A head scratcher...monitoring student internet access.

By jefeolson
I got some really helpful information last time I posted here, so let's see what magic I can learn this time. Hopefully my post will make sense; I'm still kinda dazed from a nasty power failure related server crash today.

I'm working my first gig as the only IT for a small Christian college, and have only had to worry about network access for 30 staff. Soon we will complete a new dorm project that will allow us to give access to 150 students, which within 2 years will be over 300.

So my current mind boggling problem I have to solve by the end of next month or so:

The background:
New construction has allowed students to have internet access in their dorm rooms, on their own computers. We have a filter in place that will block objectionable content etc...but if something happens to slip by...repeatedly, habitually, constantly being accessed...(you get the picture) we (meaning my boss, meaning his boss...) want to know which student is accessing it and stop it.

The problem: Our current filter will track computer name and IP address or integrate with Active Directory and track login names.

No real easy way of tying computer names to students and I really don't want the added problem of having the students login to a domain.

My ideal way of solving this problem would be magic elves that fix it for me. But, in reality, I'm looking for something that:

A) Allows the college to track student internet use and tie that to a specific, unique identifier.
B) Does not require the college to add anything to the student computers.
C) Allows the student to essentially plug the network cable, turn on the computer and once it boots surf the internet without having to type in any sort of login name or password.

A) Is definitely a must.
B) This does not mean, configuration info, just no programs, logs, etc.
C) I'd like this to be reality, but I'm open to the fact that it won't be possible.

I know how I can accomplish this, roll AD to the dorms, bulk load student names, give "Power User" students permission to change passwords and unlock accounts (And have a VERY VERY simple password policy).

I've thought that through, but let's see some other ideas.

54 total posts (Page 1 of 6)

All Comments

yup, there is

by Jaqui In reply to A head scratcher...monito ...

a simple way to do it, use a traffic logger on the gateway device, which will map exactly which room each ip is in, if you note the wiring correctly.

most of the student's computers, if not all, will be running with dhcp, so either they will have to be given an ip number, or else you will need a dhcp server in the system. it's easier to use the dhcp server, though by assigning ip numbers it makes monitoring for prohibited content easier.

The students will have a copy of the policy that says their online activities will be monitored for "objectionable" content?
[ a copy of it signed in the school records is good as well, signed by the student naturally. ]

Brilliant!

by jefeolson In reply to yup, there is

Yes! Brilliant!

They will have to sign an internet policy as part of registration, along with other paperwork, so that's taken care of. In fact they already sign one, they do get some access through a library already so that is taken care of.

The plan is to run DHCP. Assigning static numbers was a thought, but it seemed impractical in the long run.

Jacks are already labeled by room and floor, and then that is noted on the punch panel, all I'll have to do is trace from the panel to the switch port. 4 jacks per room, so yeah, that works. Can at least narrow it down to 4 people, probably less, if there is a problem.

I'll see if I understand the process though, using a traffic logger I can back trace from the gateway back to the filter, back to the central switch, back to the local (dorm) switch to the dorm room. And with properly labelled jacks, know the specific jack that it came from.

Gateway->Filter->Central Switch->Dorm switch->Computer

I didn't even think of this. So simple.

What makes it even easier is the plan is to split each dorm into its own subnet.

Brilliant! Brilliant!

So much hassle averted!

Oh but wait a second...

by jefeolson In reply to yup, there is

Maybe I'm not understanding how this works...actually.

Ok let me set up the example and you tell me if I'm on the right track.

In room 123 a computer is plugged into jack A123.
Jack A123 plugs into port 23 on the main switch for the dorm. (...Which runs to my central switch, which goes to my gateway, which goes to my hardware filter and my logger, which goes to the firewall, which goes to the internet...)

But I know none of the above. All I know is that the computer with the host name IMCOOL and the IP address 192.168.0.10 is looking at www.whatwouldyourmothersayifshecaughtyouhere.com

How do I go from knowing the IP address (and MAC address as well) to knowing which exact port on my switch this request came from? (I think I figured it out all the way back to the switch, but I can't make the leap from having 48 ports to having the exact port.)

that is

by Jaqui In reply to Oh but wait a second...

where you have to start working with log files from the dhcp server, to find the mac address that got the ip, the ip was from traffic log.

Ah!

by jefeolson In reply to that is

...that caught the rat...all in the house that jack built.

So I think it clicked now.

The MAC is our unique identifier for each PC.
Hostname can change, IP can change but the MAC for all intents and purposes is static.

From my log file I see the IP address and MAC of the offender.

I go to my switch and look at the MAC address table and go "Ah ha! MAC 00:00:... is using port 6...[look at wiring map] and port 6 goes to jack 2A123."

MAC address

by dnuttall In reply to Ah!

Since MAC address is embedded in the hardware (really in the network card), why not take the ULTIMATE step in big-brother-watches-over-otherwise-adults and require that students register their MAC address when they sign their rights away to use the campus network?

You'll still have to do some reverse lookups from the DHCP logs, but you'll know quickly to WHOM the computer belongs.

Even more invasive would be adding technology that only allows authorized/known MAC addresses to obtain a valid IP address. I don't know if such a solution is practical or available, but it would advance your control and monitoring to a very high level.

Good luck.

best solution

by notoriousDOG In reply to MAC address

This way no one can say "I don't know who was in here with my roommate while I was gone. They must've plugged in a laptop."

Static DHCP

by Wally Bahny In reply to MAC address

Most DHCP servers offer a "Static DHCP" option which is set up using MAC addresses. Then, you just turn off the traditional DHCP. Unless the student registers their MAC address, they cannot access the network/Internet, and no foreign equipment can be used either.

save the DHCP logs

by Greybeard770 In reply to Oh but wait a second...

The IP address is good but in a DHCP environment that alone doesn't identify a computer in history. You need to have a process to show that an IP address visited an inappropriate site at date and time and then look on your DHCP logs (which by default rewrite every week) to show which MAC address had that IP address at that point in time. The DHCP MMC shows who has that address currently but isn't a promise for yesterday, even if the lease is a week.
I have a process that saves those DHCP logs for a month using system variables to include dates in the logs as they get rotated by day. I can share that if you are interested.
I don't have an answer for Johnny using Billy's computer, especially if they share a dorm room. That falls into the repeated patterns you need to define. And somebody will figure out that if they make their own static address (which they even change from time to time) they are off the DHCP records. Picking an address normally assigned by DHCP would be a problem for them but they could keep guessing until they get a good one.
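An added example, not part of any post in this thread: the lookup chain described above (filter hit with IP and time, DHCP log to find the MAC holding that IP at that moment, switch MAC table to port, wiring map to jack) as a small Python script. The log lines, MAC addresses, MAC table and wiring map are constructed sample data, and the CSV layout and event IDs assume the Windows DHCP audit log format.

```python
import csv
from datetime import datetime

# Constructed sample data. Layout assumed: Windows DHCP audit log CSV
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address).
DHCP_LOG = """\
10,03/01/06,08:15:02,Assign,192.168.0.10,IMCOOL,0011223344AA
11,03/01/06,20:15:02,Renew,192.168.0.10,IMCOOL,0011223344AA
12,03/02/06,09:00:10,Release,192.168.0.10,IMCOOL,0011223344AA
10,03/02/06,09:30:45,Assign,192.168.0.10,LAPTOP7,0011223344BB
"""
# Constructed switch MAC address table (MAC -> port) and wiring map (port -> jack).
MAC_TABLE = {"0011223344AA": 6, "0011223344BB": 23}
WIRING_MAP = {6: "2A123", 23: "A123"}

# Event IDs assumed: 10 = new lease, 11 = renewal, 12 = release.
GRANT, END = {"10", "11"}, {"12"}

def parse_leases(text):
    """Return time-sorted (timestamp, event_id, ip, host, mac) tuples."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 7 or row[0] not in GRANT | END:
            continue  # skip header lines and unrelated events
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        events.append((ts, row[0], row[4], row[5], row[6].upper()))
    return sorted(events)

def holder_at(events, ip, when):
    """Replay events up to `when`; return (mac, host) holding `ip`, or None."""
    holder = None
    for ts, eid, ev_ip, host, mac in events:
        if ts > when:
            break
        if ev_ip == ip:
            holder = (mac, host) if eid in GRANT else None
    return holder

def trace(ip, when, log=DHCP_LOG):
    """Filter hit (ip, time) -> MAC -> switch port -> wall jack."""
    holder = holder_at(parse_leases(log), ip, when)
    if holder is None:
        return None  # no lease on record: self-assigned address or rotated log
    mac, host = holder
    port = MAC_TABLE.get(mac)
    return {"mac": mac, "host": host, "port": port, "jack": WIRING_MAP.get(port)}
```

A `None` result is itself worth flagging: traffic from an address with no lease on record at that time points to a self-assigned static IP or to a log that has already been overwritten.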

Re: saving DHCP logs

by Understaffed In reply to save the DHCP logs

I would be interested in saving DHCP log assignments as you mentioned...
