Slashdot Mirror

← Back to Stories (view on slashdot.org)

Handling User Grown Machines on a Large Network?

Posted by Cliff on from the where-infections-run-rampant dept.

matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"

7 of 611 comments (clear)

  1. Ban 'em by larien · · Score: 5, Insightful

    If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.

  2. Re:forcefully by bob670 · · Score: 5, Insightful
    Then who supports them when the latest Windows update hoses thier machine? It happens less than it used to, but I have one client who lets auto updates run, and one patch in paticular (810577) has brought network browsing to a crawl. We have done literally hundreds of test and narrowed it down to this patch, but neith the knowledge base, user community nor a direct (and expensive call) to MS support can fix his issue. Now he has users screaming about slow network browses to files and folders, time outs hitting their home-brewed data base and his phone never stops ringing. Now mulitply that by the body of a college campus?

    You'll need something more reliable than Windows if your plan is to mandate that sort of thing.

  3. Re:responsibility by gykh · · Score: 5, Insightful
    If you make them bear some financial responsibility for not checking their machines first this might help.
    Are you sure about that? What are you going to fine for? Not having a secure enough computer? Everyone (i.e. /.) knows security holes appear every week, major ones every 4 months or so. Do you fine someone who just reinstalled windows and was just logging on to download patches and got hit? For getting a virus? How about we tax stupidity next?

    Students go to university to learn and give back some knowledge, not to constantly maintain their tools.
  4. Re:forcefully by Samari711 · · Score: 4, Insightful

    what about the seniors who are still running 98. then you also end up slowing down student machines and you get a bunch of unhappy students. micromanaging a few thousand computers who's specs are all over the board will cause more headaches than it solves

    --

    I never said I was smart, I just said I was smarter than you

  5. Re:Possible solution by themassiah · · Score: 5, Insightful

    I was with you until this part: "drop their connection via MAC address and refuse to give them another DHCP lease". Here's a better idea. CALL THEM! If they're running Windows, send them a Messenger Service Message before you cut their connection, telling them to call IT or something. Don't just shut them off, it's bad for your department's image and it's a bad policy when dealing with people.

    --
    - Sometimes you're the pidgeon, sometimes you're the statue.
  6. So tired of this joke... by JaredOfEuropa · · Score: 4, Insightful

    You never played the lottery? Let me ask you another question.

    Do you have any kind of insurance?

    But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.

    I know I know, it's just a joke. Well, I just had to get this off my chest.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  7. Re:Simple... by mistermund · · Score: 4, Insightful

    At Carnegie Mellon, unregistered boxes are automatically routed to a web page that allows them to do temporary or permanent registration based based on MAC address. Once you register, your machine can access the network and DHCP. This allows for easy monitoring, notification, and disconnection of zombies.

    It's called AuthBridge and runs on a Linux machine with ethernet bridging and real time packet filtering based on the MAC address. See the link for technical descriptions, diagrams, and further details.

    Seems to work quite seamlessly as an end user, IMHO.