Slashdot Mirror


Securing University Residential Networks?

campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. One problem spot I see is the residential networks. For the most part, it is filled with unpatched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events, and an onslaught of DMCA violations, have caught the attention of my superiors (as well as their superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group will to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established-only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"

11 of 55 comments

  1. Lame, but good enough. by vandel405 · · Score: 4, Interesting

    I know it isn't the best answer. But, it works pretty well against the average joe. At UC Berkeley pretty much every ethernet port is guarded with MAC-based security. So now if you have a user acting like a bandwidth black hole, you can easily just drop them off the network, and tell them to fix it via web-based email. When they do, they tell you, you let them back on.

    1. Re:Lame, but good enough. by mivok · · Score: 2

      That's what they do at our university (University of Manchester, UK), but one thing I've always wondered, why not simply pull the plug at the switch? No worries about MAC address spoofing (although if the router is configured to block all MACs on a certain port, then I guess it wouldn't matter).

      In the terms and conditions, they also have a whole load of draconian rules such as, don't run servers of any kind without permission, don't use NAT.. etc.. etc.. which translates in practice to - 'do what you like, but if you screw up the network, prepare to face our wrath, oh, and by the way, kazaa is EEEEEVILLL'.

      The university also 'recommends' installing a virus scanner (as usual), but they actually provide one for you under their site license. Of course you still have the problem of making students install it, but it's one step further than many other places I've seen.

      With regard to worms etc, I don't see the problem with blanket blocking of certain ports from the outside, perhaps allowing access to those who requested it provided they could demonstrate that they were competent enough to regularly install updates/patches. I don't pretend to understand how to implement that however (ensuring that those with full access actually installed patches and kept up to date would be problematic, and then there's the problem of new attacks, making complete port blocking seem easier), but the suggestion is there.

      Ultimately, you need to come up with a solution which protects/limits those who don't know/care about securing their own computers (default case), while allowing 'power users' (assuming you want to cater for their needs, which from the tone of your post you do) to have restrictions lifted in the special case.

    2. Re:Lame, but good enough. by forsetti · · Score: 2, Informative

      To answer your first question, physically visiting the switch to physically pull the cable takes a lot more time (especially at physically large universities) than telnetting to the router to kill the MAC.

      --
      10b||~10b -- aah, what a question!
  2. Scan machines, and turn off ports by danielwright · · Score: 5, Interesting

    The school I go to has an effective policy: firstly, they routinely scan the entire campus network for vulnerable machines using nessus.

    If they find vulnerable machines, or if they detect that a machine has been compromised, they notify the owner, and if the problem is not corrected in an appropriate amount of time, turn off the connection at the switch. If that happens, the owner has to prove that the machine is fixed before they will turn it back on.

    Admittedly, this is a little draconian, but the other residents appreciate that the network isn't constantly congested with DoS attacks from compromised machines in their dorm.

    1. Re:Scan machines, and turn off ports by danielwright · · Score: 2, Informative

      > Yeah, and the way to do this is by checking the MAC address so the offender can't just switch ports.

      It depends on what environment the computer is in. In a residence, the student has only one port available to him, so he'd have to pick up his computer and move to a friend's room to switch ports (and unless he's malicious, he won't do that). Faking a MAC address is much easier though - it's a simple software setting (how simple depends on your operating system).
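The scan, notify, grace period, shut-the-port cycle danielwright describes, written out as an added example (this is not code from the thread or from any university's tooling). It assumes a three-day grace period, a severity threshold of 3, a hand-made registration table mapping IPs to owners and switch interfaces, constructed scan findings in place of a real Nessus report, and Cisco IOS style interface commands; all of those are assumptions. The one rule worth noticing is in process_scan: a host that later scans clean gets its notification clock reset, but a port that has already been shut stays shut until a staff member calls restore(), matching the "owner has to prove the machine is fixed" policy rather than letting the next clean scan silently re-enable it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GRACE_PERIOD = timedelta(days=3)   # assumption: time the owner gets before the port is shut
HIGH = 3                           # assumption: finding severity that counts as "vulnerable"


@dataclass
class Host:
    ip: str
    owner: str
    interface: str                       # switch interface behind the room's jack
    notified_at: Optional[datetime] = None
    disabled: bool = False


# Constructed registration table (IP -> owner, switch interface).
HOSTS = {
    "10.20.1.15": Host("10.20.1.15", "student_a", "FastEthernet0/12"),
    "10.20.1.22": Host("10.20.1.22", "student_b", "FastEthernet0/13"),
    "10.20.1.40": Host("10.20.1.40", "student_c", "FastEthernet0/14"),
}

# Constructed scan output, thinned down to (ip, severity, description);
# a real run would parse the scanner's report instead.
SCAN = [
    ("10.20.1.15", 3, "missing critical OS patch"),
    ("10.20.1.22", 0, "informational: OS fingerprint"),
    ("10.20.1.40", 3, "unexpected listening service, looks like a backdoor"),
]


def vulnerable_ips(findings, min_severity=HIGH):
    """IPs with at least one finding at or above the severity threshold."""
    return {ip for ip, sev, _ in findings if sev >= min_severity}


def process_scan(hosts, findings, now):
    """One scan run: notify new offenders, shut ports whose grace period ran out.

    Returns (notified, disabled) lists of IPs acted on this run. A host that
    scans clean gets its clock reset, but an already-shut port stays shut
    until staff call restore(): the scanner saying "clean" is not proof.
    """
    vuln = vulnerable_ips(findings)
    notified, disabled = [], []
    for h in hosts.values():
        if h.disabled:
            continue
        if h.ip not in vuln:
            h.notified_at = None
            continue
        if h.notified_at is None:
            h.notified_at = now
            notified.append(h.ip)
        elif now - h.notified_at >= GRACE_PERIOD:
            h.disabled = True
            disabled.append(h.ip)
    return notified, disabled


def shutdown_commands(host):
    """Lines to shut the host's access port (Cisco IOS syntax, assumed)."""
    return ["configure terminal", f"interface {host.interface}", "shutdown", "end"]


def restore(host, verified_by):
    """Re-enable a port after a named staff member verified the fix."""
    if not verified_by:
        raise ValueError("restore needs a verifier; owners cannot clear themselves")
    host.disabled = False
    host.notified_at = None
    return ["configure terminal", f"interface {host.interface}", "no shutdown", "end"]


def demo():
    """Walk the policy through a few days; returns what happened at each step."""
    t0 = datetime(2003, 9, 1, 8, 0)
    log = {}
    log["day0"] = process_scan(HOSTS, SCAN, t0)                      # two owners notified
    log["day1"] = process_scan(HOSTS, SCAN, t0 + timedelta(days=1))  # inside grace, nothing
    fixed_40 = [f for f in SCAN if f[0] != "10.20.1.40"]             # student_c patched
    log["day3"] = process_scan(HOSTS, fixed_40, t0 + timedelta(days=3))  # student_a's port shut
    all_clean = [f for f in SCAN if f[1] < HIGH]
    log["day4"] = process_scan(HOSTS, all_clean, t0 + timedelta(days=4))
    log["disabled_after_clean_scan"] = HOSTS["10.20.1.15"].disabled  # still shut
    log["restore"] = restore(HOSTS["10.20.1.15"], verified_by="helpdesk")
    return log


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The severity threshold and the grace period are the two knobs a ResNet group would actually argue about; everything else is bookkeeping, which is the point: the policy is simple enough that it can be applied consistently to every room.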

  3. It'd be unpopular as hell . . . by user+no.+590291 · · Score: 2, Interesting

    . . . but one thought is to use non-routable IPs inside the ResNet. Harder to attack a machine that can't be reached, with the added bonus of P2P only working for push transfers.

  4. Registration by Apreche · · Score: 3, Informative

    Here at RIT there isn't much of a firewall either, but there are a few things they do for security.

    1) E-mail filtering. They won't prevent e-mails from getting to you, but if there is an e-mail that possibly has a trojan attached, then that e-mail is sent to you as an attachment to another e-mail that warns you "possibly a trojan here".

    2) Registration. In order to get an IP address you have to visit a website start.rit.edu or something like that. You use your school name and password to get your static IP address. Each person is only allowed 2 or 3 addresses. If your IP is doing something, they just look up who you are. If you have an unregistered device taking up an IP address then they cut your connection, which will make your roommate kill you.

    3) Free anti-virus software, they give out anti-virus software to all users for free.

    4) Prioritizing, they have made other traffic higher priority than file sharing traffic. And they have blocked Windows file sharing over the net, but it still works internally.

    5) School rules. The most effective security measure is the usage policies. If you are caught hacking, you get in serious trouble. It would be almost like throwing your expensive years of college down the toilet. People who have insecure boxes full of viruses and trojans which are doing all kinds of things are discovered quickly by other users, who have personal firewalls, and are geeks. RESnet then "takes care" of them. Just port scanning another computer on the network can ruin you.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:Registration by oyenstikker · · Score: 2

      They also block incoming port 25 on resnet, presumably so we can't run open relays. Of course, I'd rather they block 25 out, and make us use their SMTP server to send out. (Or would this not fix the problem?) At any rate, I can't run my own mail server. And to make matters worse, RIT doesn't have SSL on their IMAP servers.

      --
      The masses are the crack whores of religion.
  5. let them police themselves by imsmith · · Score: 2, Insightful

    I work on a small college network (~1000 users) and have set up the residential network as a separate network with routes to the academic network and the Internet. Access to academic resources is controlled by router ACLs and LDAP authentication.

    We monitor usage with ntop and nessus and post the names of the heaviest users of network capacity (but not the greatest security violations). If the community has a problem with the activity of the user, they can deal with that through the student government. The school lets the students have a pretty free environment, but it does force an authentication for outbound Internet traffic and enforces a ban on duplication of college provided services (like DNS and SMTP servers).

    This has worked well for about a year and a half without much trouble and has let the residential network maximize the capacity of their 10 Mb/s network and its T-1 uplink.
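The "post the heaviest users" practice imsmith describes, combined with the registration lookup Apreche mentions, as an added example that is not code from the thread, from ntop, or from either school. It assumes a 10.20.0.0/16 ResNet block, a hand-made IP-to-username registration table, and constructed flow records of the (src, dst, bytes) shape an ntop-style collector boils down to; the T-1 line rate of 1.544 Mb/s is the only figure taken from outside the thread. Dorm-to-dorm flows are deliberately left out of the ranking because they never touch the uplink, and an IP that shows up in the flows with no registration is reported on its own line rather than quietly labelled, since that is exactly the case the registration step exists to catch.

```python
import ipaddress
from collections import defaultdict

RESNET = ipaddress.ip_network("10.20.0.0/16")   # assumption: the residential block
T1_BPS = 1_544_000                               # T-1 line rate, bits per second

# Constructed registration table, IP -> username, as the registration step
# described in the thread would produce.
REGISTRATIONS = {
    "10.20.1.15": "student_a",
    "10.20.1.22": "student_b",
    "10.20.1.40": "student_c",
}

# Constructed flow records (src_ip, dst_ip, bytes).
FLOWS = [
    ("198.51.100.7", "10.20.1.15", 600_000_000),   # big download into a dorm host
    ("10.20.1.15", "198.51.100.7", 50_000_000),
    ("10.20.1.40", "203.0.113.9", 900_000_000),    # dorm host serving files out
    ("10.20.1.22", "10.20.1.40", 300_000_000),     # dorm-to-dorm, never hits the uplink
    ("10.20.1.77", "203.0.113.50", 120_000_000),   # IP nobody registered
    ("203.0.113.50", "10.20.1.22", 5_000_000),
]


def in_resnet(ip):
    return ipaddress.ip_address(ip) in RESNET


def uplink_usage(flows):
    """Bytes each ResNet host pushed through the uplink, split in/out.

    Flows with both ends inside ResNet are skipped: they stay on the LAN
    and never compete for the T-1.
    """
    usage = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, nbytes in flows:
        src_in, dst_in = in_resnet(src), in_resnet(dst)
        if src_in and not dst_in:
            usage[src]["out"] += nbytes
        elif dst_in and not src_in:
            usage[dst]["in"] += nbytes
    return dict(usage)


def top_talkers(usage, registrations, n=3):
    """Rank hosts by total uplink bytes; returns (ranked rows, unregistered IPs).

    Rows are (total_bytes, ip, owner). An IP with traffic but no registration
    is flagged separately so it can be cut off rather than merely listed.
    """
    rows, unregistered = [], []
    for ip, u in usage.items():
        owner = registrations.get(ip)
        if owner is None:
            unregistered.append(ip)
        rows.append((u["in"] + u["out"], ip, owner or "<unregistered>"))
    rows.sort(reverse=True)
    return rows[:n], sorted(unregistered)


def share_of_t1(total_bytes, window_seconds):
    """Fraction of the T-1's capacity over the window that these bytes consumed."""
    return total_bytes * 8 / (T1_BPS * window_seconds)


if __name__ == "__main__":
    ranked, unknown = top_talkers(uplink_usage(FLOWS), REGISTRATIONS)
    for total, ip, owner in ranked:
        share = share_of_t1(total, 86400)
        print(f"{owner:16} {ip:14} {total / 1e6:8.1f} MB  {share:.1%} of a day's T-1")
    print("unregistered:", unknown)
```

Expressing each user's total as a share of the uplink over the measurement window is what makes the posted list persuasive to a student government: "5% of the whole dorm's Internet for a day" is an argument, a raw byte count is not.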

  6. Use NAT... by Slashed+Otter · · Score: 2, Insightful

    Set up the whole network behind a machine doing NAT. Users can use DHCP to connect. If a user wants to run a server, give them a static internal IP and assign an external IP and forward all traffic through to their box. That way, only those who want to accept the responsibility for securing their machines need to worry about security. It also gives you the option of disabling the forwarding rules if a user gets compromised too often.

  7. You need to start by blocking NetBIOS by milspec74 · · Score: 2

    Your first step is to block NetBIOS from the Internet. For more information about the University of Connecticut's efforts to do so, check out this site: http://security.uconn.edu/windows_block.html. NetBIOS should not be allowed to traverse WAN links, and you need to work on the network managers at your school ASAP to convince them to block it. Once that block is in place you can move on to fancier methods (local policies, Nessus scans, IDS, etc), but until this is blocked everything else will have you chasing your own tail in circles cleaning up after a constant string of compromised hosts.

    If you are serious about this and want help, email security@uconn.nospam.edu and I am sure they will be glad to give you some advice. :)
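The border policy the thread converges on, brought together in one added example that is not code from the thread, from UConn, or from any router vendor: the NetBIOS block milspec74 and the question both ask for, the "file sharing blocked from the net but working internally" behaviour Apreche describes, the inbound port 25 block oyenstikker mentions, the established-only inbound rule from the question, and the opt-in server forwarding Slashed Otter proposes. It is a small first-match ACL evaluator over constructed packets; the ResNet block (10.20.0.0/16), the opted-in host and ports, and the Cisco-style ordering are assumptions. "Established" is modelled the way a classic router ACL does it, as a TCP packet with the ACK flag set, which is why a separate hole for UDP DNS answers is needed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

RESNET = ipaddress.ip_network("10.20.0.0/16")      # assumption: ResNet address block
NETBIOS_SMB = frozenset({137, 138, 139, 445})      # NetBIOS name/datagram/session, direct SMB
ANY: FrozenSet[int] = frozenset()


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; False on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    direction: str                      # "in" = Internet->ResNet, "out" = ResNet->Internet
    proto: str = "any"
    sport: FrozenSet[int] = ANY         # empty = any port
    dport: FrozenSet[int] = ANY
    dst: Optional[str] = None           # pin to one host (opt-in server)
    established: bool = False           # TCP with ACK set only, i.e. not a new connection
    why: str = ""

    def matches(self, p, direction):
        if self.direction != direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.sport and p.sport not in self.sport:
            return False
        if self.dport and p.dport not in self.dport:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


# Border policy, first match wins (assumed ordering, in the style of an extended ACL).
RULES = [
    Rule("deny", "in", dport=NETBIOS_SMB, why="NetBIOS/SMB never enters from the Internet"),
    Rule("deny", "out", dport=NETBIOS_SMB, why="NetBIOS/SMB never leaves either"),
    Rule("deny", "in", proto="tcp", dport=frozenset({25}), why="no inbound SMTP to dorm hosts"),
    Rule("permit", "in", proto="tcp", established=True, why="replies to ResNet-initiated TCP"),
    Rule("permit", "in", proto="udp", sport=frozenset({53}), why="DNS answers (UDP has no ACK)"),
    Rule("permit", "in", proto="tcp", dst="10.20.1.40", dport=frozenset({22, 80}),
         why="opted-in server, owner accepted responsibility"),
    Rule("deny", "in", why="default: no new inbound connections"),
    Rule("permit", "out", why="default: outbound open"),
]


def direction_of(p):
    src_in = ipaddress.ip_address(p.src) in RESNET
    dst_in = ipaddress.ip_address(p.dst) in RESNET
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "out"
    if dst_in:
        return "in"
    return "transit"


def decide(p, rules=RULES):
    """Return (action, reason) for one packet seen at the ResNet border."""
    d = direction_of(p)
    if d == "internal":
        return ("permit", "dorm-to-dorm: never reaches the border filter")
    if d == "transit":
        return ("deny", "neither side is ResNet")
    for r in rules:
        if r.matches(p, d):
            return (r.action, r.why)
    return ("deny", "implicit deny")


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.9", 1234, "10.20.1.15", 445),          # worm probe from outside
        Packet("tcp", "10.20.1.15", 1025, "10.20.1.22", 139),           # file sharing inside
        Packet("tcp", "10.20.1.15", 50000, "198.51.100.7", 80),         # dorm host browsing out
        Packet("tcp", "198.51.100.7", 80, "10.20.1.15", 50000, ack=True),  # the reply
        Packet("tcp", "203.0.113.9", 4000, "10.20.1.40", 80),           # opted-in web server
        Packet("tcp", "203.0.113.9", 4000, "10.20.1.22", 80),           # not opted in
        Packet("tcp", "10.20.1.40", 1030, "203.0.113.9", 445),          # infected host scanning out
        Packet("udp", "192.0.2.53", 53, "10.20.1.15", 33000),           # DNS answer
    ]
    for p in samples:
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {decide(p)}")
```

The DNS rule is the classic weakness of this style of filtering: anything sent from source port 53 gets in, so a UDP service on a dorm host is reachable by an attacker who simply picks that source port. A stateful firewall tracks the outbound query and admits only the matching answer; with a plain ACL the mitigation is to restrict that rule to the campus resolvers' addresses, which this example leaves open because the thread names none.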