Slashdot Mirror


Handling User Grown Machines on a Large Network?

matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"

14 of 611 comments

  1. forcefully by OriginalSpaceMan · · Score: 3, Insightful

    Force them to login to an Active Directory domain and hand out updates...

    --

    You talk better than you fool!
    1. Re:forcefully by bob670 · · Score: 5, Insightful
      Then who supports them when the latest Windows update hoses their machine? It happens less than it used to, but I have one client who lets auto updates run, and one patch in particular (810577) has brought network browsing to a crawl. We have done literally hundreds of tests and narrowed it down to this patch, but neither the knowledge base, user community nor a direct (and expensive) call to MS support can fix his issue. Now he has users screaming about slow network browses to files and folders, time outs hitting their home-brewed database and his phone never stops ringing. Now multiply that by the body of a college campus?

      You'll need something more reliable than Windows if your plan is to mandate that sort of thing.

    2. Re:forcefully by Samari711 · · Score: 4, Insightful

      What about the seniors who are still running 98? Then you also end up slowing down student machines and you get a bunch of unhappy students. Micromanaging a few thousand computers whose specs are all over the board will cause more headaches than it solves.

      --

      I never said I was smart, I just said I was smarter than you

    3. Re:forcefully by bob670 · · Score: 3, Insightful
      That sounds great in most cases, and it works perfectly in a controlled network. But in a school where students can carry in machines, where they can carry them offsite and connect to other networks, and where they can blindly apply updates without any testing, what you're saying is just a good idea that won't happen.

      My client with the network browse issue won't listen to my advice about setting up a testbed for each model machine he has (which he can easily afford, and he does have spare machines) or at least testing on one machine before rolling it out. He has Windows Update on a nightly schedule and won't turn it off, even after this happened. Just yesterday he told me he was pushing some "suggested" update this weekend, without testing or justification of need. And his last sentence was "I have never been bitten by being completely up to date with Windows Update", as I turned away to continue working on his browse issues at a decent hourly rate. It's okay with me, job security, but his life could be easier and his wallet fatter if he would do exactly what you say (and I have suggested). Now multiply that by the size of the student body.

    4. Re:forcefully by Samari711 · · Score: 3, Insightful

      That might work fine for small colleges, but it doesn't scale very well to medium and large schools, especially when the IT department wants to do as little limiting of freedom as possible.

      --

      I never said I was smart, I just said I was smarter than you

    5. Re:forcefully by mentin · · Score: 3, Insightful
      What an amazingly simplistic viewpoint, do you work for MS support? You're blaming hardware that worked fine before a patch ...

      My NVidia card worked fine (under Windows) before I installed Linux, and still all Linux people blamed the hardware, saying there is some known problem with DVI support in old NVidia cards.

      Obviously, if you are developing an OS (whether it is Windows or Linux) and don't have the benefit of being able to blame Gates or Linus for your bugs, there is still a last chance: blame hardware!

      --
      MSDOS: 20+ years without remote hole in the default install
  2. Ban 'em by larien · · Score: 5, Insightful

    If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.

  3. Maybe give out some info to the people? by TheWart · · Score: 3, Insightful

    Here at my school, for the last week, starting about a day before freshman move-in, they have had flyers *everywhere* telling people not to hook up to the network until they install this patch provided by the IT dept. Of course, there are still the bozos that don't pay heed to the warnings....but there are lots of them in the world anyways.

  4. Re:You could just... by Phleg · · Score: 3, Insightful

    Because I'm sure that they'd far rather spend sixty times the amount of support costs trying to get users acquainted with Linux, rather than have their network flooded with virii every now and then.

    Now don't get me wrong--I'm just as much a die-hard Linux advocate as anyone, but it's just not feasible to tell every kid on a college campus to suddenly switch operating systems. They're going to need to figure out how, and you're going to be the ones to tell them. This is going to send your costs through the roof.

    He's trying to solve problems for his university, not create new ones.

    --
    No comment.
  5. Re:responsibility by gykh · · Score: 5, Insightful
    If you make them bear some financial responsibility for not checking their machines first this might help.
    Are you sure about that? What are you going to fine for? Not having a secure enough computer? Everyone (i.e. /.) knows security holes appear every week, major ones every 4 months or so. Do you fine someone who just reinstalled Windows and was just logging on to download patches and got hit? For getting a virus? How about we tax stupidity next?

    Students go to university to learn and give back some knowledge, not to constantly maintain their tools.
  6. Re:Easy solution: by GeekDork · · Score: 3, Insightful

    This is so ridiculous that I'm still thinking you're joking. Either that or you haven't been in education for a long time.

    I'm a CS student. We often have the choice of buying an outdated EUR 6 hardcopy of a lecture script (without TOC or index), printing some 200 pages (on a printer quota that's sufficient for 150) or viewing the constantly updated script on-screen with search functionality. This holds true for at least four courses per semester. Without PCs, we'd be royally screwed.

    In most apartment buildings for students, the network is provided by the university over a 2MBit line with at least 10% packet loss, high lag and a 650MiB/month quota (traffic inside the uni network isn't counted). Bozos who don't get the rules get blocked at the in-house switch.

    If they'd try to ban PCs they'd get only one thing: open revolt. I mean the stuff with burning administration buildings. Literally. Plus it'd be mostly unenforceable in countries with things like individual freedom. Oh, there's also the need to at least quadruple the number of terminals across the campus.

    --

    Fight hunger. Filet a politician and send him to a 3rd world country of your choice.

  7. Re:Possible solution by themassiah · · Score: 5, Insightful

    I was with you until this part: "drop their connection via MAC address and refuse to give them another DHCP lease". Here's a better idea. CALL THEM! If they're running Windows, send them a Messenger Service Message before you cut their connection, telling them to call IT or something. Don't just shut them off, it's bad for your department's image and it's a bad policy when dealing with people.

    --
    - Sometimes you're the pigeon, sometimes you're the statue.
  8. So tired of this joke... by JaredOfEuropa · · Score: 4, Insightful

    You never played the lottery? Let me ask you another question.

    Do you have any kind of insurance?

    But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.

    I know I know, it's just a joke. Well, I just had to get this off my chest.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  9. Re:Simple... by mistermund · · Score: 4, Insightful

    At Carnegie Mellon, unregistered boxes are automatically routed to a web page that allows them to do temporary or permanent registration based on MAC address. Once you register, your machine can access the network and DHCP. This allows for easy monitoring, notification, and disconnection of zombies.

    It's called AuthBridge and runs on a Linux machine with ethernet bridging and real time packet filtering based on the MAC address. See the link for technical descriptions, diagrams, and further details.

    Seems to work quite seamlessly as an end user, IMHO.
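A constructed illustration of the two mechanisms raised in this thread, the "find the scanning host by IP, map it to a MAC, block it until it's fixed" approach from comment 2 and the MAC-based registration gate from comment 9. This is an added example, not code from the page or from CMU's AuthBridge; the ARP snapshot, registration table, flow records, the scanned port (TCP/135, which MSBLASTER used) and the distinct-host threshold are all assumptions made up for the example.

```python
"""Constructed example: MAC-based gatekeeping plus quarantine of hosts that
show worm-like scanning (one source hitting many distinct hosts on one port).
Not AuthBridge code; every table and flow record below is made up."""
from collections import defaultdict

# Constructed ARP snapshot (IP -> MAC) taken from the dorm edge router.
ARP = {"10.1.5.20": "00:11:22:33:44:55",
       "10.1.5.21": "00:11:22:33:44:66",
       "10.1.5.22": "00:11:22:33:44:77"}
# Constructed registration table (MAC -> owner), as a registration portal would keep.
REGISTERED = {"00:11:22:33:44:55": "alice", "00:11:22:33:44:66": "bob"}

# Constructed flow records: (src_ip, dst_ip, dst_port).
# 10.1.5.20 sweeps TCP/135 across 76 hosts; 10.1.5.21 only talks to a few servers.
FLOWS = [("10.1.5.20", f"10.1.{i}.{j}", 135) for i in range(1, 5) for j in range(1, 20)]
FLOWS += [("10.1.5.21", "10.1.0.5", 80), ("10.1.5.21", "10.1.0.6", 443),
          ("10.1.5.21", "10.1.0.5", 135)]  # one legitimate RPC contact, not a sweep


def scanning_sources(flows, port, threshold):
    """Return the MACs of sources that touched >= threshold distinct hosts on `port`."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    # Map offending IPs to MACs via the ARP snapshot; unknown IPs cannot be blocked by MAC.
    return {ARP[src] for src, dsts in targets.items()
            if len(dsts) >= threshold and src in ARP}


def decide(mac, quarantined):
    """Policy for a frame from `mac`: 'quarantine', 'portal' or 'allow'."""
    if mac in quarantined:
        return "quarantine"   # only the patch/removal-tool page is reachable
    if mac not in REGISTERED:
        return "portal"       # unregistered: redirect to the registration page
    return "allow"


def run_policy(flows, port=135, threshold=20):
    """Evaluate every known MAC; returns (decisions, quarantined MACs)."""
    quarantined = scanning_sources(flows, port, threshold)
    return {mac: decide(mac, quarantined) for mac in ARP.values()}, quarantined
```

A registered host is released from quarantine simply by dropping out of the scanning set once its flows no longer trip the threshold, which matches the "let them back on once patched" step in comment 2.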