Tech Support HELL

Thumbs down on the brute force approach. Traffic shaping to restrict streaming video bandwidth to something like 1kb/s would be ever so much more insidious :P

From:

mogaribue.livejournal.com

Agreed. We've found the best way to deal with this is use QoS/Squid Delay pools. Let them watch their movies, just very, very slowly.

From:

When you figure out how to implement traffic shaping on a Netopia R9100 (vintage 1998), lemme know and I'll give it a shot. =)

From:

Step 1: Replace it with something made in the 21st century.
Step 2: ???
Step 3: Profit!

From:

There's only so much budget to go around - I'd much rather keep spending it on servers and multi-monitor setups and what have you than waste it replacing a perfectly functional router.

From:

Well, if you have a spare box with a pair of network interfaces and enough CPU/RAM (which shouldn't be too much), you can set up squid or something similar on it and put it as a transparent bridge in front or behind the existing router to add needed functions (traffic shaping, content filtering, spam filtering, etc).

From:

Sure, I've considered replacing our OpenVPN server with a box running Endian Firewall and putting it inline with the internet pipe instead of routing VPN traffic only through it. But that's pretty low priority. The email is already filtered at the server level, and if I was actually going to introduce something complex inline with the network feed itself it would DEFINITELY be for the reason of malware filtering, not traffic shaping.

"Kill video sites" is more than granular enough to meet my needs for traffic shaping at the moment.

From:

This approach depends upon you killing video sites faster than the user can find them, and there are a lot to go around; then there's question of proxies, VPN connections, etc, etc. Of course it requires some technical knowledge on the part of the user, but hey, apparently they have nothing better to do...

From:

It's often a mistake to try to find complex technical solutions for simple human problems.

The correct response to users who proxy or VPN around blocks to watch videos is not to play technical one-upsmanship with them, it's to fire them.

From:

True that, but if network admins were the ones responsible for firing people, the world would've been a much different place :)

From:

...?

Dude, I might or might not be able to get somebody fired for watching streaming video at work. (I most likely could, but I would almost certainly not try.) Someone who deliberately contravenes security measures, on the other hand, is fucking toast.

Slapping down a netblock is like locking my house. It's a hell of a lot harder for a 10 year old kid to stammer excuses about why you found him in your living room when he's holding a bigass screwdriver and the sill is broken on one of your windows than if he just walked in through the open front door. "Oh um I saw a cat... in the yard? And I thought it was yours?" Nice try junior, now you and me and that big fucking screwdriver are going to go have a talk with your parents.

From:

That depends on how the management relates to network admin and the employee in question. In, unfortunately, too many cases, it's the admin who will be told to stop screwing around :(

From:

If your management won't allow you to do the job they hired you to do, it's time to either 1) find a new job or 2) cowboy up, grab some sack, and stop being a doormat.

From:

There's management, and then there's management. What do you do when it's your immediate boss, who happens to own the business, hogging all the (quite limited) bandwidth by emailing porn to a list of a couple hundred people? True story there, except thankfully it wasn't my boss.

From:

dagbrown.livejournal.com

Ah, that would be "polish up the resume and find new job" time. If the company's boss spends all his time looking at porn instead of working, the company's doomed.

From:

Owner's habits notwithstanding, they've been in business for quite a long time, and show no signs of closing down.

From:

jecook

+1.

Our company has a nanny filter installed on our T1 to the net that filters, (among other things) LJ. It's specifically mentioned during employee orientation that everyone who gets a network account that internet useage is monitored heavily, and that mis-using it is ground for disiplinary action and/or termination. Trying to get around said nanny filter is grounds for an instant termination.

Strangely enough, though, things like craigslist and youtube are not blocked. (I know that You tube used to be blocked, but someone managed to talk the network admin into deblocking it. go figure.)

From:

benatwork.livejournal.com

The nanny filters here used to block livejournal.com. But *only* livejournal.com. username.livejournal, community.livejournal, all of those still worked. It only lasted about a week, though, since it was a new filter that is a whole lot less effective and badly configured than the old one.

From:

Only if you can.

My current business won't let me do more than give them an official verbal warning. So, I just shut off ALL external access.

I'm in a one-deep position here, so they really are welcome to fire me.

From:

superbus.livejournal.com

Easy:

"Sir, your intern is killing my bandwidth and seemingly has nothing better to do. Here are my packet logs."

From:

The router may work, but it's ten years old. There are too many was around for a serious line of defense.

Time to move on, and reuse it somewhere else.

Personally, I like my SonicWall firewall. Especially since there is another group of people creating long lists of Proxy sites, pr0n sites, advertising, etc. that I can block.

From:

mogaribue.livejournal.com

We use a Squid proxy with delay pools, offending sites get dumped in there. We also use a Fortigate to block pr0n and do AV filtering.

From:

erikarn.livejournal.com

People still use Squid? Cool.

*duck*

From:

http://users.livejournal.com/hub_/

priceless :-)

good job :-)

From:

arabwel.livejournal.com

*appalause*

From:

nem0.livejournal.com

Oh zing.

Same thing happened to me today, heh. Except the user's out until Monday, so I can't lay the smackdown on him yet.

It was kind of funny. I did a speed test on our network, got shitty speeds, traced which cable going into the switch panel was connected to his machine, yanked it, and ran another speed test. Our network instantly kicked back up to optimal speeds.

Remember, kids, don't mess with your BOFH.

From:

reddragdiva

This is why keeping an antique 1baseT hub around to put between miscreant's cable and the switch is always useful. Half-duplex, of course.

From:

snarl817.livejournal.com

ROFLMAO!

I remember when I was an admin. The Sr. Network Engineer was a friend of mine, and we had just finished moving our datacenter to a new location, but the internet feed was still going out of the main office in Minnesota. One day he walks over to my desk and asks, "Hey, USWest has just finished connecting our dual T1 to the Internet. It's being used right now by me and the DNS server. Do you want a static NAT?"

Yeah. LOTS of bandwidth, and NOBODY to complain. I downloaded a LOT of porn from USENET using tin, and transported it home on ZIP disks.

From:

brotherflounder

A true BOFH would have accidentally forwarded these conversations to the intern director.

Just sayin'.

Nice smackdown, though.

From:

brotherflounder

BTW, where are you working? If it's *at* USC, I now know why said intern gets away with that...

From:

nah. it's a private smallbiz.

From:

I don't know the Netopia R9100 - can you close all ports and JUST open the 4-5 you really need?

From:

(Quick search)

Ah. You should be able to block ports except for mail, web, and anything else you SPECIFICALLY need.

From:

superbus.livejournal.com

Basically, lock down to 80, 443, 25, 110, 23, and maybe a port for VPN?

From:

dagbrown.livejournal.com

23? I believe you misspelled "22" there.

From: