Securing University Residential Networks?
campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. A problem spot I see are the residential networks. For the most part, it is filled with un-patched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events, and an onslaught of DMCA violations have caught the attention of my superiors (as well as his superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group will to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"
Re:Univ. of Twente? (Score:2)
Lame, but good enough. (Score:5, Interesting)
Re:Lame, but good enough. (Score:2)
In the terms and conditions, they also have a whole load of draconian rules such as, don't run servers of any kind without permission, don't use NAT.. etc.. etc.. which translates in practice to - 'do what you like, but
Re:Lame, but good enough. (Score:3, Informative)
Telnet to switch (Score:1)
Re:Lame, but good enough. (Score:1)
Re:Lame, but good enough. (Score:2)
Re:Lame, but good enough. (Score:2)
Re:Lame, but good enough. (Score:2)
Sorry I wasn't clear -
Jon
Re:Lame, but good enough. (Score:1)
Scan machines, and turn off ports (Score:5, Interesting)
If they find vulnerable machines, or if they detect that a machine has been compromised, they notify the owner, and if the problem is not corrected in an appropriate amount of time, turn off the connection at the switch. If that happens, the owner has to prove that the machine is fixed before they will turn it back on.
Admittedly, this is a little draconian, but the other residents appreciate that the network isn't constantly congested with dos attacks from compromised machines in their dorm.
Re:Scan machines, and turn off ports (Score:2)
Re:Scan machines, and turn off ports (Score:2, Informative)
It depends on what environment the computer is in. In a residence, the student has only one port available to him, so he'd have to pick up his computer and move to a friend's room to switch ports (and unless he's malicious, he won't do that). Faking a MAC address is much easier though - it's a simple software setting (how simple depends on your operating system).
Block/Disconnect (Score:1)
I've been off the university student network [kuleuven.ac.be] for some years, but there are occurrences where the user is just disconnected from the network. A mail is sent to the user, the mailbox is monitored and from the moment the mail is checked, the user is disconnected. I guess that works as a motivation.
They block almost everything and script the hell out of the logs AFAIK. Most common file sharing programs are detected and mails are sent out to the users, irrespective of what the content is on those programs (w
It's a problem, alright... (Score:2)
I think that having sysadmin's regularly scanning all machines on the network for known exploits, and then sending them an email informing them how to patch th
It'd be unpopular as hell . . . (Score:2, Interesting)
Re:It'd be unpopular as hell . . . (Score:2)
Looking at my port forwarding rules on my router, if I were ever paying for access for a non routeable IP, I would stop paying immediately, especially since these students are paying hundreds of dollars per year in internet access (yes, the internet fee is directly included into the price of the room, per semester)
Re:It'd be unpopular as hell . . . (Score:1)
And what academic purpose does IRC, the only major service that requires ident, serve? Anyways, ident certainly can be done by a proxy server for NATed machines.
With respect to paying for service, yes, the students are--but schools aren't going to unbundle it--if they don't like what's provided, they're free to go to school elsewhere.
Re:It'd be unpopular as hell . . . (Score:2)
Anyway, what about those other services that need identd? Just because they aren't used often, doesn't mean they aren't useful. NATing everyone is the most retarded thing you could do, and no amount of rationalization is going to fix that.
"Lets charge our students outrageous network fees with tuition, and then NAT the fuck out of them. That will sure put our network to some GREAT USE!!! wah00000!"
If you want to effectively stop outsiders to
Re:It'd be unpopular as hell . . . (Score:1)
And while your dig about "taking an extra cigarette break" each day might hurt if I were a university network admin, I'm not.
Show them the software license. (Score:1, Offtopic)
Section 7 (in part): If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
Section 11 (all): BECAUSE THE PROGRAM
Re:Show them the software license. (Score:1)
Oops!
I bet you meant to post this as a reply to this article [slashdot.org].
Registration (Score:3, Informative)
1) E-mail filtering. They won't prevent e-mails from getting to you, but if there is an e-mail that possibly has a trojan attached, then that e-mail is sent to you as an attachment to another e-mail that warns you "possibly a trojan here".
2) Registration. In order to get an IP address you have to visit a website start.rit.edu or something like that. You use your school name and password to get your static IP address. Each person is only allowed 2 or 3 addresses. If your IP is doing something, they just look up who you are. If you have an unregistered device taking up an IP address then they cut your connection, which will make your roommate kill you.
3) Free anti-virus software, they give out anti-virus software to all users for free.
4) Prioritizing, they have made other traffic higher priority than file sharing traffic. And they have blocked windows file sharing over the net, but it still works internally.
5) School rules. The most effective security measure is the usage policies. If you are caught Hacking, you get in serious trouble. It would be almost like throwing your expensive years of college down the toilet. People who have insecure boxes full of viruses and trojans which are doing all kinds of things are discovered quickly by other users, who have personal firewalls, and are geeks. RESnet then "takes care" of them. Just port scanning another computer on the network can ruin you.
Re:Registration (Score:3)
Re:Windows Solutions (Score:2)
Patch push works great if all of your machines are similar in configuration, though.
Re:Windows Solutions (Score:1)
what if a MS patch fails on someone's machine, they are unable to get it to boot, and their term paper is on it?
chances are if they're unsavvy enough to know how to run a patch on their own machine, they probably won't know how to pop out the drive and throw it in another box, are the network admins gonna do that for them?
Re:Windows Solutions (Score:2)
People like you are the reason that student unions/councils are a good idea.
Null Routes (Score:2)
It's dirty, and called the ROD (Route of Death), but it works -- the end user figures out really quickly something's broken, and also re
let them police themselves (Score:2, Insightful)
We monitor usage with ntop and nessus and post the names of the heaviest users of network capacity (but not the greatest security violations). If the community has a problem with the activity of the user, they can deal with that through the student government. T
Firewall accommodation only (Score:2)
At my university the main campus network isn't behind a firewall and is wide open to the net (at least, not any firewall worth speaking of).
However, the accommodation network (dorms / halls whatever you call 'em) is behind the great firewall of doom.
The idea being the private machines in the accommodation network are the only machines in the entire university that the sysadmins have no control over (and are likely to be lusers' unpatched windows boxes). Thus only these are firewalled.
Admittedly, my universi
Re:Firewall accommodation only (Score:2)
Re:Firewall accommodation only (Score:1)
How do you know how much the students at this person's school are paying for network access? Do you have any idea how much that network access costs? $50 a month will not purchase you all of the core routing equipment so that you can get (at minimum) 10 mbps connections to all of the campus servers. When you buy DSL, what do you get? One connection. At a Uni you are connecting to potentially thousands of other computers at very high spee
Re:Firewall accommodation only (Score:2)
This is just my point. whether this school is private or public, t
Re:Firewall accommodation only (Score:1)
Used to run one... long ago... relied on people. (Score:1)
We were students ourselves, but accountable for what happened on the residence, and the school had one plug to pull to shut us out of internet (literally).
Our most important protection was simply about having people responsible. We had them sign a check of a big enough amount for a student that we would bring to the bank if they broke the loaned ethernet adapter or if the
Here at UMass... (Score:1)
I run Apache, and I get regular IIS-scans from hosts on the UMass net (128.119.0.0/16). A quick email to some acquaintances of mine at OIT netops and, afaik, the offending MAC addresses are blacklisted until they demonstrate that they're patched.
Problem not always the Students (Score:2)
We can't usually turn their ports off because they pitch a huge fit (and when faculty bitch it is felt more than the students) and we have a hard time fixing it because they are all very paranoid and will only let a tech come look at it when they are in thei
Re:Problem not always the Students (Score:1)
Port Blocking and Jack Deactivations here (Score:2)
Use NAT... (Score:2, Insightful)
You need to start by blocking NetBIOS (Score:2)
ResNet Management (Score:1)
At my school.. (Score:1)
When Network Services (the folks that watch the routers/switches) find someone that is abusing the network, they just turn off the port. Sometimes they'll c
Filter them all, let god sort them out (Score:1)
At CMU, we have a very nice perl script that we can use to add ACLs to our routers (Cisco 6509s) to block all traffic off the subnet to and from hosts who are infected or about whom we receive email from RIAA/MPAA/Random studio saying that they have been caught serving copyrighted material. We force all users to register their MAC address with us, and all Residence network machines are using dhcp supplied static global IP addres
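The notify-then-cut-off workflow that the "Scan machines, and turn off ports" post and the CMU post above both describe (warn the registered owner, wait out a grace period, then drop the host's traffic at the router until it is shown to be fixed), as an added example that is not CMU's script or any code from this thread. The registration table, grace period, ACL name and addresses are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

GRACE = timedelta(hours=48)  # assumed remediation window before the block

@dataclass
class Case:
    ip: str
    mac: str               # looked up in the (assumed) MAC registration table
    owner: str
    reason: str            # scanner finding or copyright notice, free text
    notified: datetime
    fixed_at: Optional[datetime] = None   # set once the owner proves it is fixed

class Enforcer:
    """Tracks notified hosts and renders the router ACL for the overdue ones."""

    def __init__(self, registry: Dict[str, str]):
        self.registry = registry            # MAC -> owner login
        self.cases: Dict[str, Case] = {}    # keyed by IP

    def notify(self, ip: str, mac: str, reason: str, now: datetime) -> Case:
        # Unregistered MACs get no grace: they have no owner to notify.
        owner = self.registry.get(mac, "UNREGISTERED")
        self.cases[ip] = Case(ip, mac, owner, reason, now)
        return self.cases[ip]

    def mark_fixed(self, ip: str, when: datetime) -> None:
        self.cases[ip].fixed_at = when

    def due_for_block(self, now: datetime) -> List[Case]:
        return [c for c in self.cases.values() if c.fixed_at is None
                and (c.owner == "UNREGISTERED" or now - c.notified >= GRACE)]

    def ios_acl(self, now: datetime, name: str = "RESNET-QUARANTINE") -> List[str]:
        """Cisco IOS extended ACL dropping each overdue host in both directions;
        the trailing permit keeps everyone else working when it is applied."""
        lines = [f"ip access-list extended {name}"]
        for c in self.due_for_block(now):
            lines.append(f" remark {c.owner} {c.mac} {c.reason}")
            lines.append(f" deny ip host {c.ip} any")
            lines.append(f" deny ip any host {c.ip}")
        lines.append(" permit ip any any")
        return lines

# Constructed sample data (not real registrations or addresses).
REGISTRY = {"00:11:22:33:44:55": "jdoe", "66:77:88:99:aa:bb": "asmith"}
T0 = datetime(2003, 9, 1, 9, 0)

def demo() -> List[str]:
    e = Enforcer(REGISTRY)
    e.notify("10.20.30.40", "00:11:22:33:44:55", "unpatched host", T0)
    e.notify("10.20.30.41", "66:77:88:99:aa:bb", "copyright notice", T0)
    e.mark_fixed("10.20.30.41", T0 + timedelta(hours=5))   # fixed in time
    return e.ios_acl(T0 + timedelta(hours=49))
```

The rendered ACL still has to be applied to the residence subnet's router interface, and removing a host's entries once it re-registers is the release step.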
LaBrea (Score:1)
This is a tool for linux and windows, that can even be run on a linux boot floppy on an unused pc.
"LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very lo