Securing University Residential Networks?
campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. A problem spot I see are the residential networks. For the most part, it is filled with un-patched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events, and an onslaught of DMCA violations have caught the attention of my superiors (as well as his superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group will to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"
I know it isn't the best answer. But it works pretty well against the average Joe. At UC Berkeley pretty much every Ethernet port is guarded with MAC-based security. So now if you have a user acting like a bandwidth black hole, you can easily just drop them off the network, and tell them to fix it via web-based email. When they do, they tell you, and you let them back on.
The school I go to has an effective policy: firstly, they routinely scan the entire campus network for vulnerable machines using Nessus.
If they find vulnerable machines, or if they detect that a machine has been compromised, they notify the owner, and if the problem is not corrected in an appropriate amount of time, turn off the connection at the switch. If that happens, the owner has to prove that the machine is fixed before they will turn it back on.
Admittedly, this is a little draconian, but the other residents appreciate that the network isn't constantly congested with DoS attacks from compromised machines in their dorm.
OK,
I've been off the university student network for some years, but there are occurrences where the user is just disconnected from the network. A mail is sent to the user, the mailbox is monitored, and from the moment the mail is checked, the user is disconnected. I guess that works as a motivation.
They block almost everything and script the hell out of the logs AFAIK. Most common file sharing programs are detected and mails are sent out to the users, irrespective of what the content is on those programs (which is a bit too harsh).
The network is almost down to simple browsing over http, even combined with sliding downstream limitation windows.
I mainly quit because, due to increasing restrictions, it was getting pretty hard to have a decent server running with ssh/cvs/https. And that's worth a commercial service for me at twice the price.
This is the other side of the coin, and pretty annoying for non-Windows, non-browsing-only users.
This almost makes a university network pointless (anyone can install a machine that is able to browse, and not being able to access your machine from other machines reduces it to M$ machines). I guess you can contact one of those sysadmins if you want to get BOFH scripts/blocks/advice.
There are some reasons why such drastic decisions needed to be taken though (e.g. cable access for ssh was extremely slow and basically not usable; vi over ssh for programming is not really an option anymore). I think this is combined with making the software to secure the machines (with howtos) available, bought by the university with student group licenses. I assume that, if no actions are taken on your network, you'll end up in a similar situation where the network gets saturated (and unusable).
I know at the uni I go to, at least one of the residential colleges (which shall remain unnamed) is still suffering from one of the Outlook-exploit viruses that's over two years old! It's not Melissa or I-Love-You, but something of that kind that the unpatched Windows boxes continue to pass around the college network, choking up bandwidth.
I think that having sysadmins regularly scan all machines on the network for known exploits, and then sending the owners an email informing them how to patch their system, is a good idea. If they haven't patched it inside, say, three days, then block their PC from accessing everything you can (eg, college email account, internet access, ...) until they do patch their PC.
Also, disabling emails with .exe, .pif, .com extensions goes a long, long way. Okay, you need a firewall, but having a network such as yours that accesses the internet basically requires a firewall (at the very least!). You say you can't add one in the near future? Well ... you may be up shit creek. Seriously.
This sig intentionally left bla... dammit!
Who's got the whiteout?
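The scan / notify / grace period / block loop described in the two posts above (routine Nessus scans, a warning mail, a cut-off at the switch after a few days, and reconnection only once the owner has shown the machine is fixed) is easy to get subtly wrong: a host that is blocked at the switch can no longer be reached by the scanner, so "no longer shows up as vulnerable" must not be taken as "fixed". The following is an added example, not code from either poster; it keeps the enforcement state in memory, uses a three-day grace period as suggested, and reads constructed report lines in a simple `key=value` format (the real Nessus report format is not reproduced here).

```python
"""Scan / notify / block enforcement with a grace period (added example).

Findings are constructed lines of the form
    host=10.1.1.5 port=139 severity=HIGH name=SMB null session
and not real Nessus output. Only HIGH findings trigger enforcement.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE = timedelta(days=3)          # assumed grace period before the port is cut


def parse_findings(lines):
    """Return a set of IPs with at least one HIGH-severity finding."""
    hosts = set()
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("severity") == "HIGH" and "host" in fields:
            hosts.add(fields["host"])
    return hosts


@dataclass
class HostState:
    first_seen: date
    notified: bool = False
    blocked: bool = False


@dataclass
class Enforcer:
    hosts: dict = field(default_factory=dict)

    def process_scan(self, scan_day, lines):
        """Apply one day's scan results; return the actions to carry out."""
        actions = []
        vulnerable = parse_findings(lines)
        for ip in sorted(vulnerable):
            st = self.hosts.setdefault(ip, HostState(first_seen=scan_day))
            if not st.notified:
                actions.append(("notify", ip))
                st.notified = True
            elif not st.blocked and scan_day - st.first_seen >= GRACE:
                actions.append(("block", ip))
                st.blocked = True
        for ip in list(self.hosts):
            st = self.hosts[ip]
            if ip in vulnerable or st.blocked:
                # A blocked host is unreachable to the scanner, so its absence
                # from the report proves nothing; it stays blocked until clear().
                continue
            # Not yet blocked and no longer flagged: cleaned (or merely powered
            # off, in which case the grace period simply restarts next time).
            del self.hosts[ip]
        return actions

    def clear(self, ip):
        """Owner has demonstrated the fix; reopen the port and forget the host."""
        st = self.hosts.pop(ip, None)
        if st is not None and st.blocked:
            return [("unblock", ip)]
        return []
```

The scanner's own blind spot is handled explicitly: blocked hosts are never auto-released, and a host that vanishes before the grace period expires is simply dropped, so someone who unplugs during the scan window gains nothing but a restarted clock.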
. . . but one thought is to use non-routable IPs inside the ResNet. Harder to attack a machine that can't be reached, with the added bonus of P2P only working for push transfers.
Show them the software license, specifically section seven, which may or may not apply, and sections 11 and 12, which do apply:
Section 7 (in part): If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
Section 11 (all): BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
Section 12 (all): IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
So the straight answer is that the word indemnification does not occur in the license. Whether the license has no, little, or good indemnification should be judged by a lawyer. It seems as though the GPL protects those who wrote, modified, and distributed the programs in question from those who use the program, but doesn't seem to extend any special protections to those who use the program from their customers or other third parties.
-Adam
"I'm not a lawyer, but I play one on slashdot..."
Here at RIT there isn't much of a firewall either, but there are a few things they do for security.
1) E-mail filtering. They won't prevent e-mails from getting to you, but if there is an e-mail that possibly has a trojan attached, then that e-mail is sent to you as an attachment to another e-mail that warns you "possibly a trojan here".
2) Registration. In order to get an IP address you have to visit a website, start.rit.edu or something like that. You use your school name and password to get your static IP address. Each person is only allowed 2 or 3 addresses. If your IP is doing something, they just look up who you are. If you have an unregistered device taking up an IP address then they cut your connection, which will make your roommate kill you.
3) Free anti-virus software: they give out anti-virus software to all users for free.
4) Prioritizing: they have made other traffic higher priority than file sharing traffic. And they have blocked Windows file sharing over the net, but it still works internally.
5) School rules. The most effective security measures are the usage policies. If you are caught hacking, you get in serious trouble. It would be almost like throwing your expensive years of college down the toilet. People who have insecure boxes full of viruses and trojans which are doing all kinds of things are discovered quickly by other users, who have personal firewalls, and are geeks. ResNet then "takes care" of them. Just port scanning another computer on the network can ruin you.
The GeekNights podcast is going strong. Listen!
ADD to the Terms of Service that Windows machines must be part of a domain. Create a domain over which you have administrative control. Then deploy SMS. You now have control to send blanket upgrades and patches to all the machines. Periodically scan for machines that are not on the domain, contact the offender, and if they don't respond, pull the plug on the network connection (actually, if you have good switches, all you really have to do is tell the port not to pass traffic).
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
At my place of business, whenever an IDS detects a machine that's infected with something or other, we simply add a static route to one of our core routers saying "anything coming from this IP should be routed to the bit bucket". This route then gets redistributed throughout the network, preventing any packet leaving the machine from going anywhere past their local switch.
It's dirty, and called the ROD (Route of Death), but it works -- the end user figures out really quickly that something's broken, and also realizes that they won't be taken off the ROD until they've fixed their machine.
You can also use it to block one person at a time, rather than whole blocks of people or services.
but you can telnet to switches too.
Would you be so kind as to post which university you work for? A few colleagues of mine would be happy to offer you a "free security analysis".
I work on a small college network (~1000 users) and have set up the residential network as a separate network with routes to the academic network and the Internet. Access to academic resources is controlled by router ACLs and LDAP authentication.
We monitor usage with ntop and Nessus and post the names of the heaviest users of network capacity (but not the greatest security violators). If the community has a problem with the activity of a user, they can deal with that through the student government. The school lets the students have a pretty free environment, but it does force authentication for outbound Internet traffic and enforces a ban on duplication of college-provided services (like DNS and SMTP servers).
This has worked well for about a year and a half without much trouble and has let the residential network maximize the capacity of its 10 Mb/s network and its T-1 uplink.
At my university the main campus network isn't behind a firewall and is wide open to the net (at least, not behind any firewall worth speaking of).
However, the accommodation network (dorms / halls, whatever you call 'em) is behind the great firewall of doom.
The idea being that the private machines in the accommodation network are the only machines in the entire university that the sysadmins have no control over (and are likely to be lusers' unpatched Windows boxes). Thus only these are firewalled.
Admittedly, my university takes this policy to extremes. In the accommodation network only ports 80 and 22 aren't blocked. Anyone wanting e-mail access or access to their home directories has to SSH/SFTP to a Unix box on the main campus network. This isn't as difficult as it sounds for Windows-using newbies. Many use graphical SFTP clients to get files and know how to SSH to a Unix box to run pine.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
I used to run an engineering school's dorm network from 95-97. We enjoyed the school's connection, which was then dispatched to all rooms.
We were students ourselves, but accountable for what happened on the residence network, and the school had one plug to pull to shut us out of the internet (literally).
Our most important protection was simply about having people be responsible. We had them sign a check of a big enough amount for a student, which we would bring to the bank if they broke the loaned Ethernet adapter or if they screwed up a lot.
So basically, pressure on us got translated to the students by ourselves.
By that time, security holes weren't that big an issue, and we just had to disconnect the visible warez. We also monitored MAC/IP matching, so we could pull the plug of the computer that fucked up easily, but that implied active monitoring (Ahhh, the face of the guy to whom you say: "You were right changing your password today, but I found the previous one nicer...")
On the other hand, it's not so easy for the schools to pull the plug, because in the long run, we were saving them the money from upgrading the school's computers. (I guess now in the USA having a computer is a requirement for the students).
Seriously... I have been reading Slash for years and have never moderated... mainly 'cause I can't find it... will someone point it out to me real quick so I can mod this fuck down?
I have looked and can never find how you mod up or down. thx!
http://www.tutsystems.com/
Supports subscriber isolation via broadcast scopes and/or unique VLAN IDs for every student, so it's very difficult for viruses to propagate by scanning computers on the local network, and compromised machines don't tend to hurt other local machines. Those accounts can also be disabled via a rule or an entry in a RADIUS server.
Provides a RADIUS accounting log, with or without RADIUS authentication, and a unique external IP for every user, so when a DMCA violation occurs, the network administrator can use the notice to find the offending student and shut him or her down if necessary.
Is non-intrusive, accepting Ethernet in and Ethernet out, and supporting both static IP addresses and NATed addresses simultaneously.
Students who have static IPs or real IPs via DHCP (this is configurable) can still run servers if they like, and students who aren't interested in this can be NATed, so students have as much access to the network as possible.
I run Apache, and I get regular IIS-scans from hosts on the UMass net (128.119.0.0/16). A quick email to some acquaintances of mine at OIT netops and, afaik, the offending MAC addresses are blacklisted until they demonstrate that they're patched.
We have a bigger problem with faculty here at my school, especially with the ones that think they know what they are doing and have either installed Microsoft Server Applications (MSSQL, etc.) or Linux (Usually RedHat 6.2 or something equally outdated).
We can't usually turn their ports off because they pitch a huge fit (and when faculty bitch it is felt more than when students do), and we have a hard time fixing it because they are all very paranoid and will only let a tech come look at it when they are in their office (a rare occasion for a lot of faculty).
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
Here at the Rochester Institute of Technology, all Windows file sharing ports are blocked between the internal network and the Internet. I believe Mac ports are turned off as well (along with SMTP, to boot). Any user who is violating the network policy in some way, be it running some sort of illegal file server or unknowingly hosting something of the same sort, has their network jack deactivated.
"I'll say it again for the logic-impaired." -- Larry Wall.
Set up the whole network behind a machine doing NAT. Users can use DHCP to connect. If a user wants to run a server, give them a static internal IP, assign an external IP, and forward all traffic through to their box. That way, only those who want to accept the responsibility for securing their machines need to worry about security. It also gives you the option of disabling the forwarding rules if a user gets compromised too often.
Your first step is to block NetBIOS from the Internet. For more information about the University of Connecticut's efforts to do so, check out this site: http://security.uconn.edu/windows_block.html. NetBIOS should not be allowed to traverse WAN links, and you need to work on the network managers at your school ASAP to convince them to block it. Once that block is in place you can move on to fancier methods (local policies, Nessus scans, IDS, etc), but until this is blocked everything else will have you chasing your own tail in circles cleaning up after a constant string of compromised hosts.
:)
If you are serious about this and want help, email security@uconn.nospam.edu and I am sure they will be glad to give you some advice.
hi dumb cunt.
- first you have to login
- then you have to metamoderate and wait.
- then once a shitload of people join after you do you can moderate.
but if you "abuse" your moderation status, they put you on a blacklist, so only fucks that lick the "editors" [term used loosly because the editors are fat sexless biased unintelligent nerd geek assholes without real jobs]
its called groupthink, censorship.
so with that i say
FUCK YOU YOU FUCKING GOD DAMN fucking FAG asshole bitch FUCKING PUKE. Fuck your little comment. Ill fuckig shove a hot curling iron in your ass and break your arm with an eastman baseball bat you fucking dumb bitch FUCKER.
At my school, which has around 7000 undergraduates plus several professional schools, we employ several tactics to protect our network. We have a set of monitoring tools that detect abnormal network activity from viruses or machines that may have been compromised, as well as machines that are using unusually high amounts of bandwidth. We also have a system that requires registration of every MAC address on the residential network to a student's network ID, so every computer can be associated with a person. An attempt is made to contact them and tell them to correct the problem. If the problem isn't corrected, we shut off their port at the switch. We also keep a record of their MAC address and ID, so if they attempt to change their MAC or connect their computer to another port, we can stop them. We leave their access off until appropriate disciplinary action has been taken or the virus/whatever is removed from their computers. In order to assist people who cannot clean their computers themselves, we have a few trained student consultants who can fix it for them, and ensure that they have virus protection appropriately set up.
-Splat
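Several posts above (Berkeley, RIT, the ~7000-undergraduate school, and CMU further down) rely on the same control: every MAC address is registered to a person, each person gets a small number of addresses, and a shut-off student is caught again if they change their MAC or plug into a different jack. The following added example (not code from any poster) shows what that audit looks like when run over the switch's MAC table. The table lines, the registry, the port-to-room wiring map and the blocked list are all constructed for the example; the line format mimics the output of a Cisco `show mac address-table` but the parser is deliberately tolerant of the exact columns.

```python
"""MAC registration audit over a switch MAC table (added example).

All data below is constructed. Findings raised:
  unregistered         a MAC nobody registered, on a jack whose owner is not blocked
  mac-change-evasion   an unregistered MAC on the jack of a *blocked* student
  blocked-user-active  a blocked student's registered MAC seen live on any port
  wrong-jack           a registered MAC on a jack in somebody else's room
  too-many-devices     more live MACs than the per-student allowance
"""
import re
from collections import Counter

# Matches lines such as "  10    0011.2233.4455    DYNAMIC     Fa0/3"
MAC_LINE = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def normalize(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form from Cisco/colon/dash styles."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Yield (mac, port) pairs; header and separator lines are skipped."""
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            yield normalize(m.group(1)), m.group(2)


def audit(mac_table, registry, port_room, user_room, blocked, max_per_user=2):
    """Return a list of (kind, mac, port, who) findings."""
    room_user = {room: user for user, room in user_room.items()}
    findings, per_user = [], Counter()
    for mac, port in mac_table:
        room = port_room.get(port)
        owner = registry.get(mac)
        if owner is None:
            jack_owner = room_user.get(room)
            kind = "mac-change-evasion" if jack_owner in blocked else "unregistered"
            findings.append((kind, mac, port, jack_owner))
            continue
        per_user[owner] += 1
        if owner in blocked:
            findings.append(("blocked-user-active", mac, port, owner))
        elif room != user_room.get(owner):
            findings.append(("wrong-jack", mac, port, owner))
    for user, n in per_user.items():
        if n > max_per_user:
            findings.append(("too-many-devices", None, None, user))
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/4
  10    dead.beef.0001    DYNAMIC     Fa0/2
  10    aabb.ccdd.ee01    DYNAMIC     Fa0/3
  10    aabb.ccdd.ee02    DYNAMIC     Fa0/3
  10    aabb.ccdd.ee03    DYNAMIC     Fa0/3
"""
REGISTRY = {"00:11:22:33:44:55": "alice", "00:11:22:33:44:66": "bob",
            "aa:bb:cc:dd:ee:01": "carol", "aa:bb:cc:dd:ee:02": "carol",
            "aa:bb:cc:dd:ee:03": "carol"}
PORT_ROOM = {"Fa0/1": "101", "Fa0/2": "102", "Fa0/3": "103", "Fa0/4": "104"}
USER_ROOM = {"alice": "101", "bob": "102", "carol": "103"}
BLOCKED = {"bob"}          # bob's port was shut off for an infected machine


def run_sample():
    return audit(parse_mac_table(SAMPLE_TABLE), REGISTRY, PORT_ROOM, USER_ROOM, BLOCKED)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

In the sample, bob has been shut off but his registered MAC shows up on the jack in room 104 (he moved to a friend's room), and a never-registered MAC appears on his own jack (a spoofed address), so both evasions are caught; carol is merely over her device allowance.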
OK tough guy, you didn't even come close to answering my question. All you did was curse.
"then you have to metamoderate and wait". Not an answer.
My question was...What is the process? Specifically, *HOW* do you add a point or remove a point from a comment?
BTW, Your vocabulary is astounding.
i am tough, and ill fucking kick your ass.
yes, if you dont metamoderate, youll be bored waiting to moderate, so fuck off again.
and fuckface, once you can moderate, every single fucking comment looks different because it has moderation tools RIGHT IN THE FUCKING COMMEN HEADER. how about that assfuck? or you could just read the FUCKING FAQ. dumb stupid bitch.
and about my vocab. if you knew anything about TSARKON you would know, i can turn it on or off. i can be sly snarky intelligent ominous and astonishing when I WANT. not you fuck. i use toilet talk for you because your mentality is inferior and i will speak with language that you can understand fucking ASS BOITCH BIIIATCH so fuck you cunt casket cnucasket mediocritomaton slashbot fucking LOSER. fucking fucking loser.
I work for the Housing Dept at my school, doing tech support. We're just responsible from the jack in the room out, don't deal with routers/switches or wiring in the walls. All the rooms just have one jack, so if both roommates want to get a connection, they have to use a hub or switch (we won't help them with those little Linksys router type deals).
When Network Services (the folks that watch the routers/switches) find someone that is abusing the network, they just turn off the port. Sometimes they'll call the person, sometimes not. My dept then gets to listen to the kids complaining that their connection is dead. We'll tell them why, usually some virus sending out hundreds of emails, and that they need to clean their machine. How they do it is their business; we tell 'em to go to a computer store if they can't do it themselves. Then we'll send someone out to make sure it's clean, usually by installing the school's corporate version of Norton AV. A day or so later, and they are turned back on.
People that are sucking down bandwidth with P2P apps will get a letter under their door. If it doesn't stop, they're turned off, and Network Services becomes pretty lazy about turning them back on.
FWIW, every computer on campus, not just in the dorms, gets a private IP address.
The residence life network is a separate network, with a separate port on the firewall. If they want to use anything "special" on the main campus, they must VPN in. Of course we do port blocking, private IP space for ORL (separate space from main campus), etc.... as a best-faith effort to block p2p crap and servers.
Curious as to which University you work for and what your exact job is there...
;-)
At CMU, we have a very nice Perl script that we can use to add ACLs to our routers (Cisco 6509s) to block all traffic off the subnet to and from hosts who are infected or about whom we receive email from the RIAA/MPAA/random studio saying that they have been caught serving copyrighted material. We force all users to register their MAC address with us, and all residence network machines are using DHCP-supplied static global IP addresses (static in that they do not change, not that they are manually configured). (See http://www.net.cmu.edu/netreg/ .) We are working on a very cool replacement for the ACLs that will allow a big red button, no ACLs and centralized killing of machines. Email me, and when the paper has been written up for the public, I can send a copy. I guarantee it is super cool.
We are not using 802.1x port security, since OS support is not there for everything, and we do not want to limit users. The one-MAC-address-per-switch-port approach is not interesting, since that would also unnecessarily limit users.
By filtering users off the network, we are giving them a reason to fix their machine. We do have a help desk and can walk users through various common problems, but do have a specific list of applications and OSes that we support. If it is needed to get things done for school, it is supported.
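Two posts in this thread quarantine a host at the router rather than at the switch: the "Route of Death" (a static route to the bit bucket, redistributed through the IGP) and the CMU per-host ACL. The two are not interchangeable. A route to Null0 discards packets *destined* to the address; to also stop packets *coming from* the infected machine, the ingress interfaces need loose-mode unicast RPF (so a source with a Null0 route fails the check), or the ACL approach, which names the host in both directions. The following added example (not code from either poster; all prefixes, tags and names are hypothetical) renders both forms in IOS-style syntax and, just as importantly, refuses to quarantine anything outside the residential range or inside the subnet that holds its gateways, a guard every such script should have before it talks to a core router.

```python
"""Render router-side quarantine config for one host (added example).

Assumed/hypothetical: the ResNet lives in 10.40.0.0/16, its gateways and
servers in 10.40.0.0/24, the ROD static routes carry tag 666 and are
redistributed into OSPF process 1. IOS-style syntax; adjust for your platform.
"""
import ipaddress

RESNET = ipaddress.ip_network("10.40.0.0/16")
PROTECTED = [ipaddress.ip_network("10.40.0.0/24")]   # never blackhole these
ROD_TAG = 666
ACL_NAME = "RESNET-QUARANTINE"


def validate(ip):
    """Return the address if it is a quarantinable ResNet host, else raise."""
    addr = ipaddress.ip_address(ip)
    if addr not in RESNET:
        raise ValueError(f"{addr} is not in the residential range {RESNET}")
    if any(addr in net for net in PROTECTED):
        raise ValueError(f"{addr} is in protected infrastructure space")
    return addr


def rod_bootstrap(ingress_interfaces):
    """One-time config: redistribute tagged Null0 routes and enable loose uRPF
    on the ResNet-facing interfaces so *sources* with a ROD entry are dropped too."""
    lines = [f"route-map ROD permit 10", f" match tag {ROD_TAG}",
             "router ospf 1", " redistribute static subnets route-map ROD"]
    for ifname in ingress_interfaces:
        lines += [f"interface {ifname}", " ip verify unicast source reachable-via any"]
    return lines


def rod_add(ip):
    """Route of Death for one host: a tagged host route to Null0."""
    return [f"ip route {validate(ip)} 255.255.255.255 Null0 tag {ROD_TAG}"]


def rod_remove(ip):
    return [f"no ip route {validate(ip)} 255.255.255.255 Null0 tag {ROD_TAG}"]


def acl_entries(ip):
    """CMU-style ACL lines blocking the host in both directions."""
    addr = validate(ip)
    return [f"ip access-list extended {ACL_NAME}",
            f" deny ip host {addr} any",
            f" deny ip any host {addr}"]


def quarantine(ip, style="rod"):
    """Dispatch on style; the caller applies the returned lines to the router."""
    if style == "rod":
        return rod_add(ip)
    if style == "acl":
        return acl_entries(ip)
    raise ValueError(f"unknown style {style!r}")


if __name__ == "__main__":
    print("\n".join(rod_bootstrap(["Vlan40"])))
    print("\n".join(quarantine("10.40.12.7")))
    print("\n".join(quarantine("10.40.12.7", style="acl")))
```

Note that the ACL list ends without a `permit ip any any`; the script only contributes the deny lines, and the permit belongs at the end of the list the operator already maintains. The guard in `validate` is what turns a helper like this from a foot-gun into something that can be handed to a help desk.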
I know I am a bit late, but so far nobody else has mentioned LaBrea.
This is a tool for Linux and Windows that can even be run from a Linux boot floppy on an unused PC.
"LaBrea is a program that creates a tarpit or, as some have called it, a 'sticky honeypot'. LaBrea takes over unused IP addresses on a network and creates 'virtual machines' that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get 'stuck', sometimes for a very long time."
So, while this would be no foolproof protection for your users, it would stop many of the simpler attacks and slow the rest down, and you would automatically be notified if someone tried to scan the whole network or a new Code Red tried to propagate.