and suddenly computer labs are being completely shut down by remote. Later the WHMIS account is removed from every school's network in my district.


But my point is, if no one at your school would know about it, how would it affect your school? Or are you saying the access to the C: drive is via a vulnerability in some software which is widely used in schools, which you don't want to be patched? (This doesn't affect me personally, by the way, I'm not in school.)
