Sage Server with no internet access, need a creative solution

[QueOnda]

You could have it setup up through a bluetooth modem. Bluetooth dongle, your daughters cell phone. Then set up the server to call only at night time when the phone is around.

The only problem is getting a cheap or free modem internet number to be reliable.

[sainswor99]

Quote:

Originally Posted by QueOnda

You could have it setup up through a bluetooth modem. Bluetooth dongle, your daughters cell phone. Then set up the server to call only at night time when the phone is around.

The only problem is getting a cheap or free modem internet number to be reliable.

Do you even have to do that anymore? Can't she just use the data sharing plan on her phone? I can do that with my laptop and phone, but the phone has to be connected via USB.

just wondering aloud.

[briands]

Of course... she could just use placeshifter on her laptop and you could set up her server at your house!

[reggie14]

Quote:

Originally Posted by CollinR

I would simply add a wireless PCI card to the server and have it supply the laptop wirelessly. Lock that puppy down though.

Actually, I wouldn't recommend this approach. The school probably has a no-wireless policy. Both colleges I attended actively hunted down rouge APs and turned off the jacks to rooms when they found offenders. It didn't matter what kind of security protections they had (e.g. encryption, MAC filtering, SSID broadcast disabled, etc).

Quote:

Originally Posted by sleonard

Will she have any roommates? Do all of them have a PC? Just have one of the roomies register the Sage machine under their name.

Have you seen college dorm rooms these days? I think it's gotten to the point where 90% of college students have computers. It's probably even higher at private colleges, where the cost of a computer is pretty trivial compared to a year's tuition.

Quote:

Originally Posted by mickp

If I were trying to be a network fascist the first thing I'd do is implement 802.1x authentication per port. It wouldn't suprise me if this is how the bradford client works given what's been mentioned about dynamic vlan support.

They probably are doing something like this, but really the Bradford client isn't as much about restricting access as it is about verifying that anti-virus software is up to date and updates are installed.

Quote:

Originally Posted by mickp

If this is the case then it could be difficult to have it work with a nat device. The client may also pull nasty stunts (like the cisco vpn client) to disable all additional network interfaces .

I'm no expert when it comes to 802.1x, but it doesn't seem like it should matter. It seems like if you put a PC on the DMZ portion of the router and clone the PC's MAC address on the router, the 802.1x authentication will just occur on the PC. After authenticating, the network restrictions would be lifted on the router and anyone would be able to go through the router to access the network, since no authentication is performed on the actual data packets.

You sound knowledgeable about this. Is there some reason why that wouldn't work?

[wazkaren]

Quote:

Originally Posted by briands

Of course... she could just use placeshifter on her laptop and you could set up her server at your house!

That would be sweet, except Time Warner upload speeds are so slow from my house that it doesn't work very well.

Greg

[Menehune]

Could you connect the sage server to the laptop via a Firewire or USB connection? IIRC, XP allows ICS on FW connections.

[mickp]

Quote:

Originally Posted by reggie14

I'm no expert when it comes to 802.1x, but it doesn't seem like it should matter. It seems like if you put a PC on the DMZ portion of the router and clone the PC's MAC address on the router, the 802.1x authentication will just occur on the PC. After authenticating, the network restrictions would be lifted on the router and anyone would be able to go through the router to access the network, since no authentication is performed on the actual data packets.

You sound knowledgeable about this. Is there some reason why that wouldn't work?

Just a hunch more than anything. So far as I know 802.1x works on the datalink layer of the osi model. This is before we know whether a frame contains IP, netbeui, etc. I don't think the ip router will forward the frames onto the dmz as there's no ip information there.

Mick.

[reggie14]

mickp-

Ahh, OK. I think you're right then. I can't think of any reason a NAT router would pass those frames on to the DMZ, except to facilitate this "attack" on 802.1x.

With that in mind, I don't think the OP would be able to hook up a router to the network (at least, not without modifying the firmware on the router). So, I guess he's stuck trying to do something like ICS, which may or may not work depending on the bradford client.

Some geek at the school really ought to try modifying the DD-WRT firmware to pass on 802.1x messages to the DMZ. It seems like that would do the trick. It would actually make an interesting class project for an undergrad. I don't think it would be terribly difficult.

[mickp]

Quote:

Originally Posted by reggie14

mickp-

Ahh, OK. I think you're right then. I can't think of any reason a NAT router would pass those frames on to the DMZ, except to facilitate this "attack" on 802.1x.

With that in mind, I don't think the OP would be able to hook up a router to the network (at least, not without modifying the firmware on the router). So, I guess he's stuck trying to do something like ICS, which may or may not work depending on the bradford client.

Some geek at the school really ought to try modifying the DD-WRT firmware to pass on 802.1x messages to the DMZ. It seems like that would do the trick. It would actually make an interesting class project for an undergrad. I don't think it would be terribly difficult.

Yep. There's bound to be some code around for bridging. It may be something that could be done without any update on something configurable like a wrt.

Mick.

[reggie14]

Here's a way of setting it up that would probably work, depending whether the school does contact monitoring using the client, or just scans every few days (it probably only works with the latter). First, you need a hub and a router. You clone the MAC address of the laptop on the router, and plug BOTH the router and the laptop into the hub. This is sort of breaking one of the big rules in networking, but it doesn't cause any serious problems. Then, you use the laptop to authenticate to the network. After getting access, you disconnect the laptop from the hub, and connect it to the router. At this point, the router, and everything behind it, will just look like the laptop. Then it should work into the Bradford manager decides it needs to phone in with the bradford client. At that point you'd probably need to disconnect the laptop from the router and reconnect it to the hub.

Of course, now we're getting into a area where things might be detectable, depending on what the bradford client is doing. What I described above is really more of an attack on 802.1x authentication. Depending on what the Bradford system actually uses it might not work at all, or maybe just simply cloning the MAC address and placing the laptop on the DMZ would work.

In any case, I can't figure out why they wouldn't want you putting switches on the network. It seems like their system would work fine with switches, although the use of a switch would be very easily detected. Maybe you'll find that the IT staff doesn't actually care about switches, they just don't want people trying to hook up NAT routers.

[wazkaren]

That's an interesting idea, but I don't picture my daughter doing the cable switching. Since she only needs to get the Sage access to the network about once a week I think this might be more than she needs. This whole thread makes me wish I was there so I could experiment with it, sounds like fun. Next time I'm up there for a visit I will just try the switch and see what happens. I'm just curious, what is it about the switch that makes it so easy to detect?

Is there such a think as a KVM but for ethernet? So a box that she could plug both computers into and have a manual switch to select which is actually connected to the wall? That way the switch could be up on the table and she could just turn the switch one night a week. I tried Googling for it but it kept turning up KVMs that just transmit the signals over ethernet and are very expensive.

Greg

[QueOnda]

post 21 & 22 could be an option. If you get a cell phone charger which has a USB, it would charge the phone + you can either force it to update using Neim's webserver addon or set it up to dial out automatically.

Does the computer have a modem? If so, could you dial out just to download the guide once a week?

[wazkaren]

She doesn't have a data plan on her cell phone. Wouldn't that be expensive? I've never priced it out so I really don't know.

And her roommate is using the other data port.

[QueOnda]

Quote:

Originally Posted by wazkaren

She doesn't have a data plan on her cell phone. Wouldn't that be expensive? I've never priced it out so I really don't know.

And her roommate is using the other data port.

If you don't have a data plan, you can use the phone as a modem. Some DSL companies (if you have one) gives you a free dial up number. Or you can get a cheap dialup internet. You can use the computer to either connect to the phone via blue tooth or usb connection.

Here's an explanation on usb dongle: http://www.moonsidermobile.com/how-t...it-as-a-modem/

This will use minutes. But you can do this after hours when most plans are free.

don't know if these free internet sites will work: http://www.freecenter.com/dialup.html

[Menehune]

Quote:

Originally Posted by wazkaren

...Is there such a think as a KVM but for ethernet?

Something like this RJ45 switch?

[wazkaren]

Ah yes, that's what I was looking for. And a reasonable price. This will be a good temporary solution. Thanks!

Greg

[reggie14]

Quote:

I'm just curious, what is it about the switch that makes it so easy to detect?

A NAT router hides all the computers that are behind it. They'd all look like a single machine, since the NAT router modifies all outgoing messages to look like they are coming from the same source. Switches don't work that way. Each machine behind the switch would ask the school's DHCP server for an IP address. It would be easy for the school to see that there are multiple machines operating from a single ethernet port.

I can't decide whether I think they would be blocking switches. I've seen some things online that suggest they would, and I've seen others that suggest they wouldn't. If they don't block switches, you'd have to register the MAC address of both machines prior to connecting them to the switch (well, you might not have to, but you should). If the school's registration system doesn't let you register multiple devices (they probably do), you might have problems.

But, I was just doing some research and found a couple of interesting things out. First, it turns out my undergrad college started using Bradford Campus Manager during my senior year. It was actually really easy to get around- simple MAC cloning worked just fine. But, we didn't have to use a persistent client (they did network scanning instead). That could really screw things up for you. Still, you might want to try cloning the laptop's IP and putting in the DMZ of a router. It might work. But, it look's like Campus Manager is using 802.1x, based on some whitepapers I read, so it probably wouldn't work.

I also looked at Utica's website and found something interesting. They let you add gaming consoles to the network. This is interesting for two reasons. First, it implies they know people are going to be putting multiple devices on the network. How would this be possible if each student is only allowed 1 device per ethernet port (I suppose they could make you decide between a computer and a gaming console, but probably not)? So, I assume they're OK with switches. Even if they're not, it still means they have to have a way of registering gaming consoles. Typically this involves giving them the MAC address of the console. It makes me wonder how much trouble they go to to make sure the device you're registering is actually a gaming device. It might just be a MAC check (ie checking that the MAC address is in the proper range for a given device). If that's the case, you could clone a MAC address of, say, a Playstation 3, and claim your router is a PS3. Might work, might not. It's possible they do a scan of the device before letting it on, somehow checking that it is what it says it is.

Perhaps more interesting is that I found one school website that claimed Campus Manager supported "properly configured" routers brought in by students. I find that a little hard to believe, but maybe it's true. It seems like once you plug in a router though all bets are off when it comes to restricting network access. They might be talking about using the router like a switch, though. I wouldn't be surprised if switches are OK.

So, definitely talk to the IT people. I'm getting more and more convinced that their anti-switch/hub policy is really an anti-router policy misnamed. And if not, I think there are a lot of things you could have fun trying. I've seen at least one report saying that a variation of the DMZ approach works. I wish I could try this myself. We're going to be moving to 802.1x authenticated ports at work soon, and I think I'm going to try bypassing that with a hub and router for fun. But that's only half of your problem.

[wazkaren]

So is it just that both computers could be accessing the net at the same time that makes a switch detectable? Since Sage will only grab a small amount of data every 24 hours and if it updates the EPG in the middle of the night when she's asleep then both computers will not be accessing at the same time. Somehow I suspect it's not that simple. I'm probably showing my networking ignorance here. Their policy does state that you can use multiple computers, but only one at a time. I know when I was there I connected her laptop and could access the net. Then I swapped the cable to the sage PC and could access there also. So maybe a switch would work. I will definitely try the switch next time I visit the college.

For the game consoles, I saw that too. But I thought I read that they had specific gaming servers setup for them. But I might be mistaken about that.

I talked to my daughter last night. She said she doesn't mind switching the cable between the two computers so much. What she would really like is to get rid of the monitor on the sage PC and just use the SageClient from her laptop. My original plan was to do this with a switch. And use Remote Desktop from the laptop to the sage if anything was needed to be done at the sage PC (like log into the college network). But the switch is probably just a dumb device isn't it (Netgear FS105) . If she's using SageClient and talking to the Sage Server would the switch be smart enough to route the net traffic directly to the other port on the switch without going out on the net? Probably not I would guess.



Greg

[bluenote]

First: pretty much all things are detectable, especially when we start talking about running software clients on your side of the dividing line. The real question is .. what is detectable with a reasonable amount of effort (read: automatically) which comes down to .. what does the management software allow the IT department to check for.

I second the motion for starting a dialogue with the IT department. At the very least, you can get an idea of their motivations, how ferocious they are, and what the consequences may be for violating their policies. If you're lucky they will talk you through getting what you want.

Beyond that, set your EPG data to 11 ? or is it 13? days. Then teach your daughter (or, perhaps, automate) to trigger an EPG update when its plugged in. (I'm not sure what sage's behaviour is when an EPG update fails ... whether it trys again the next day at the same time, or if it continues to retry every XX amount of time). If it does not continually retry after failure, you may run into the problem of the EPG not updating even when the connection is plugged in.

Also, if they have a physical phone line you may simply be able to throw in a modem card and get some free dialup internet service implemented. (which you would then configure to only connect at certain times).

NAT is not a complete solution for hiding network devices, because your data streams can be interrogated and clues about network structure can be gleaned. Unfortunately I've been out of the game for a while so I dont really know what the state of the art is. And, when I used to manage, I preferred to err on the side of useability rather than paranoia.

Anyways, find out the social lay of the land and find out what happens if you break the rules, and how likely that outcome is. Then see if they will work with you. (but do not discuss your possible later options.)

Cory

[autoboy]

I would think the modem option sounds the easiest. With my Yahoo DSL they give you free access to modems that I use once in awhile on my laptop. The same can work for your sage server. Just make sure it doesn't make noises when it connects.