Domain: netreg.org
Stories and comments across the archive that link to netreg.org.
Comments · 9
-
NetReg
If you check out NetReg, in the download and installation instructions they have steps on how to set up forwards like this. NetReg uses it to require people to register their MAC address. Anyone not registered is forwarded to the registration page, but it would be simply to modify it using their example. We use NetReg at our university, and I am working expanding some of its functionality for my senior project.
-
NetReg
It's used at my university to link a user name with a particular IP and MAC address. I imagine it could be used in this scenario as well. http://www.netreg.org/
-
Re:Is this really that hard?
Actually, yes it can be. I work for a university where the administration is too weak to take ownership and responsibility of the network. As a result our residential network it always trashed and useless to the students. If you are lucky to get the administration to back you up, here are some ideas.
1. Create some policies that lists expectation and consequences of violating. I will refer you to Allegheny College and their policies (note: I do not work for this college, I just respect them for clearly stating their policies.)
http://helpdesk.allegheny.edu/gatornet/antivirusre q.php
2. I will also refer you to NetReg since you only have access to the DHCP server and that is what NetReg does. I encourage you to read the "Contribution" area and some of what other colleges have done. You may also pickup April's issue of "Sys Admin" magazine as they cover some of the contributed work to NetReg.
http://www.netreg.org/contrib/
3. Did I mention get some policies, consequences and support from the university's administration.
Hope this helps. -
+ ettercap
I forgot to mention, we used ettercap to detect attacks.
Ettercap:
http://ettercap.sourceforge.net/
Netreg:
http://www.netreg.org/
Netdisco:
http://netdisco.org/ -
NetReg
I also don't have any control over the network infrastructure itself, just over our DHCP server.
With this you have all you need to run a NetReg server within your infrastructure. With this you can allow users to register their machines automatically. Any user with a virus or other such malware gets their dhcp entry deleted, and they are on a private network that goes to where you define. I would allow antivirus sites, antispyware sites, and windowsupdate only (or better yet, a local mirror).
Have them send an e-mail to user@host once this is complete and you can re-activate their lease. -
Win needs a browser that uses minimal Win services
I worked full time for an University "ResNet" program where it was our job to get student owned computers in the resident halls on the network. Because of the DMCA complaints and network worm problems, we are using SWU's Network Registration System to force a login that is associated with the network card's MAC address. Of course, before prompting for username and password, we setup the system to use SSL encryption. What we found is that 1 out of 10 Windows XP machines either shipped without the DLLs for the Crypto Service properily registered or the registration was lost during install of XP SP1. Microsoft is even aware of the problem.
The bottom line is that about 10% of the students could not get to SSL encrypted web pages. The solution was to promote use of FireFox which doesn't have dependences on these broken Win32 services. What Robert Scoble considers to be an "improvement" for FireFox, I would consider to being a step back making it just as worthless as IE when something causes IE to break. -
Re:nmap on a router?
I think what they are 'trying' to say is the the router itself will scan your machine in a nmap way to see if it can find problems.
From what I've heard, it's some kind of 802.1x extension which takes the patch status of the system into account. It requires a fair deal of cooperation from the host, and we'll see if it makes a difference. I'm sure malware will be adapted accordingly if there's widespread use of this functionality.
The "scan before connect" idea has already been implemented by the NetReg project and its contributors. -
Netreg+PacketeerGet both: they will save you.
Netreg is a DHCP/DNS pseudo-server can also scan for open port 135. The student connects the computer and Netreg hands it an IP in a restricted domain and maps every IP address to itself, so the user can't go anywhere. (You can also alias windowsupdate.com to 127.0.0.1 so that the DOS attack won't affect anything) Copies of the various patches are on the Netreg server, so students can update. Until they patch the holes and agree to our user policy they might as well not be on the net. Once everything is ok it hands the computer a real IP and points it to our real nameserver, so after that they don't notice anything odd.
The Packeteer can shape the traffic on and off campus. We were burning huge amounts of bandwidth on ICMP until we told the Packeteer to kill it. This thing is a great tool: we can tell it to shut off all P2P traffic during "business" hours so students can't affect net performance during classes, we have it prioritize traffic so that email is assured, etc.
-
Re:Security Implementation HOWTO?
Umm, we implented a similar system years ago. It has nothing to do with wireless access.
-aaron