Slashdot Mirror


Securing University Residential Networks?

campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. A problem spot I see is the residential networks. For the most part, it is filled with un-patched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events, and an onslaught of DMCA violations, have caught the attention of my superiors (as well as their superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group will to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established-only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"

2 of 55 comments

  1. let them police themselves by imsmith · · Score: 2, Insightful

    I work on a small college network (~1000 users) and have set up the residential network as a separate network with routes to the academic network and the Internet. Access to academic resources is controlled by router ACLs and LDAP authentication.

    We monitor usage with ntop and nessus and post the names of the heaviest users of network capacity (but not the greatest security violations). If the community has a problem with the activity of the user, they can deal with that through the student government. The school lets the students have a pretty free environment, but it does force an authentication for outbound Internet traffic and enforces a ban on duplication of college provided services (like DNS and SMTP servers).

    This has worked well for about a year and a half without much trouble and has let the residential network maximize the capacity of their 10Mbs network and its T-1 uplink.
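    The two checks this comment describes (rank residential hosts by traffic volume, and catch hosts duplicating college-provided services such as DNS and SMTP) can be run over exported flow records. The script below is an added illustration, not code from the poster or from ntop/nessus: it assumes a residential range of 10.20.0.0/16 and a constructed CSV-style flow export (src,sport,dst,dport,bytes) standing in for whatever your collector emits.

```python
import ipaddress
from collections import Counter

# Assumed residential network range (replace with your resnet prefix)
RESNET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample flow export, NOT real traffic. One unidirectional
# flow per line: src,sport,dst,dport,bytes. Addresses are documentation
# ranges; the 10.20.x.x hosts are the residential side.
SAMPLE_FLOWS = """\
# src,sport,dst,dport,bytes
10.20.1.15,51234,198.51.100.7,443,45000000
10.20.1.15,51235,203.0.113.9,80,800000
10.20.1.42,40001,198.51.100.7,443,2000000
10.20.1.15,40002,10.20.1.42,53,120
10.20.1.77,40003,10.20.1.42,53,140
203.0.113.9,52000,10.20.1.99,25,9000
10.20.1.99,40004,203.0.113.9,443,150000000
"""


def parse_flows(text):
    """Parse the CSV-style export into a list of flow dicts; skips comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, nbytes = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def top_talkers(flows, n=5, resnet=RESNET):
    """Rank residential hosts by total bytes sent plus received.

    A flow between two residential hosts is charged to both ends, which is
    what you want when the question is who is consuming the segment.
    """
    usage = Counter()
    for f in flows:
        for host in (f["src"], f["dst"]):
            if host in resnet:
                usage[str(host)] += f["bytes"]
    return usage.most_common(n)


def duplicated_services(flows, banned_ports=(25, 53), resnet=RESNET):
    """Residential hosts that are accepting connections on service ports
    the college already provides (SMTP and DNS by default). Official
    servers live outside resnet, so any resnet destination on these
    ports is a duplicate."""
    found = set()
    for f in flows:
        if f["dst"] in resnet and f["dport"] in banned_ports:
            found.add((str(f["dst"]), f["dport"]))
    return sorted(found)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Heaviest residential users:")
    for host, total in top_talkers(flows, n=3):
        print(f"  {host:15} {total:>12,} bytes")
    print("Hosts duplicating college services:")
    for host, port in duplicated_services(flows):
        print(f"  {host:15} port {port}")
```

    Note that the volume ranking is the only list the comment says gets published; the duplicated-service list is what you act on quietly. On a real export, swap `parse_flows` for your collector's format and keep the two report functions as they are.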

  2. Use NAT... by Slashed+Otter · · Score: 2, Insightful

    Set up the whole network behind a machine doing NAT. Users can use DHCP to connect. If a user wants to run a server, give them a static internal IP and assign an external IP and forward all traffic through to their box. That way, only those who want to accept the responsibility for securing their machines need to worry about security. It also gives you the option of disabling the forwarding rules if a user gets compromised too often.