Hard Headed IT manager

Discussion in 'General Mac Discussion' started by Macpoops, Jan 12, 2004.

  1. Macpoops macrumors 6502

    Joined:
    Jan 15, 2002
    Location:
    PA
    #1
    OK, my school's digital media lab is about to undergo some changes, some welcomed, some imposed by the "omnipresent and all-knowing" IT head. Currently we have 2 labs: 1 wired, with old 500 MHz G4 Graphites, and 1 wireless, with Quicksilver 733 MHz machines in it. The wired lab will be upgrading to G5s, and the wireless lab has just been converted to a wired lab and the AirPort cards removed (no real reason for them being there, but no real reason for them to be removed either). I can accept that, but what I (and many other students with laptops) can't accept is his insistence on doing away with the access point entirely.

    I should have a chance to talk to him tomorrow morning. My proposal is the implementation of MAC filtering, then having us register our laptops. I know it'd be a pain in the butt, but it would make the little powermonger control freak happy.

    Sorry about that, I got caught up in the moment and forgot about what I was going to ask.

    Is MAC filtering a viable option? Any other thing we could propose cheaply other than RADIUS and WEP? I know MAC addresses can be faked and WEP cracked, but how easily? I guess I'm looking for anything you can tell me, so that I am a little more educated on the subject than I already am.

    Possible responses to this proposal he might have, and rebuttals I could use, would be much appreciated.
     
  2. besson3c macrumors member

    Joined:
    Apr 9, 2003
    #2
    Re: Hard Headed IT manager

    Thanks for the story. What information are you looking for from us, or are you?
     
  3. ShadowHunter macrumors regular

    Joined:
    Sep 27, 2003
    Location:
    Fresno
    #3
    Re: Hard Headed IT manager

    Us IT managers can be of the powermongering sort. Call it an outlet for our social repression :-D. I'm pretty good most of the time, but I will admit my faults and admit I'm an arrogant asshat sometimes.

    As far as viable options, MAC filtering is probably your best bet. A lot of ISPs use that too, so it's probably about as good as it gets for this sort of thing. Of course, the guy could just be an asshat and deny you for the sake of denying you. Though if one thing torques me off, it's IT managers who insist on using old technology either because of laziness or fear of the unknown (I know IT guys that still insist NT 4.0 is where it's at!).
     
  4. Macpoops thread starter macrumors 6502

    Joined:
    Jan 15, 2002
    Location:
    PA
    #4
    Well, when it comes to being fearful of new technology and not understanding it, this guy just may be king, and yes, he is an arrogant asshat. Given my experiences with him, he is very against wireless to begin with; mainly, I think, he doesn't understand it. I had a run-in with him over a personal AirPort station I had. He tried to explain to me 'how it works'; well, he failed to grasp the concept of NAT.

    One thing he is rather good at is feigning his intelligence and hiding his ignorance... I love a challenge.

    Any advice as a plan of attack? I'm already going to try to steer him toward the realization of a great "I just thought of that" moment, getting him to think it was his idea, you know what I mean.
     
  5. ShadowHunter macrumors regular

    Joined:
    Sep 27, 2003
    Location:
    Fresno
    #5
    Oh, he's one of THOSE!

    Frankly, I don't know how these people get IT jobs, let alone as managers. NAT is a basic concept that is used on the simplest of internet sharing; anyone qualified for an IT manager position should be able to at least give a paragraph-sized explanation of the basics in what it is and how it works. It was real frustrating when I was 16 and interviewing for IT jobs, nobody took me seriously, especially since I didn't know the right "lingo," even though the asshats that were interviewing me didn't know diddly and were probably intimidated that I knew more than they did, or would try and learn til I did. Sorry, you just hit a nerve :D

    As far as a plan of attack; good luck. If the guy made a scene about your access point with that weak of an argument, I'm afraid you're out of luck. Just approach him with a couple of your laptop buddies, explain that you'd like to still use the wireless with your laptops, and offer the MAC filtering as a control method for security and monitoring. Don't get all huffy about it, just explain what you want and why, and leave it at that.

    What about an email on the same lines? You could CC his boss.
     
  6. Macpoops thread starter macrumors 6502

    Joined:
    Jan 15, 2002
    Location:
    PA
    #6
    I appreciate the feedback. And I understand why I struck a nerve with my story. I'm not even in a major that could be classified as IT and have a better understanding than some of our techs. We have a crap IT program to begin with, and then they go out and hire the little asssmoochers to try to vilify the department. He is one whose nose was very brown after his 4 years here. In my opinion he sucks at life. No offense to you, I don't know your situation or where you work; I am assuming you work for a business or large university and not a small (under 1800 students) college. He sucks at life because he
    A. Got a job where he went to school, so he never experienced the "real world", IMO. B. Feels powerful because he controls a resource used by 18-21 year olds that in all likelihood will go on to become lawyers and doctors and be far more respected than he. And
    C. Controls this resource by acting like Robocop, i.e., tracking me down and pulling me out of my class to inform me that he's turned off my network access because I connected an "illegal device", i.e., an Apple AirPort Base Station (Snow), of which there is no definition that fits said wireless device in the college policy.

    As you can see, this guy can be a real cowboy. It was not my intention to offend anyone but this man. So if I did offend anyone but the subject of my original story, I offer my sincerest apology. If you just so happen to be the subject of the story, I AM NOT SORRY.
     
  7. anubis macrumors 6502a

    Joined:
    Feb 7, 2003
    #7
    chill out

    Chill out man.

    I'm not sure if you're in high school or at college. So I'll give you some advice for both cases.

    First of all, if you're in high school: your school DOES receive federal and state funds to operate. By federal law, all public school internet connections must have web filtering and monitoring software installed on every computer connected to the internet. Your school has to do this to maintain funding. Your IT manager may seem like he's just being mean, but he has to protect his own ass. You can't have unprotected wireless access points open to the world, where people can park their laptops near the access point and serve porn or hack the FBI. At my high school, they didn't even allow students to bring their laptops to school and hook them up to the ethernet, because it was impossible to administer web filtering and monitoring on students' laptops. You're lucky your school even uses Macs.

    If you're at a university, the same thing applies. They're not doing it to be mean, but they can't risk the liability of having an unrestricted wireless access point. At nearly all universities, mine included, they impose nazi-like requirements and restrictions on network usage. All computers must have anti-virus software installed and all updates must be installed at all times. Failure to maintain a flawlessly secured computer on the network can be grounds for expulsion from the university. Some universities even fine students $25-$50 for every virus found on students' computers, even if the student didn't know the virus was on their computer or how it got there. It's just something you're going to have to get used to.

    So just take it easy. Look at it from their shoes. If someone parks their laptop at an unsecured wireless access point and serves up illegal kiddie porn for a day, guess whose ass is grass when the police show up? The IT guy. You wouldn't want to be liable for something like that, would you?
     
  8. Macpoops thread starter macrumors 6502

    Joined:
    Jan 15, 2002
    Location:
    PA
    #8
    I go to a private liberal arts college, thank you very much. I'm not arguing that it needs to be completely unprotected; securing is not the issue. The issue is why can't he secure the station instead of tearing it out, making it extremely inconvenient to use my laptop in the lab where: A. I need access to the server to hand in assignments as well as download information preassembled by my profs. B. I need to be able to access the net to download possible content, tutorials, patches and other helpful information. C. Wireports and desk space are limited. And just for fun, D. Cables running all over the room to laptops could cause a safety hazard. You never know when some klutz is going to trip over a wire; he falls on a desk, breaking his nose, and my PB goes flying onto the floor, cracking the display, costing me several hundred to repair and the health insurance company several hundred to care for the klutz's broken nose.

    What I am arguing about is why he feels the need to take it away after it's operated without incident for 3+ years. The school has also received federal and state grants to develop wireless LANs on campus, of which 1 classroom has been equipped for this. 300,000 dollars worth of grant money and you equip one room? The wireless LAN in question was set up with Digital Media Department funds, not IT and not grant money. Extensive plans have been drawn up for campus-wide deployment, but this IT manager always steps in the way.
     
  9. ShadowHunter macrumors regular

    Joined:
    Sep 27, 2003
    Location:
    Fresno
    #9
    I'm afraid I side with Macpoops on this one. This issue isn't so much about securing a wireless network as it is about an asinine network admin.
     
  10. Rower_CPU Moderator emeritus

    Joined:
    Oct 5, 2001
    Location:
    San Diego, CA
    #10
    Another IT guy checking in here.

    I try to be an atypically easy to approach IT guy, but maybe that's because I've never had any credential training. "Being an Asshat 101" must be part of the requirement. ;)

    At my school, most departments that have enacted a wireless solution on their own use MAC filtering. Our campus network group has been working on wireless for some time now with nothing much to show for it.

    Good luck. :)
     
  11. MattG macrumors 68040

    Joined:
    May 27, 2003
    Location:
    Fletcher, NC
    #11
    At our school we use WEP. Anyone who wants on the network has to see myself or the network admin for the key.
     
  12. tomf87 macrumors 65816

    Joined:
    Sep 10, 2003
    #12
    Re: chill out

    It's not impossible and you don't need to touch every computer. You can filter web content, viruses, and worms at the gateway.

    Okay, so it's a 3 year old AP. Since this supports WEP only, unless the manufacturer provided an update to support WPA, I would agree that it would have to go. I would at least get a new one to support the latest security standards, as WEP is very easy to hack. In addition, just because it ran for 3 years without incident doesn't mean it's not susceptible to attack. Even with newer equipment, I would still implement MAC filtering and disable SSID broadcasting to try to hide it from the public.

    There are many corporations that will not implement wireless yet, as they cannot physically lock down the environment. For example, my company requires a badge to get access to the building. In addition, there are no network jacks in the public areas. This allows only authorized people to get access. With wireless, the signals go where they want to go, and anyone can connect.

    WEP is not secure at all. It has been proven numerous times that people can simply tap the network, watch the traffic, and derive the key. So, I wouldn't assume your network is secure because WEP is enabled.
     
  13. CrackedButter macrumors 68040

    Joined:
    Jan 15, 2003
    Location:
    51st State of America
    #13
    I seem to have the most nervous and socially inept admin ever, but he knows his stuff when it comes to Macs; he is a good man.

    However, wireless access is a pipe dream at my college in the UK but we can bring our laptops in and hook them up to the network when admins are looking the other way... as the rumour goes.
     
  14. SiliconAddict macrumors 603

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #14
    Re: Hard Headed IT manager

    The job of any IT personnel is to make a location as streamlined and easy to manage as possible or, as my boss puts it: We are working to put ourselves out of a job. A wireless network has both benefits and disadvantages to its use. As a user not geared towards IT, you see it as simple as slapping an access point into the room and you are done. There are A LOT of other considerations to take into account beyond giving you access to the network. The biggest being security. You speak of MAC access filtering, but do you realize that is a maintenance intensive way of handling security? And what about support when someone is having problems connecting to the WIFI network? An Ethernet connection is pretty straightforward. Literally plug and play. That and you have at minimum double the speed of 802.11A/B/G on a 100 Mb/s connection. When you are talking security on a WIFI, it's downright pathetic. I’m constantly over at my friend’s apartment with my laptop. There is someone across the way with a WIFI network who has MAC filtering and 128-bit WEP turned on. MAC spoofing can be done in 3 clicks of a button or one command line entry :) WEP is harder and is also a PITA to manage. At any rate, depending on the amount of traffic on the network, there are utilities that can break WEP in less than a week. I broke my neighbor's in 4 days, but that was with setting up my laptop in the corner of my friend’s apartment for all 4 days. It’s an intensive process, and for the average user/hacker/cracker they aren’t going to waste their time. My point isn’t if the admin at your school can secure your location. That CAN be done. It's how much overhead in maintenance will occur from doing such a thing? It’s really easy. Which is easier to deal with? A wired network? Or a wireless network?
    OK, so I don’t know the size and scope of the lab/location where this WIFI AP is located, but most labs are small enough that a WIFI network just isn’t practical.

    PS: Our company bans any wireless in our company, with possible termination as a consequence if anything is placed on the network. WIFI is NOT a secure method. And frankly, if there isn't a really good reason, I wouldn't touch it until it matures.
    I know for a fact, talking to MS employees, that WIFI enabled on their networks has multi-layered security on their systems. (I think WEP, MAC filtering, with the connections sitting behind a VPN connection having authentication done via a RADIUS server. Or something along those lines.) It's WAY intensive security.
     
  15. Macpoops thread starter macrumors 6502

    Joined:
    Jan 15, 2002
    Location:
    PA
    #15
    I may not be an IT related major. But I do know quite a bit more than your average sheep. I know that MAC filtering is an intensive process; it's a PITA doing it with 3-4 machines in my home, let alone the whole 20-40 in the department. And WEP can be relatively easily cracked. I know that no matter what, wireless is an insecure by nature technology. Believe me, I have a very vivid idea of what goes into setting up and admining a wireless network. Support really wouldn't be too much of an issue because 98% of the students that run on this network are PowerBook and iBook users. IT only has mediocre, at best, Mac support. People come to the DM department for Mac support, not IT.

    My problem has to be the fact that it's run fine for years without even a hint of a problem, yet all of a sudden there is this shift. I am however unclear on all the security options of wireless, and would imagine a combination of security techniques would be more secure than one alone. A combination of MAC filtering and WEP would in my mind be secure enough for our purposes. Not like we are hiding secret government data. If someone wants to hack in and screw around with the WAWA commercial I made as a joke for my sophomore video class, go right ahead.
     
  16. K12MacTech macrumors member

    Joined:
    Jul 29, 2003
    #16
    We have a very security conscious net admin in our district - sometimes a little bit too much if you ask me. BUT... we have wireless in all our schools and admin buildings. The steps he has taken are to:

    1. Make it a closed network. Yes, someone passing by or intentionally trying to get on the network could see the signal, but they need to know the name assigned to the network to access it. Not foolproof, but another barrier to pass. And if they guess the name of the network, they still need to know the key.

    2. All our AirPort base stations have been replaced with Cisco gear. Transparent to end users, but much more secure with higher level encryption.

    3. Network resources require username/password to access from any computer, wired or wireless.

    4. Firewall filters for inappropriate material coming in, and also authenticates users before allowing access to non-district sites, i.e., username must have permission to go on the internet, or firewall will not allow access.

    This is not a perfect system, but our person recognizes that if you lock things down too much you interfere with the educational process that is supposed to be taking place. We have had our problems with occasional viruses, brought in by laptops, but basically they are not prohibited from connecting to our network.

    As far as MAC filtering, that sounds like your best option if he is willing. He could always implement some of the above as well. Ours didn't want to use MAC filtering because we have a few hundred laptops and desktops accessing via wireless, and he felt it would be a nightmare to keep the list maintained. But for a few users it should work.

    As a final resort, can you put an AirPort card in one of the desktop systems and set up a software base station? That might be enough to give you a quick access for transferring files from laptop to desktop. I'd rather be using a wired system for extensive network access anyway.
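
Posts #14 and #16 both point out that a MAC filter list is laborious to keep maintained. As an added example (not code from any poster), this Python sketch audits a laptop registration list before it is loaded into an access point; the function names, the 90-day idle threshold and the sample entries are assumptions, and the addresses are constructed from the RFC 7042 documentation range.

```python
import re
from datetime import date

# Constructed sample registrations: (owner, MAC as typed on the form, last seen).
# 00-00-5E-00-53-xx is the RFC 7042 documentation range, not real hardware.
REGISTRATIONS = [
    ("student-a", "00:00:5E:00:53:0A", date(2004, 1, 10)),
    ("student-b", "0000.5e00.530b", date(2003, 5, 2)),      # idle for months
    ("student-c", "00-00-5e-00-53-0a", date(2004, 1, 11)),  # same card as student-a
    ("student-d", "02:00:5e:00:53:01", date(2004, 1, 9)),   # locally administered
    ("student-e", "00:00:5e:00:53", date(2004, 1, 9)),      # one octet missing
]


def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if not 12 hex digits."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(registrations, today, max_idle_days=90):
    """Split registrations into a clean allowlist and (owner, reason) findings."""
    allowlist, findings, owners = [], [], {}
    for owner, raw, last_seen in registrations:
        mac = normalize_mac(raw)
        if mac is None:
            findings.append((owner, "invalid"))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # Group/multicast bit set: never a station's own address.
            findings.append((owner, "multicast"))
            continue
        if first_octet & 0x02:
            # Locally administered bit set: not a vendor-assigned address,
            # so the entry needs a manual check before it is trusted.
            findings.append((owner, "locally-administered"))
            continue
        if mac in owners:
            findings.append((owner, "duplicate of " + owners[mac]))
            continue
        owners[mac] = owner
        if (today - last_seen).days > max_idle_days:
            findings.append((owner, "stale"))
            continue
        allowlist.append(mac)
    return sorted(allowlist), findings


if __name__ == "__main__":
    allow, problems = audit(REGISTRATIONS, today=date(2004, 1, 12))
    print("load into AP:", allow)
    for owner, reason in problems:
        print("review:", owner, "-", reason)
```

Because a client can change the address it presents, as the thread notes, a clean list only limits casual use and does not replace the per-user authentication described in post #16.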
     
  17. SiliconAddict macrumors 603

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #17
    *sighs* This is why IT hates end users.

     
  18. Macpoops thread starter macrumors 6502

    Joined:
    Jan 15, 2002
    Location:
    PA
    #18
    Could have been done in years past, but not anymore; too many locks and such. I know I could do this, but good ole IT would probably have a heart attack. In that regard we could also work as a team: 1 of us with a laptop plugs in to the network and acts as a software station... but now I'm just playing devil's advocate.
     
  19. K12MacTech macrumors member

    Joined:
    Jul 29, 2003
    #19
    Re: *sighs* This is why IT hates end users.

    Hey, I said last resort, and I didn't say he SHOULDN'T check with IT first. (OK, maybe I implied it, but when you have someone that stubborn, you need to get creative sometimes.) So you're right, it is not necessarily advisable. He would probably risk getting banned from his school's network altogether, depending on their policies.

    So, let's see if this is a more acceptable "last resort." Hook the laptops to desktops via FireWire cable in target disk mode. Laptop users would be able to download files to their laptop disk, and could transfer files from the laptop to the server. This would accomplish Macpoops' primary objective as he stated it. Not perfect, but it should work.
     
  20. Macpoops thread starter macrumors 6502

    Joined:
    Jan 15, 2002
    Location:
    PA
    #20
    I am aware of my option. But you get used to using a certain computer and a certain feel, i.e., I trust and prefer my laptop to the lab computers. It's also been very convenient just popping my laptop on the desk and having all the access I want. I was looking strictly for options where the effect of the security wouldn't change the experience. I've gotten mostly the answers I was looking for and expecting.
     
