Slashdot Mirror


Securing University Residential Networks?

campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. A problem spot I see is the residential networks. For the most part, it is filled with un-patched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events, and an onslaught of DMCA violations have caught the attention of my superiors (as well as his superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group will to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established-only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"

3 of 55 comments

  1. Registration by Apreche · · Score: 3, Informative

    Here at RIT there isn't much of a firewall either, but there are a few things they do for security.

    1) E-mail filtering. They won't prevent e-mails from getting to you, but if there is an e-mail that possibly has a trojan attached, then that e-mail is sent to you as an attachment to another e-mail that warns you "possibly a trojan here".

    2) Registration. In order to get an IP address you have to visit a website, start.rit.edu or something like that. You use your school name and password to get your static IP address. Each person is only allowed 2 or 3 addresses. If your IP is doing something, they just look up who you are. If you have an unregistered device taking up an IP address then they cut your connection, which will make your roommate kill you.

    3) Free anti-virus software. They give out anti-virus software to all users for free.

    4) Prioritizing. They have made other traffic higher priority than file sharing traffic. And they have blocked Windows file sharing over the net, but it still works internally.

    5) School rules. The most effective security measures are the usage policies. If you are caught hacking, you get in serious trouble. It would be almost like throwing your expensive years of college down the toilet. People who have insecure boxes full of viruses and trojans which are doing all kinds of things are discovered quickly by other users, who have personal firewalls, and are geeks. RESnet then "takes care" of them. Just port scanning another computer on the network can ruin you.

    --
    The GeekNights podcast is going strong. Listen!
  2. Re:Lame, but good enough. by forsetti · · Score: 2, Informative

    To answer your first question, physically visiting the switch to physically pull the cable takes a lot more time (especially at physically large universities) than telnetting to the router to kill the MAC.

    --
    10b||~10b -- aah, what a question!
  3. Re:Scan machines, and turn off ports by danielwright · · Score: 2, Informative

    > Yeah, and the way to do this is by checking the MAC address so the offender can't just switch ports.

    It depends on what environment the computer is in. In a residence, the student has only one port available to him, so he'd have to pick up his computer and move to a friend's room to switch ports (and unless he's malicious, he won't do that). Faking a MAC address is much easier though - it's a simple software setting (how simple depends on your operating system).
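
Added example, not part of any comment above: a sketch of the audit a residential network team could run to combine the registration scheme from the first comment with the port-versus-MAC point from the last one. The per-user limit of 3, the binding of each registration to a home switch port, and all names, MAC addresses and port labels are assumptions constructed for illustration.

```python
"""Audit switch sightings against a residence-hall device registration table."""
from collections import defaultdict

MAX_DEVICES_PER_USER = 3  # assumed limit; the thread says "2 or 3 addresses"

# Constructed sample: registered MAC -> (owner, home switch port).
REGISTRATIONS = {
    "00:11:22:33:44:01": ("alice", "hallA/12"),
    "00:11:22:33:44:02": ("alice", "hallA/12"),
    "00:11:22:33:44:10": ("bob", "hallB/07"),
    "00:11:22:33:44:11": ("bob", "hallB/07"),
    "00:11:22:33:44:12": ("bob", "hallB/07"),
    "00:11:22:33:44:13": ("bob", "hallB/07"),
}

# Constructed sample of (switch port, source MAC) pairs, as a periodic
# poll of the switches' forwarding tables might produce.
SIGHTINGS = [
    ("hallA/12", "00:11:22:33:44:01"),
    ("hallC/03", "00-11-22-33-44-01"),  # same MAC, other port, other notation
    ("hallB/07", "00:11:22:33:44:10"),
    ("hallB/07", "DE:AD:BE:EF:00:01"),  # never registered
]

def normalize(mac):
    """Canonical form so 00-11-.. and 00:11:.. compare equal."""
    return mac.strip().lower().replace("-", ":")

def audit(registrations, sightings, limit=MAX_DEVICES_PER_USER):
    findings = []
    regs = {normalize(m): v for m, v in registrations.items()}
    per_user = defaultdict(set)
    for mac, (user, _port) in regs.items():
        per_user[user].add(mac)
    for user, macs in sorted(per_user.items()):
        if len(macs) > limit:
            findings.append(("over_limit", user, len(macs)))
    ports_by_mac = defaultdict(set)
    for port, mac in sightings:
        ports_by_mac[normalize(mac)].add(port)
    for mac, ports in sorted(ports_by_mac.items()):
        if mac not in regs:
            findings.append(("unregistered", mac, sorted(ports)))
            continue
        away = sorted(ports - {regs[mac][1]})
        if away:  # moved machine, or a MAC changed in software to match
            findings.append(("mac_off_home_port", mac, away))
    return findings

if __name__ == "__main__":
    for finding in audit(REGISTRATIONS, SIGHTINGS):
        print(finding)
```

A `mac_off_home_port` finding cannot by itself distinguish a student who carried a laptop to a friend's room from a MAC address set in software, so it is a prompt to look up the registered owner rather than grounds for an automatic cut-off.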