Handling User Grown Machines on a Large Network?
matth asks: "Recently, with the outbreak of the MSBLASTER worm and the start of the college semester here in the US, we've been hit by a big problem where I work. Many students are bringing in machines from home, oftentimes infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"
Domain logons (Score:5, Informative)
Possible solution (Score:5, Informative)
It might be a bit annoying to automate the process (except for handing out floppies) at first, but it seems like it could significantly help, while at the same time educating users to update their patches.
one way. (Score:5, Informative)
Ensure that home machines (ones that you haven't configured) get IPs in a VLAN group which you've bandwidth-throttled on the routers/switches along the way, so the rest of the VLANs don't get choked by home-grown disasters.
Machines you have control over can get IPs in another VLAN which isn't throttled, or at least not as much as your "uncontrollable" VLAN. At the router where the VLANs can meet have strong ACLs and traffic flow control.
Just because you give them access with their own machines doesn't mean you have to give them unrestrained access.
managed switches (Score:5, Informative)
You could have an IDS (or similar) with a rule looking for specific attacks (i.e. Blaster). When you detect such an attack, fire off a script that shuts down the user's port on the switch. They'll bitch and moan that they can't access the net, but you'll know who they are now and charge them a cleanup fee (make sure to include it in the terms of use).
Another solution is to require anyone bringing a computer from home to have it inspected by your techs, block access based on MAC address, and only give them access once they've passed the test. It does require more resources though, and ideally you'd still need the first option (in case someone reinstalls Windows).
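The detect-and-disconnect loop described above, as an added example (not code from the thread). It assumes Snort-style "fast" alert lines with made-up local rule IDs, an ARP table and a switch MAC table dumped as two-column text, and a hypothetical interface/shutdown CLI; all three inputs are constructed samples.

```python
"""Map IDS alerts for a worm signature to the switch port to shut down.

Added example, not code from the thread. Inputs are constructed samples:
Snort-style "fast" alert lines (with made-up local rule IDs), an ARP
table and a switch MAC table dumped as text. The "interface/shutdown"
command syntax is a hypothetical stand-in for the real switch CLI.
"""
import re
from collections import defaultdict

# Constructed alert lines: one host scanning tcp/135 across the subnet and
# then touching the 4444 backdoor, plus one host making a single connection.
ALERTS = """\
09/02-14:01:03.112233  [**] [1:1000001:1] LOCAL DCOM RPC bind to tcp/135 [**] [Priority: 1] {TCP} 10.20.3.17:1088 -> 10.20.3.44:135
09/02-14:01:03.550000  [**] [1:1000001:1] LOCAL DCOM RPC bind to tcp/135 [**] [Priority: 1] {TCP} 10.20.3.17:1090 -> 10.20.3.45:135
09/02-14:01:04.000100  [**] [1:1000001:1] LOCAL DCOM RPC bind to tcp/135 [**] [Priority: 1] {TCP} 10.20.3.17:1091 -> 10.20.3.46:135
09/02-14:01:05.300000  [**] [1:1000001:1] LOCAL DCOM RPC bind to tcp/135 [**] [Priority: 1] {TCP} 10.20.3.99:1055 -> 10.20.3.44:135
09/02-14:01:06.000000  [**] [1:1000002:1] LOCAL Blaster backdoor shell tcp/4444 [**] [Priority: 1] {TCP} 10.20.3.17:1200 -> 10.20.3.44:4444
"""

# Constructed "arp -a"-style and "show mac-address-table"-style dumps.
ARP_TABLE = """\
10.20.3.17 00:0c:29:aa:bb:cc
10.20.3.44 00:0c:29:11:22:33
10.20.3.99 00:0c:29:99:99:99
"""
MAC_TABLE = """\
00:0c:29:aa:bb:cc FastEthernet0/17
00:0c:29:11:22:33 FastEthernet0/44
"""

WORM_SIDS = {1000001, 1000002}   # rule IDs treated as worm activity (constructed)

ALERT_RE = re.compile(
    r"\[1:(?P<sid>\d+):\d+\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            out.append(d)
    return out


def offenders(alerts, min_targets=3):
    """Sources that hit worm rules against at least min_targets distinct hosts.

    Counting distinct destinations (scanning behaviour) rather than raw alert
    count keeps a single stray connection from taking a port down.
    """
    targets = defaultdict(set)
    for a in alerts:
        if a["sid"] in WORM_SIDS:
            targets[a["src"]].add(a["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def _two_column(text):
    return dict(line.split() for line in text.splitlines() if line.strip())


def locate_port(ip, arp_text, mac_text):
    """IP -> MAC (ARP table) -> switch port (MAC table); None if either lookup fails."""
    mac = _two_column(arp_text).get(ip)
    return _two_column(mac_text).get(mac) if mac else None


def shutdown_plan(alert_text, arp_text, mac_text, min_targets=3):
    """Return ({ip: port} for offenders placed on a port, [CLI lines]).

    An offender that cannot be mapped to a port gets no command at all.
    """
    plan = {}
    for ip in sorted(offenders(parse_alerts(alert_text), min_targets)):
        port = locate_port(ip, arp_text, mac_text)
        if port:
            plan[ip] = port
    commands = [f"interface {port}\n shutdown" for port in plan.values()]
    return plan, commands


if __name__ == "__main__":
    plan, cmds = shutdown_plan(ALERTS, ARP_TABLE, MAC_TABLE)
    print(plan)
    print("\n".join(cmds))
```

The script only acts on a source that has touched several distinct hosts, so one stray connection does not drop a port, and it emits nothing when the IP cannot be mapped to a port. It does nothing about the spoofing objection raised further down the thread: if the IDS can be fed forged source addresses that resolve to a neighbour's port, the script will shut that neighbour off just as readily.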
fix packets (Score:2, Informative)
Re:You could just... (Score:1, Informative)
flooded with virii every now
Repeat after me: viruses not "virii"
Re:I'm actually wanting to know the same thing, bu (Score:3, Informative)
Unfortunately not -- updating random systems is harder than it seems. When we got hit at our university I helped out cleaning a bunch of systems and I couldn't believe how long it took -- Win2k installs had to have Service Pack 4 installed before you could apply the security patch for the worm, other dependencies changed because of that, had to install and update the university version of Norton AntiVirus, which refused to install on many systems unless I started them in safe mode, etc. All in all, the half-dozen systems I cleaned up took several hours because of all the rebooting and screwing around that was necessary before the patch could even be applied.
The XP and 98 systems were a piece of cake, though.
Re:forcefully (Score:3, Informative)
Basically it's a Windows Update server that you run yourself; you can approve which updates it allows clients to download.
check it out.
What is happening at my university... (Score:5, Informative)
Now that we have well and truly cleared it, after much scanning to make sure, we've moved on to the on-campus students' network.
We have to physically go to each room, patch, and scan to remove both Blaster and Welchia.
It's both an annoyance for us and the students who pretty much treat us like unwanted guests on their pcs.
Re:My Uni's policy (Score:2, Informative)
And of course, block the right incoming traffic in the border routers.
Re:managed switches (Score:2, Informative)
> port on the switch
Oh yeah. Then the script kiddies are going to spoof your packets and your *whole* network comes to an end. VERY good idea.
Block everything but HTTP (Score:3, Informative)
In that configuration, they can surf the Internet freely, and can download anything they want, but can't mess up anyone else.
That's the default configuration. Students who want more have to go through the exercise of securing their machines, after which both the student and the machine get tested. Then they get more access.
Re:To start with .. (Score:4, Informative)
This happened to a friend of mine recently, only it was a hardware fault. The fact is that after fans, hard disks are the most failure-prone piece of equipment in the computer.
There is only one thing you can really do about this: Back it up.
If you are likely to be on the receiving end of the complaints, you may find it helpful to provide a backup service. It should consist of the following components:
Remember, the more the student body is involved and empowered (euphemism for being told it is their own responsibility), the less you will have to do about it.
If you really want to over-egg the pudding you might even make versioned backups available, so they can find what they had six weeks ago -- might be useful for some.
Good luck.
Re:So tired of this joke... (Score:5, Informative)
Yes, but the key difference between insurance and the lottery is that the dangers that you purchase insurance protection for are real and have a statistically significant chance of occurring to you. The lottery ticket that you buy provides you with a statistically insignificant chance to win a pile of money.
I agree that I would be pretty darn happy to have the winning ticket or an insurance policy if either one paid off, but my chances of needing the insurance are significantly greater (by orders of magnitude) than are my chances of winning the PowerBall.
That doesn't even consider the different insurances that we are required to have by law or by contract. Get pulled over by the police without liability insurance and see what happens. Try to get a mortgage on a house without homeowner's insurance. How about getting a bank to finance a car without comprehensive and collision coverage? They require that coverage, not because the chances of needing them are greater than zero but because the chances of needing them are significantly greater than zero.
Just food for thought, the Department of Transportation says that about 20 million vehicles are involved in accidents each year and an individual driver can expect to be in one, on the average, every six years. So, if I pay my $40 per month in liability insurance on my car, in 72 months I'll have paid $2880.00. Earlier this year, my wife got hit by a car in a low speed collision. After the medical bills, repair bills and rental car bills were paid, the grand total came out to be about $8000.00. Now, our insurance didn't pay, but you can bet that the other driver was damn glad to have a liability insurance policy.
-h-
Re:No more (Score:5, Informative)
Still, you can very easily deal with it.
1. Move dorms to private addresses so that you do not have an address space constraint as the next step will eat addresses like there is no tomorrow.
2. Subnet the network into a small salad and put each slice of the salad into a separate VLAN.
3. 802.1q the vlans up to a linux box, bsd box or a cisco that has enough grunt to filter (72xx VXR or similar comes to mind, bigger ones have a hard time filtering, smaller ones cannot handle the bandwidth).
4. Filter on all 802.1q interfaces on the linux/bsd/cisco.
As a result you contain any clap to a small subnet.
Note that everybody will hate you initially. People definitely did hate me 8+ years ago, as this was one of the things I did to deal with a similar problem (one dept in the building I managed was being hacked left, right and center).
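The per-VLAN filtering from the four steps above, together with the web-only default policy from the "Block everything but HTTP" post, as one added example rather than any poster's own configuration. It targets a Linux box on the 802.1q trunk (the first of the three router options named in step 3); the interface names, VLAN IDs, private address plan and worm port list are assumptions, and the functions only generate command lines so they can be reviewed before being applied.

```python
"""Per-VLAN worm containment on a Linux 802.1q router, plus a web-only default.

Added example, not code from the thread. Interface names, VLAN IDs and the
private address plan are assumptions; the functions only generate "ip" and
"iptables" command lines so they can be reviewed before use.
"""
TRUNK = "eth0"    # assumed: 802.1q trunk from the dorm switches
UPLINK = "eth1"   # assumed: toward the campus core / Internet
# Assumed private address plan: one small subnet per VLAN (the "salad").
DORM_VLANS = {10: "10.20.10.1/24", 11: "10.20.11.1/24", 12: "10.20.12.1/24"}
# Ports Blaster spreads on: DCOM RPC 135, its 4444 backdoor, TFTP 69 for the
# binary fetch; 139/445 cover the SMB-borne worms of the same period.
WORM_TCP = (135, 139, 445, 4444)
WORM_UDP = (69,)


def vlan_setup(trunk=TRUNK, vlans=DORM_VLANS):
    """Commands that create one 802.1q subinterface per VLAN on the trunk."""
    cmds = []
    for vid, cidr in sorted(vlans.items()):
        sub = f"{trunk}.{vid}"
        cmds += [
            f"ip link add link {trunk} name {sub} type vlan id {vid}",
            f"ip addr add {cidr} dev {sub}",
            f"ip link set {sub} up",
        ]
    return cmds


def containment_rules(trunk=TRUNK, uplink=UPLINK, vlans=DORM_VLANS):
    """FORWARD rules dropping the worm ports between every ordered pair of
    interfaces (VLAN to VLAN, VLAN to uplink, uplink to VLAN).

    Traffic that stays inside one VLAN never crosses the router, so an
    infection can only ever reach the hosts in its own small subnet.
    """
    ifaces = [f"{trunk}.{v}" for v in sorted(vlans)] + [uplink]
    tcp = ",".join(map(str, WORM_TCP))
    udp = ",".join(map(str, WORM_UDP))
    rules = []
    for src in ifaces:
        for dst in ifaces:
            if src == dst:
                continue
            rules.append(f"-A FORWARD -i {src} -o {dst} -p tcp -m multiport --dports {tcp} -j DROP")
            rules.append(f"-A FORWARD -i {src} -o {dst} -p udp -m multiport --dports {udp} -j DROP")
    return rules


def web_only_rules(vid, trunk=TRUNK, uplink=UPLINK):
    """Default policy for an untested machine's VLAN: web browsing (and the
    DNS it needs) out to the uplink, replies back, everything else dropped.

    Append these after containment_rules() so the worm-port drops match first.
    """
    sub = f"{trunk}.{vid}"
    return [
        f"-A FORWARD -i {sub} -o {uplink} -p udp --dport 53 -j ACCEPT",
        f"-A FORWARD -i {sub} -o {uplink} -p tcp -m multiport --dports 80,443 "
        f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
        f"-A FORWARD -i {uplink} -o {sub} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -i {sub} -j DROP",
        f"-A FORWARD -o {sub} -j DROP",
    ]


def render(rules, policy="ACCEPT"):
    """Wrap rules as iptables-restore input. Policy ACCEPT leaves VLANs that
    have no web_only_rules() (the tested/trusted ones) unrestricted apart
    from the containment drops; switch to DROP once every VLAN has an
    explicit allow list."""
    return "\n".join(["*filter", f":FORWARD {policy} [0:0]", *rules, "COMMIT"]) + "\n"


if __name__ == "__main__":
    print("\n".join(vlan_setup()))
    print(render(containment_rules() + web_only_rules(10)))
```

Run the vlan_setup() lines in a shell and feed render(...) to iptables-restore. Only the syntax changes on the 72xx-class box from step 3; the structure is the same, one filter per subinterface in each direction.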
Actually (Score:4, Informative)
We haven't done it in our lab (there are multiple on campus) yet, as there's no impending doom if we don't, but we're looking to secure our work area with a router that blocks all ports and then use 192.168.0.* IPs behind it, which allows us to fresh-install Windows or whatever and not have to worry about getting infected before we can get them up to date.
It'd be trivial for a university to set up such an area, and if a user is trouble, kill their connection, call them, and tell them to bring their system down to the secured lab to be patched and fixed.
My home network which has every flavor of Windows running was completely unaffected by the Blaster worm simply because I run a router intelligently.
It's really not that hard to not get infected.
Ben
Why not cut off infected computers ? (Score:2, Informative)
Re:To start with .. (Score:2, Informative)
Yes and no. Unless the students agree to a mandatory school software policy, then you're fine. Otherwise, McAfee offers a license to universities which allows all students and faculty to use its virus scan software. At our school, everyone is urged to download the virus scanner, though they are not required to (unless it's a university-owned computer).
I stay far away from the dorms because everyone seems to use me for help (I'm a sucker and will usually help them), so I don't know how our school is standing up to the worm in the dorms.
-dk
Network vulnerability scan (Score:3, Informative)
Our University's Solution (Score:3, Informative)
To defend against this we're going to scan all machines over the network during the registration process, and if the machine is vulnerable, the browser will get redirected to a web page with the relevant patches, which the client must apply or they won't be able to connect to anything but our internal authentication VLAN.
One of the reasons our networks get hammered during any worm incident is that there are so many machines connected to the network that just aren't patched, ever. Eventually we just have to manually shut down the ports infected machines are connected to and wait till clients call to complain, to explain why they've been disconnected.
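The registration-time scan and quarantine decision, as an added example rather than the university's actual system. It probes a host for the TCP ports the worms of the time spread on and quarantines anything that answers; an open port shows the host is exposed to the network, not that it is unpatched, which a plain connect scan cannot tell. The VLAN names, the patch URL and the injectable probe are assumptions.

```python
"""Registration-time exposure check with a quarantine decision.

Added example, not the university's code from the thread. It probes a
host for the TCP ports the 2003 worms spread on; an open port means
"exposed to the network", not "confirmed vulnerable" (that needs the
patch level, which a connect scan cannot see). The VLAN names and the
patch URL are assumptions; probe() is injectable so the logic can be
exercised offline with constructed results.
"""
import socket

EXPOSED_TCP = (135, 139, 445)   # DCOM RPC, NetBIOS session, SMB over TCP
PATCH_URL = "http://netreg.example.edu/patches"   # assumed captive patch page
QUARANTINE_VLAN = "auth-only"   # assumed: reaches only the authentication VLAN
DORM_VLAN = "dorm"


def probe_tcp(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(host, probe=probe_tcp):
    """Which of the worm-bearing ports answer on this host."""
    return {"host": host, "exposed": [p for p in EXPOSED_TCP if probe(host, p)]}


def registration_decision(assessment):
    """Exposed hosts stay in the quarantine VLAN and are redirected to the
    patch page; clean ones are admitted to the dorm VLAN. 'retest' tells the
    portal to offer a re-scan once the patches (or a host firewall) are on."""
    if assessment["exposed"]:
        return {
            "host": assessment["host"],
            "vlan": QUARANTINE_VLAN,
            "redirect": PATCH_URL,
            "retest": True,
            "reason": "tcp ports open: " + ",".join(map(str, assessment["exposed"])),
        }
    return {
        "host": assessment["host"],
        "vlan": DORM_VLAN,
        "redirect": None,
        "retest": False,
        "reason": "no exposed ports",
    }


def register(host, probe=probe_tcp):
    """One registration attempt: scan, then decide."""
    return registration_decision(assess(host, probe))


if __name__ == "__main__":
    # Live run against the local host; a typical workstation reports nothing exposed.
    print(register("127.0.0.1"))
```

A host that closes 135/139/445 with a personal firewall passes this check without being patched, which is exactly the "exposed, not vulnerable" distinction: the gate keeps the worm off the wire, and the patch page is what fixes the box.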
Re:managed switches (Score:2, Informative)
Works very well, although the Help Desk is rather busy due to all the people stopping by to pick up patch CDs.