Securing University Residential Networks?

campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. A problem spot I see is the residential networks. For the most part, they are filled with un-patched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events, and an onslaught of DMCA violations, have caught the attention of my superiors (as well as their superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group willing to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established-only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"
  • by vandel405 ( 609163 ) on Friday March 14, 2003 @06:46AM (#5510234) Homepage Journal
    I know it isn't the best answer. But it works pretty well against the average Joe. At UC Berkeley pretty much every ethernet port is guarded with MAC-based security. So now if you have a user acting like a bandwidth black hole, you can easily just drop them off the network, and tell them to fix it via web-based email. When they do, they tell you, and you let them back on.
    • That's what they do at our university (University of Manchester, UK), but one thing I've always wondered: why not simply pull the plug at the switch? No worries about MAC address spoofing (although if the router is configured to block all MACs on a certain port, then I guess it wouldn't matter).

      In the terms and conditions, they also have a whole load of draconian rules such as: don't run servers of any kind without permission, don't use NAT, etc., etc., which translates in practice to 'do what you like, but
      • To answer your first question, physically visiting the switch to physically pull the cable takes a lot more time (especially at physically large universities) than telnetting to the router to kill the MAC.
        • but you can telnet to switches too.
        • Yeah, I guess. In the case of the halls of residence where I'm at, the distance between the admin and the switch is next to nothing, so I thought nothing of having him get a little exercise when removing somebody's net access. However, as has already been mentioned, I think, it is possible to have the port disconnected remotely also (well, it would be switched off, although a nice little robot arm to do the unplugging would be pretty funky).
      • When I worked in a ResNet, we didn't just block the mac, we turned off the port on the hub. No worries about any spoofing. This required smart hubs, but I'm sure current equipment can do it just as well.
    • Sounds good... At least, until your Trojan writers get smart and start messing with the drivers, switching MAC addresses randomly...
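The thread above weighs a MAC-level block at the router against shutting the switch port, and the last reply raises the obvious evasion: a host that changes its MAC. The following is an added example, not code from the thread or from any of the universities mentioned; it assumes a hypothetical registration table (MAC, user, switch, port) and a snapshot of the switches' forwarding tables, both constructed here, and shows the two checks a MAC-based gate needs before it can be trusted: MACs that appear on a port other than the one they were registered on, and MACs nobody registered at all. It also turns flagged MACs into switch ports to shut, so the block holds after a MAC change.

```python
"""Added example, not code from the thread or from any poster: reconcile a
ResNet MAC-registration table against what the switches actually see.

Assumptions (constructed for illustration): a registration table keyed by MAC
with the switch/port the jack is wired to, and (mac, switch, port) entries as
pulled from the switches' forwarding tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    mac: str
    user: str
    switch: str
    port: int


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 0011.2233.4455, 00-11-22-33-44-55 and
    00:11:22:33:44:55 compare equal (copies of a MAC often differ only in form)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed registration table: who registered which MAC on which jack.
REGISTRATIONS = [
    Registration("00:11:22:33:44:55", "alice", "sw-hall1", 7),
    Registration("00-11-22-33-44-66", "bob", "sw-hall1", 8),
    Registration("aabbccddeeff", "carol", "sw-hall2", 3),
]

# Constructed forwarding-table snapshot: (mac, switch, port) as the switches see it.
OBSERVATIONS = [
    ("00:11:22:33:44:55", "sw-hall1", 7),   # alice, where expected
    ("0011.2233.4466", "sw-hall2", 12),     # bob's MAC in another hall: moved, or spoofed
    ("aa:bb:cc:dd:ee:ff", "sw-hall2", 3),   # carol, where expected
    ("de:ad:be:ef:00:01", "sw-hall1", 9),   # nobody registered this one
]


def find_port_mismatches(registrations, observations):
    """MACs seen on a (switch, port) other than the one they were registered on.
    Either the owner carried the box to a friend's room, or someone else is
    using a registered MAC; both deserve a look before a MAC-only block is trusted."""
    by_mac = {normalize_mac(r.mac): r for r in registrations}
    hits = []
    for mac, switch, port in observations:
        key = normalize_mac(mac)
        reg = by_mac.get(key)
        if reg is not None and (reg.switch, reg.port) != (switch, port):
            hits.append((key, reg.user, (reg.switch, reg.port), (switch, port)))
    return hits


def unregistered_macs(registrations, observations):
    """MACs on the wire that nobody registered: a MAC-based gate should be
    holding these at the registration page, not passing them."""
    known = {normalize_mac(r.mac) for r in registrations}
    return sorted({normalize_mac(m) for m, _, _ in observations} - known)


def shutdown_targets(registrations, offending_macs):
    """Translate flagged MACs into (switch, port) pairs to shut down, so the
    block holds even if the host changes its MAC afterwards."""
    by_mac = {normalize_mac(r.mac): r for r in registrations}
    targets = {(by_mac[m].switch, by_mac[m].port)
               for m in map(normalize_mac, offending_macs) if m in by_mac}
    return sorted(targets)


if __name__ == "__main__":
    for hit in find_port_mismatches(REGISTRATIONS, OBSERVATIONS):
        print("mismatch:", hit)
    print("unregistered:", unregistered_macs(REGISTRATIONS, OBSERVATIONS))
    print("shut ports:", shutdown_targets(REGISTRATIONS, ["AABBCCDDEEFF", "0011.2233.4455"]))
```

With the constructed data, bob's MAC shows up on a different switch and port than it was registered on, one MAC is unregistered, and the two flagged MACs resolve to two ports to shut rather than two MACs to filter.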
  • by danielwright ( 114541 ) on Friday March 14, 2003 @07:00AM (#5510279)
    The school I go to has an effective policy: firstly, they routinely scan the entire campus network for vulnerable machines using Nessus.

    If they find vulnerable machines, or if they detect that a machine has been compromised, they notify the owner, and if the problem is not corrected in an appropriate amount of time, turn off the connection at the switch. If that happens, the owner has to prove that the machine is fixed before they will turn it back on.

    Admittedly, this is a little draconian, but the other residents appreciate that the network isn't constantly congested with dos attacks from compromised machines in their dorm.
    • Yeah, and the way to do this is by checking the MAC address so the offender can't just switch ports. If you wanted to be TRULY EVIL, force them to use PPPoE... Heh heh.... Hmm, nah, I wouldn't want to push THAT on anyone (like the baby Bells do...). It's a little TOO evil. :-)
      • > Yeah, and the way to do this is by checking the MAC address so the offender can't just switch ports.

        It depends on what environment the computer is in. In a residence, the student has only one port available to him, so he'd have to pick up his computer and move to a friend's room to switch ports (and unless he's malicious, he won't do that). Faking a MAC address is much easier though - it's a simple software setting (how simple depends on your operating system).
  • by Anonymous Coward
    OK,

    I've been off the university student network [kuleuven.ac.be] for some years, but there are occurrences where the user is just disconnected from the network. A mail is sent to the user, the mailbox is monitored, and from the moment the mail is checked, the user is disconnected. I guess that works as a motivation.

    They block almost everything and script the hell out of the logs AFAIK. Most common file sharing programs are detected and mails are sent out to the users, irrespective of what the content is on those programs (w
  • I know at the uni I go to, at least one of the residential colleges (which shall remain un-named), they're still suffering from one of the outlook-exploit viruses that's over two years old! It's not Melissa or the I-Love-You, but something of that kind that the unpatched Windows boxes continue to pass around the college network, choking up bandwidth.

    I think that having sysadmins regularly scanning all machines on the network for known exploits, and then sending them an email informing them how to patch th
  • . . . but one thought is to use non-routable IPs inside the ResNet. Harder to attack a machine that can't be reached, with the added bonus of P2P only working for push transfers.
    • This is not even a reasonable option. This effectively is a DoS to all your users requiring ident and other features that non-routable IPs cannot do.

      Looking at my port forwarding rules on my router, if I were ever paying for access for a non-routable IP, I would stop paying immediately, especially since these students are paying hundreds of dollars per year in internet access (yes, the internet fee is directly included in the price of the room, per semester).
      • This is not even a reasonable option. This effectively is a DoS to all your users requiring ident and other features that non-routable IPs cannot do.

        And what academic purpose does IRC, the only major service that requires ident, serve? Anyways, ident certainly can be done by a proxy server for NATed machines.

        With respect to paying for service, yes, the students are--but schools aren't going to unbundle it--if they don't like what's provided, they're free to go to school elsewhere.

        • That is the most ridiculous blanket statement I have ever seen.

          Anyway, what about those other services that need identd? Just because they aren't used often doesn't mean they aren't useful. NATing everyone is the most retarded thing you could do, and no amount of rationalization is going to fix that.

          "Lets charge our students outrageous network fees with tuition, and then NAT the fuck out of them. That will sure put our network to some GREAT USE!!! wah00000!"

          If you want to effectively stop outsiders to
  • Show them the software license, specifically section seven which may or may not apply, and sections 11 and 12 which do apply:

    Section 7 (in part): If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.

    Section 11 (all): BECAUSE THE PROGRAM
  • Registration (Score:3, Informative)

    by Apreche ( 239272 ) on Friday March 14, 2003 @09:28AM (#5510633) Homepage Journal
    Here at RIT there isn't much of a firewall either, but there are a few things they do for security.

    1) E-mail filtering. They won't prevent e-mails from getting to you, but if there is an e-mail that possibly has a trojan attached, then that e-mail is sent to you as an attachment to another e-mail that warns you "possibly a trojan here".

    2) Registration. In order to get an IP address you have to visit a website, start.rit.edu or something like that. You use your school name and password to get your static IP address. Each person is only allowed 2 or 3 addresses. If your IP is doing something, they just look up who you are. If you have an unregistered device taking up an IP address then they cut your connection, which will make your roommate kill you.

    3) Free anti-virus software. They give out anti-virus software to all users for free.

    4) Prioritizing. They have made other traffic higher priority than file sharing traffic. And they have blocked Windows file sharing over the net, but it still works internally.

    5) School rules. The most effective security measure is the usage policies. If you are caught hacking, you get in serious trouble. It would be almost like throwing your expensive years of college down the toilet. People who have insecure boxes full of viruses and trojans which are doing all kinds of things are discovered quickly by other users, who have personal firewalls, and are geeks. RESnet then "takes care" of them. Just port scanning another computer on the network can ruin you.
  • At my place of business, whenever an IDS detects a machine that's infected with something or other, we simply add a static route to one of our core routers saying "anything coming from this IP should be routed to the bit bucket". This route then gets redistributed throughout the network, preventing any packet leaving the machine from going anywhere past their local switch.

    It's dirty, and called the ROD (Route of Death), but it works -- the end user figures out really quickly something's broken, and also re
  • I work on a small college network (~1000 users) and have set up the residential network as a separate network with routes to the academic network and the Internet. Access to academic resources is controlled by router ACLs and LDAP authentication.

    We monitor usage with ntop and Nessus and post the names of the heaviest users of network capacity (but not the greatest security violations). If the community has a problem with the activity of the user, they can deal with that through the student government. T

  • At my university the main campus network isn't behind a firewall and is wide open to the net (at least, not any firewall worth speaking of).

    However, the accommodation network (dorms / halls, whatever you call 'em) is behind the great firewall of doom.

    The idea being the private machines in the accommodation network are the only machines in the entire university that the sysadmins have no control over (and are likely to be lusers' unpatched Windows boxes). Thus only these are firewalled.

    Admittedly, my universi

    • This is ridiculous and, since the students are paying out the ass for this access, really shouldn't be tolerated. Not only is this the most extreme use of a firewall to block access to PAYING USERS (yes, they pay a fucking fortune, more than the 50/month they could be getting for DSL, included in the room fee) but it is just plain incompetence that any admin or policy would willfully do such a thing.
      • First off, both of you need to learn how to spell, just had to say it.

        How do you know how much the students at this person's school are paying for network access? Do you have any idea how much that network access costs? $50 a month will not purchase you all of the core routing equipment so that you can get (at minimum) 10 Mbps connections to all of the campus servers. When you buy DSL, what do you get? One connection. At a Uni you are connecting to potentially thousands of other computers at very high spee
        • "How do you know how much the students at this person's school are paying for network access? Do you have any idea how much that network access costs? $50 a month will not purchase you all of the core routing equipment so that you can get (at minimum) 10 Mbps connections to all of the campus servers. When you buy DSL, what do you get? One connection. At a Uni you are connecting to potentially thousands of other computers at very high speeds."

          This is just my point. Whether this school is private or public, t
          • What are you talking about? Where do you get the idea that "the students are paying for at least half the bandwidth" ?? Not all colleges/universities are state schools either. Not all money into a University comes from students. Most, if not all, departments do research where they receive money, usually from the government, but more and more from corporations. This money is then used by departments to pay for computing services. Sure the students contribute to the money available for these services also, bu
  • I used to run an engineering school's dorm network from 95-97. We enjoyed the school's connection, which was then dispatched to all rooms.

    We were students ourselves, but accountable for what happened on the residence, and the school had one plug to pull to shut us out of the internet (literally).

    Our most important protection was simply about having people responsible. We had them sign a check of a big enough amount for a student that we would bring to the bank if they broke the loaned ethernet adapter or if the
  • I run Apache, and I get regular IIS-scans from hosts on the UMass net (128.119.0.0/16). A quick email to some acquaintances of mine at OIT netops and, afaik, the offending MAC addresses are blacklisted until they demonstrate that they're patched.

  • We have a bigger problem with faculty here at my school, especially with the ones that think they know what they are doing and have either installed Microsoft Server Applications (MSSQL, etc.) or Linux (Usually RedHat 6.2 or something equally outdated).

    We can't usually turn their ports off because they pitch a huge fit (and when faculty bitch it is felt more than the students) and we have a hard time fixing it because they are all very paranoid and will only let a tech come look at it when they are in thei
  • Here at the Rochester Institute of Technology, all Windows file sharing ports are blocked between the internal network and the Internet. I believe Mac ports are turned off as well (along with SMTP, to boot). Any user who is violating the network policy in some way, be it running some sort of illegal file server or unknowingly hosting something of the same sort, has their network jack deactivated.
  • Use NAT... (Score:2, Insightful)

    Set up the whole network behind a machine doing NAT. Users can use DHCP to connect. If a user wants to run a server, give them a static internal IP and assign an external IP and forward all traffic through to their box. That way, only those who want to accept the responsibility for securing their machines need to worry about security. It also gives you the option of disabling the forwarding rules if a user gets compromised too often.
  • Your first step is to block NetBIOS from the Internet. For more information about the University of Connecticut's efforts to do so, check out this site: http://security.uconn.edu/windows_block.html [uconn.edu]. NetBIOS should not be allowed to traverse WAN links, and you need to work on the network managers at your school ASAP to convince them to block it. Once that block is in place you can move on to fancier methods (local policies, Nessus scans, IDS, etc), but until this is blocked everything else will have you c
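The post above, and the RIT posts earlier in the thread, describe the same border rule: Windows file sharing keeps working between campus hosts, but NetBIOS/SMB is dropped where the campus meets the Internet, in both directions, while everything else still passes because there is no firewall. The following is an added example, not code from the thread or from UConn's page; it evaluates that rule over a few constructed flow records so you can see which flows are touched. The campus prefixes, the log format and the sample flows are constructed for the example; the port list is the standard NetBIOS/SMB set.

```python
"""Added example, not code from the thread or from UConn's page: check the
'block NetBIOS at the border, leave it alone on campus' policy against a few
constructed flow records.

Assumptions not from the page: the campus prefixes and the one-line flow
format are constructed; 203.0.113.0/24 and 198.51.100.0/24 stand in for
'the Internet'.
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "proto src dst dport")

CAMPUS = [ipaddress.ip_network("10.40.0.0/16"),      # constructed ResNet
          ipaddress.ip_network("192.0.2.0/24")]      # constructed academic net
NETBIOS_SMB = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def is_campus(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in CAMPUS)


def parse_flow(line):
    """'proto src dst dport', whitespace separated (constructed format)."""
    proto, src, dst, dport = line.split()
    return Flow(proto.lower(), src, dst, int(dport))


def decide(flow):
    """Return ('deny'|'permit', reason). Only the border matters: a flow with
    both ends on campus is never touched, and a NetBIOS/SMB flow with exactly
    one end on campus is dropped whichever direction it goes."""
    crosses_border = is_campus(flow.src) != is_campus(flow.dst)
    if crosses_border and (flow.proto, flow.dport) in NETBIOS_SMB:
        return "deny", f"{flow.proto}/{flow.dport} across the border"
    return "permit", "internal" if not crosses_border else "not a NetBIOS/SMB port"


def audit(lines):
    """Apply decide() to every flow line; return (verdicts, per-verdict counts)."""
    verdicts = [(line, *decide(parse_flow(line))) for line in lines]
    return verdicts, Counter(v for _, v, _ in verdicts)


# Constructed sample flows.
SAMPLE_LOG = [
    "tcp 10.40.3.9 10.40.7.21 445",      # SMB between two dorm hosts: stays
    "tcp 10.40.3.9 203.0.113.5 445",     # SMB from a dorm host to the Internet: dropped
    "udp 198.51.100.7 10.40.3.9 137",    # inbound NetBIOS name service: dropped
    "tcp 198.51.100.7 10.40.3.9 80",     # inbound HTTP: no firewall, passes
    "tcp 192.0.2.10 10.40.3.9 139",      # academic net to ResNet: on campus, stays
]

if __name__ == "__main__":
    verdicts, counts = audit(SAMPLE_LOG)
    for line, verdict, reason in verdicts:
        print(f"{verdict:6} {line:32} {reason}")
    print(dict(counts))
```

The check is symmetric on purpose: an inbound 137/udp probe from the Internet and an outbound 445/tcp connection from an infected dorm box both hit the deny, while the same ports between two campus hosts, or any other port across the border, are left alone.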
  • At my school, which has around 7000 undergraduates plus several professional schools, we employ several tactics to protect our network. We have a set of monitoring tools that detect abnormal network activity from viruses or machines that may have been compromised, as well as machines that are using unusually high amounts of bandwidth. We also have a system that requires registration of every MAC address on the residential network to a student's network ID, so every computer can be associated with a person.
  • I work for the Housing Dept at my school, doing tech support. We're just responsible from the jack in the room out, don't deal with routers/switches or wiring in the walls. All the rooms just have one jack, so if both roommates want to get a connection, they have to use a hub or switch (we won't help them with those little Linksys router type deals).

    When Network Services (the folks that watch the routers/switches) find someone that is abusing the network, they just turn off the port. Sometimes they'll c
  • Curious as to which University you work for and what your exact job is there...

    At CMU, we have a very nice perl script that we can use to add ACLs to our routers (Cisco 6509s) to block all traffic off the subnet to and from hosts who are infected or about whom we receive email from RIAA/MPAA/Random studio saying that they have been caught serving copyrighted material. We force all users to register their MAC address with us, and all Residence network machines are using dhcp supplied static global IP addres
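The "Route of Death" post earlier in the thread and the CMU post above both script the same action: push a per-host entry onto a core router so a compromised host is cut off without anyone walking to a switch. The following is an added example, not the CMU script and not code from any poster; it builds the commands in Cisco IOS syntax (an assumption, as is the constructed ResNet prefix, the constructed protected-address list, the route tag and the ACL name) with the guard a practitioner wants before a script touches a core router: refuse anything outside the ResNet range or on the infrastructure list, so an IDS false positive or a typo cannot black-hole a gateway. One caveat the ROD description glosses over: a static route to Null0 discards packets sent *to* the host; packets *from* it keep flowing unless the router also drops them, which the ACL entries here do (unicast RPF checking against the null route is the other common way).

```python
"""Added example, not code from the thread or from CMU's script: build the
router commands that isolate a compromised ResNet host, with the guard checks
such a script needs before it touches a core router.

Assumptions not taken from the page: Cisco IOS syntax, a constructed ResNet
prefix, a constructed list of addresses that must never be black-holed, a
route tag so a redistribution route-map can match only these routes, and a
hypothetical ACL name.
"""
import ipaddress

RESNET = [ipaddress.ip_network("10.40.0.0/16")]            # constructed ResNet range
PROTECTED = {ipaddress.ip_address("10.40.0.1"),             # constructed: gateway
             ipaddress.ip_address("10.40.0.53")}            # constructed: resolver
ROD_TAG = 666                                               # route tag for Route of Death entries
ACL_NAME = "RESNET-QUARANTINE"                              # hypothetical ACL name


def is_valid_target(ip_str):
    """Only IPv4 hosts inside the ResNet range and not on the protected list may
    be quarantined; anything else is a typo or a false positive that would
    take down infrastructure."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version != 4 or ip in PROTECTED:
        return False
    return any(ip in net for net in RESNET)


def null_route_commands(ip_str, remove=False):
    """IOS static host route to Null0 (drops traffic destined to the host)."""
    if not is_valid_target(ip_str):
        raise ValueError(f"refusing to black-hole {ip_str}")
    ip = ipaddress.ip_address(ip_str)
    prefix = "no " if remove else ""
    return [f"{prefix}ip route {ip} 255.255.255.255 Null0 tag {ROD_TAG}"]


def acl_commands(ip_str, remove=False):
    """Named extended ACL entries dropping traffic from and to the host. The ACL
    is assumed to already exist, end in 'permit ip any any' and be applied on
    the ResNet interface; only the per-host deny lines are generated here."""
    if not is_valid_target(ip_str):
        raise ValueError(f"refusing to quarantine {ip_str}")
    ip = ipaddress.ip_address(ip_str)
    prefix = "no " if remove else ""
    return [
        f"ip access-list extended {ACL_NAME}",
        f" {prefix}deny ip host {ip} any",
        f" {prefix}deny ip any host {ip}",
    ]


def quarantine_batch(ip_strs):
    """Commands for a list of flagged hosts, plus the ones that were refused
    (those should go back to a human, not silently disappear)."""
    commands, refused = [], []
    for ip_str in ip_strs:
        if is_valid_target(ip_str):
            commands += null_route_commands(ip_str) + acl_commands(ip_str)
        else:
            refused.append(ip_str)
    return commands, refused


if __name__ == "__main__":
    cmds, bad = quarantine_batch(["10.40.12.34", "10.40.0.1", "203.0.113.9", "10.40.200.7"])
    print("\n".join(cmds))
    print("refused:", bad)
```

Pass `remove=True` to get the matching `no ...` lines when the owner has shown the machine is patched; keeping both halves in one script is what makes the "turn it off, turn it back on" loop the thread describes cheap enough to actually run.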
  • I know I am a bit late, but so far nobody else has mentioned LaBrea [hackbusters.net].

    This is a tool for Linux and Windows, that can even be run on a Linux boot floppy on an unused PC.

    ""LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very lo
