Handling User Grown Machines on a Large Network?

matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"
  • Domain logons (Score:5, Informative)

    by kevin_conaway ( 585204 ) on Saturday August 30, 2003 @12:43PM (#6833360) Homepage
    At my university, at least for the public machines, when you log on to the domain, a script executes that automatically patches your machine and runs fixblast and fixwelch. You might want to investigate something like that.
  • Possible solution (Score:5, Informative)

    by Phleg ( 523632 ) * <stephen@@@touset...org> on Saturday August 30, 2003 @12:43PM (#6833363)
    Do some intrusion detection on the network--possibly through Snort. If any machine is spamming out MSBlast messages or Sobig emails, drop their connection via MAC address and refuse to give them another DHCP lease. Then, when the person comes in to complain, let them know their computer was infected and flooding the network, and give them a floppy with the proper security patch on it.

    It might be a bit annoying to automate the process (except for handing out floppies) at first, but it seems like it could significantly help, while at the same time educating users to update their patches.
  • one way. (Score:5, Informative)

    by grub ( 11606 ) <slashdot@grub.net> on Saturday August 30, 2003 @12:44PM (#6833371) Homepage Journal

    Ensure that home machines (ones that you haven't configured) get IPs in a VLAN group which you've bandwidth throttled on the routers/switches along the way, so the rest of the VLANs don't get choked by home-grown disasters.

    Machines you have control over can get IPs in another VLAN which isn't throttled, or at least not as much as your "uncontrollable" VLAN. At the router where the VLANs can meet have strong ACLs and traffic flow control.

    Just because you give them access with their own machines doesn't mean you have to give them unrestrained access.
  • managed switches (Score:5, Informative)

    by Feyr ( 449684 ) * on Saturday August 30, 2003 @12:45PM (#6833374) Journal
    Assuming your network is switched, and your switches are "manageable" (i.e. you can log into them remotely):

    You could have an IDS (or similar) with a rule looking for specific attacks (i.e. Blaster). When you detect such an attack, fire off a script that shuts down the user's port on the switch. They'll bitch and moan that they can't access the net, but you'll know who they are now and can charge them a cleanup fee (make sure to include it in the terms of use).

    Another solution is to require anyone bringing a computer from home to have it inspected by your techs, block access based on MAC address, and only give them access once they've passed the test. It does require more resources though, and ideally you'd still need the first option (in case someone reinstalls Windows).
  • fix packets (Score:2, Informative)

    by zumbojo ( 615389 ) on Saturday August 30, 2003 @12:46PM (#6833386) Homepage
    I work as a tech for a major midwestern university. Aside from offering a website with complete instructions, we published packets bundled with CDs that guide the students visually through the process of fixing Blaster and Welchia and installing Norton AntiVirus. With so many pictures in the guide we have yet to have anyone mess it up.
  • Re:You could just... (Score:1, Informative)

    by Anonymous Coward on Saturday August 30, 2003 @12:51PM (#6833429)

    > flooded with virii every now

    Repeat after me: viruses not "virii"
  • by NMerriam ( 15122 ) <NMerriam@artboy.org> on Saturday August 30, 2003 @12:55PM (#6833458) Homepage
    > Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

    Unfortunately not -- updating random systems is harder than it seems. When we got hit at our university I helped out cleaning a bunch of systems and I couldn't believe how long it took -- Win2k installs had to have Service Pack 4 installed before you could apply the security patch for the worm, other dependencies changed because of that, had to install and update the university version of Norton AntiVirus, which refused to install on many systems unless I started them in safe mode, etc. All in all, the half-dozen systems I cleaned up took several hours because of all the rebooting and screwing around that was necessary before the patch could even be applied.

    The XP and 98 systems were a piece of cake, though.
  • Re:forcefully (Score:3, Informative)

    by Anonymous Coward on Saturday August 30, 2003 @12:57PM (#6833478)
    Software update service (SUS) - MS website

    Basically it's a Windows Update server that you run yourself; you can approve which updates it allows clients to download.

    check it out.
  • by acehole ( 174372 ) on Saturday August 30, 2003 @12:59PM (#6833499) Homepage
    When the blaster worm hit, we had to work for a few days to clear the thing from the staff network.

    Now that we've well and truly cleared it after much scanning to make sure, we've moved on to the on-campus students' network.

    We have to physically go to each room, patch and scan to remove both Blaster and Welchia.

    It's both an annoyance for us and the students who pretty much treat us like unwanted guests on their pcs.
  • Re:My Uni's policy (Score:2, Informative)

    by poj ( 51794 ) on Saturday August 30, 2003 @01:07PM (#6833550)
    This is actually a very good idea. You block offenders in the switch. My school has done the same during this Blaster episode, and I believe it has worked very well. Of course it helped that Blaster became active before the start of the autumn term, because not all students had come back after the summer.

    And of course, block the right incoming traffic in the border routers.
  • Re:managed switches (Score:2, Informative)

    by bluehell ( 20672 ) on Saturday August 30, 2003 @01:46PM (#6833803)
    > fire off a script that shuts down the user's
    > port on the switch

    oh yeah. then the script kiddies are going to spoof your packets and your *whole* network comes to an end. VERY good idea.
  • by Animats ( 122034 ) on Saturday August 30, 2003 @02:57PM (#6834203) Homepage
    I'd suggest putting a stateful firewall in which examines the traffic from each MAC address, validates the IP address, and only allows HTTP transactions by default. Provide webmail for students, so they don't have to run a mail client. Put them all on encrypting cable modems, so local machines aren't on the same LAN. All they can talk to is the headend firewall.

    In that configuration, they can surf the Internet freely, and can download anything they want, but can't mess up anyone else.

    That's the default configuration. Students who want more have to go through the exercise of securing their machines, after which both the student and the machine get tested. Then they get more access.

  • Re:To start with .. (Score:4, Informative)

    by benhaha ( 456005 ) on Saturday August 30, 2003 @03:21PM (#6834366)
    > what happens if a patch is bad and you suddenly have several thousand students show up screaming "your patch killed my machine with my term paper on it!"?

    This happened to a friend of mine recently, only it was a hardware fault. The fact is that after fans, hard disks are the most failure-prone piece of equipment in the computer.

    There is only one thing you can really do about this: Back it up.

    If you are likely to be on the receiving end of the complaints, you may find it helpful to provide a backup service. It should consist of the following components:

    • A password-protected location on the University's servers for each user where they can store X MB of data of their choice.
    • Both Redundant storage and regular backups of same.
    • A policy for what users may store there.
    • An explanation of how to use the service, using, for example, NTBackup (free with XP) or similar software which is included with the operating system in question.
    • Agreement in principle from the faculty that tutors, administrative staff, or IT staff will assist in the backup process. (Automating it might be a project for a couple of first year CS students).
    • A document (electronic or otherwise) explaining all the above and making it clear that:
      1. The university requires them to run certain software, including up-to-date patches and virus scanners. The university recommends other software, such as personal firewalls.
      2. The backup service is available in case they have any problems, in particular problems related to software the university requires them to run, or recommends, but also other problems.
      3. It is the student's responsibility to run backups. If the student has not backed up recently and a problem occurs for any reason it is their own responsibility.
      4. They should ask their study partners or tutors for assistance with the backup process if they don't understand it. Getting help is also their own responsibility.
    • Regular/occasional emails and paper memos reminding the student of these facts. Get the student newspaper involved: It's much better if they run an education campaign rather than criticise you afterwards for doing too little.

    Remember, the more the student body is involved and empowered (euphemism for being told it is their own responsibility), the less you will have to do about it.

    If you really want to over-egg the pudding you might even make versioned backups available, so they can find what they had six weeks ago -- might be useful for some.

    Good luck.

  • by HardCase ( 14757 ) on Saturday August 30, 2003 @03:39PM (#6834435)
    > But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.


    Yes, but the key difference between insurance and the lottery is that the dangers that you purchase insurance protection for are real and have a statistically significant chance of occurring to you. The lottery ticket that you buy provides you with a statistically insignificant chance to win a pile of money.


    I agree that I would be pretty darn happy to have the winning ticket or an insurance policy if either one paid off, but my chances of needing the insurance are significantly greater (by orders of magnitude) than are my chances of winning the PowerBall.


    That doesn't even consider the different insurances that we are required to have by law or by contract. Get pulled over by the police without liability insurance and see what happens. Try to get a mortgage on a house without homeowner's insurance. How about getting a bank to finance a car without comprehensive and collision coverage? They require that coverage, not because the chances of needing them are greater than zero but because the chances of needing them are significantly greater than zero.


    Just food for thought, the Department of Transportation says that about 20 million vehicles are involved in accidents each year and an individual driver can expect to be in one, on the average, every six years. So, if I pay my $40 per month in liability insurance on my car, in 72 months I'll have paid $2880.00. Earlier this year, my wife got hit by a car in a low speed collision. After the medical bills, repair bills and rental car bills were paid, the grand total came out to be about $8000.00. Now, our insurance didn't pay, but you can bet that the other driver was damn glad to have a liability insurance policy.


    -h-

  • Re:No more (Score:5, Informative)

    by arivanov ( 12034 ) on Saturday August 30, 2003 @04:33PM (#6834738) Homepage
    Not really an option. And an incorrectly managed Linux machine on an academic network can be almost as big a threat to the outer world as Windows. I am speaking from experience, as I have dealt with OC3+ floods coming from zombies in student dorms long before people started to apply "voodoo" to Windows machines. It was Linux, BSD, Solaris and other Unix systems in those (pre-BO) times. Quite often it still is.

    Still, you can very easily deal with it.

    1. Move dorms to private addresses so that you do not have an address space constraint as the next step will eat addresses like there is no tomorrow.
    2. Subnet the network into a small salad and put each slice of the salad into a separate VLAN.
    3. 802.1q the vlans up to a linux box, bsd box or a cisco that has enough grunt to filter (72xx VXR or similar comes to mind, bigger ones have a hard time filtering, smaller ones cannot handle the bandwidth).
    4. Filter on all 802.1q interfaces on the linux/bsd/cisco.

    As a result you contain any clap to a small subnet.

    Note that everybody will hate you initially. People definitely did hate me 8+ years ago as this was one of the things I did to deal with a similar problem (one dept in the building I managed was being hacked left right and center).
  • Actually (Score:4, Informative)

    by KalvinB ( 205500 ) on Saturday August 30, 2003 @04:44PM (#6834783) Homepage
    At my University, they've started to do that. If your machine is spitting out garbage they kill your connection and call (e-mail) whoever is responsible for maintaining the system and notify them that they need to get the problem fixed before their IP will become active again.

    We haven't done it in our lab (there are multiple on campus) yet as there's no impending doom if we don't, but we're looking to secure our work area with a router that blocks all ports and then use 192.168.0.* IPs behind it. Which allows us to fresh install Windows or whatever and not have to worry about getting infected before we can get them up to date.

    It'd be trivial for a University to set up such an area and if a user is trouble, kill their connection and call them and tell them to bring their system down to the secured lab to be patched and fixed.

    My home network which has every flavor of Windows running was completely unaffected by the Blaster worm simply because I run a router intelligently.

    It's really not that hard to not get infected.

    Ben
  • by Ezdaloth ( 675945 ) on Saturday August 30, 2003 @06:48PM (#6835323) Homepage
    At our college, your machine is taken off the network (by disabling the port on the switch your machine is on) until you install the patches and de-infect your machine. That means you have no access to the internet until you call the helpdesk, and they will turn you back on so you can download the patch etc. Of course, you get locked out again if you don't. :) It works very well, because when people get cut off the internet, they normally want to get back on it, so they will fix their PC very soon ...
  • Re:To start with .. (Score:2, Informative)

    by dknj ( 441802 ) on Saturday August 30, 2003 @07:08PM (#6835399) Journal
    > Could the school get a license from an AntiViri company to cover all students, force everybody to run it as policy, script the updates...

    Yes and No. Unless the students agree to a school mandatory software policy then you're fine. Otherwise, McAfee offers a license to universities which allows all students and faculty to use virus scan software. At our school, everyone is urged to download the virus scanner though they are not required to (unless it's a university owned computer).

    I stay far away from the dorms because everyone seems to use me for help (I'm a sucker and will usually help them), so I don't know how our school is standing up to the worm in the dorms.

    -dk
  • by homer_ca ( 144738 ) on Saturday August 30, 2003 @08:44PM (#6835762)
    If your network hasn't been infected yet you can be more proactive by scanning for vulnerable Windows machines instead of for Blaster traffic. Use Nessus or Eeye's free RPC scanner. Then ban any vulnerable machines. This should be done in addition to and not instead of scanning for Blaster because the "good" Blaster will download and install the RPC patch.
  • by RedSynapse ( 90206 ) on Sunday August 31, 2003 @01:38AM (#6836663)
    I work for tech support for a large (30,000+ students) university. This fall we're expecting as many as 30 percent of the machines coming to residence to be infected with a worm.

    To defend against this we're going to scan all machines over the network during the registration process, and if the machine is vulnerable the browser will get redirected to a webpage with the relevant patches, which the client must apply or they won't be able to connect to anything but our internal authentication VLAN.

    One of the reasons our networks get hammered during any worm incident is that there are so many machines connected to the network that just aren't ever patched. Eventually we just have to manually shut down the ports infected machines are connected to and wait till clients call to complain, so we can explain why they've been disconnected.
  • Re:managed switches (Score:2, Informative)

    by qux.net ( 107853 ) on Sunday August 31, 2003 @10:03PM (#6841970) Homepage
    That's actually exactly what we did. The router/firewall has rules to log and send SMTP and port 135 to a monitoring box, and the monitoring box also asks the router every few minutes for a dump of 30000 ICMP packets or 5 seconds worth, whichever is less, and based on rules to define virus-like behavior (and likely spam - either is against the AUP) notifies Network Services and the Help Desk. If it identifies an individual responsible for the machine they automatically get notified by the incident system when it is created (there is a delay in dropping the MAC into a restricted VLAN, so if they're checking their email...).

    Works very well, although the Help Desk is rather busy due to all the people stopping by to pick up patch CDs.
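As an added example (not code from any poster in this thread), here is the detection logic Feyr and qux.net describe, in Python over constructed flow records, with bluehell's spoofing objection addressed by keying every verdict on the source MAC the switch learned and checking it against a DHCP lease table. The MAC addresses, IP ranges and the sweep threshold are assumed sample values.

```python
from collections import defaultdict

# One flow record = (src_mac, src_ip, dst_ip, proto, dst_port); all constructed.
def build_sample_flows():
    flows = []
    # Blaster-style host: TCP/135 to 30 sequential neighbours.
    flows += [("aa:bb:cc:00:00:01", "10.1.2.10", f"10.1.3.{i}", "tcp", 135)
              for i in range(1, 31)]
    # Clean host: a little web browsing and one ping to the gateway.
    flows += [("aa:bb:cc:00:00:02", "10.1.2.11", d, "tcp", 80)
              for d in ("192.0.2.10", "192.0.2.20", "198.51.100.5")]
    flows.append(("aa:bb:cc:00:00:02", "10.1.2.11", "10.1.2.1", "icmp", 0))
    # Spoofer: sweeps TCP/135 while forging the clean host's IP as source.
    flows += [("aa:bb:cc:00:00:03", "10.1.2.11", f"10.1.4.{i}", "tcp", 135)
              for i in range(1, 31)]
    # Welchia-style host: ICMP echo sweep of 25 neighbours.
    flows += [("aa:bb:cc:00:00:04", "10.1.2.13", f"10.1.5.{i}", "icmp", 0)
              for i in range(1, 26)]
    return flows

# Constructed DHCP lease table: MAC -> IP the server handed out.
LEASES = {
    "aa:bb:cc:00:00:01": "10.1.2.10",
    "aa:bb:cc:00:00:02": "10.1.2.11",
    "aa:bb:cc:00:00:03": "10.1.2.12",
    "aa:bb:cc:00:00:04": "10.1.2.13",
}

SWEEP_THRESHOLD = 20  # distinct destinations per window; assumed tuning value

def quarantine_candidates(flows, leases, threshold=SWEEP_THRESHOLD):
    """Return {src_mac: [reasons]} for MACs to move into the restricted VLAN.
    Decisions key on the MAC the switch learned, never on the source IP
    alone, because the IP is the trivially forged field."""
    tcp135, icmp, spoofed = defaultdict(set), defaultdict(set), defaultdict(int)
    for mac, sip, dip, proto, dport in flows:
        if leases.get(mac) != sip:
            # Source IP does not match this MAC's lease: charge it to the
            # sender, not to whoever legitimately holds that IP.
            spoofed[mac] += 1
            continue
        if proto == "tcp" and dport == 135:
            tcp135[mac].add(dip)
        elif proto == "icmp":
            icmp[mac].add(dip)
    verdicts = {}
    for mac in set(tcp135) | set(icmp) | set(spoofed):
        reasons = []
        if len(tcp135[mac]) >= threshold:
            reasons.append("tcp135-sweep")
        if len(icmp[mac]) >= threshold:
            reasons.append("icmp-sweep")
        if spoofed[mac]:
            reasons.append("spoofed-source")
        if reasons:
            verdicts[mac] = reasons
    return verdicts
```

In a real deployment the MAC would come from the switch's forwarding table for the port, so the shutdown lands on the port actually emitting the traffic rather than on whoever's IP was forged.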
