Slashdot Mirror
Handling User Grown Machines on a Large Network?
matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"
Force them to login to an Active Directory domain and hand out updates...
You talk better than you fool!
You can only separate networks so much.
If you make them bear some financial responsibility for not checking their machines first this might help.
just ban users from your network.
At my university, at least for the public machines, when you logon to the domain, a script executes that automatically patches your machine and runs fixblast and fixwelch. you might want to investigate into something like that
If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.
Do some intrusion detection on the network--possibly through Snort. If any machine is spamming out MSBlast messages or Sobig emails, drop their connection via MAC address and refuse to give them another DHCP lease. Then, when the person comes in to complain, let them know their computer was infected and flooding the network, and give them a floppy with the proper security patch on it.
It might be a bit annoying to automate the process (except for handing out floppies) at first, but it seems like it could significantly help, while at the same time educating users to update their patches.
No comment.
...tell students at registration that Windows machines are not allowed on the network, and that they must install Linux. This will not only clean up your network problems, but it will also give the students a sense of doing the right thing for their computers. Along with their free condoms, give 'em free Linux CDs.
Here at my school, for the last week, starting about a day before freshman move in, they have had flyers *everyewhere* telling people not to hook up the network until they install this patch provided by the IT dept. Of course, there are still the bozo's that don't pay heed to the warnings....but there are lots of them in the world anyways.
Ensure that home machines (ones that you haven't configured) get IPs in a VLAN group which you've bandwidth throttled on the routers/switches along the say so the rest of the VLANs don't get choked by home-grown disasters.
Machines you have control over can get IPs in another VLAN which isn't throttled, or at least not as much as your "uncontrollable" VLAN. At the router where the VLANs can meet have strong ACLs and traffic flow control.
Just because you give them access with their own machines doesn't mean you have to give them unrestrained access.
Trolling is a art,
assuming your network is switched, and your switch are "manageables" (ie you can log in them remotely)
you could have an IDS (or similar) with a rule looking for specific attacks (ie blaster). when you detect such an attack, fire off a script that shuts down the user's port on the switch. they'll bitch and moan that they can't access the net but you'll know who they are now and charge them a cleanup fee (make sure to include it in the terms of use)
another solution is to require anyone bringing a computer from home to have it inspected by your techs, block access based on mac address and only give them access once they passed the test. it does require more ressources tho, and ideally you'd still need the first option (in case where someone reinstall windows)
I think this was one of the approaches Stanford was going to take. No DNS for your machine until you get it checked out by their IT department.
Chris
I work as a tech for a major midwestern university. Aside from offering a website with complete instructions, we published packets bundled with CDs that guide the students visually through the process of fixing Blaster and Welchia and installing Norton AntiVirus. With so many pictures in the guide we have yet to have anyone mess it up.
... from another point of view.
I'm a student at a university whose dorm network got nailed by blaster something fierce. Almost as bad as it was Klezed a couple years before. Anyways, because of all of this, the sys admins decided to completely eliminate the dorm network from the upper campus one - also cutting off 'net access - during school hours. This is a real big pain in the butt, and I'm actually hoping there are some great answers in this topic so I can give them to my sys admin.
Of course, compounding the situation are seemingly (dunno if they actually are or not considering I've never even SEEN one before) incompetant dorm techs taking an entire day to clear out just one dorm building of ~50 rooms (2 people per room, but often less than 2 PCs per room...). Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.
I'm just annoyed because my room (along with my entire hall since I'm the resident 'hey, call him!' computer geek and have patched everyone) is completely free of blaster and its ilk, yet I have to deal with the people who either don't know to patch Windows often, or don't care.
How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health classes' STD safety course, apply to computers basically), and I'm ineligable to become a dorm tech right now... anyone?
--- Ãther SPOON!
Right. Let's see how many people are patching against those vulnerabilities. That "Linux is invulnerable" attitude is preventing many from even thinking about security holes in Linux. I see a major wake-up call coming...
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
"Along with their free condoms, give 'em free Linux CDs."
"Here. You'll never use this first item if you choose to use the second item. Have fun, and welcome to college."
You are sooooo fired.
- Block POP3 and SMTP access.
- Block trojan ports.
- Provide webmail access. (Even allow them to connect to their own email accounts elsewhere)
Outlook and Outlook Express are the two largest vectors for virii."God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
You ought to be able to tweak your DHCP so you can block machines that are broadcasting this badly by telling them their default gateway is localhost.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Assuming you can identify the port from which the infected traffic is coming, post a list of all infected rooms on the front door of the dorms, with an explanation that "these computers are causing your network to suck."
The problem will be fixed.
Moderate drunk! It's more fun that way!
Seeing as in this situation you wont be able to convince your students to switch:
1) Require all machines to register their mac address via nice gui or website. This way when you use all the rest of the stuff mentioned here (snort, etc) you can easily track the student down.
2) Run snort, router, acls, etc in a way to automatically blocks infected users. Or at the very least it should at least alert you of them. But blocking is best so that they dont spread the infection further on your network or to the internet via your fat pipe.
3) Buy a site license of the managed versions of Norton Antivirus for the dorms and hand one to every student as they walk in the door. Once they've installed it you can force the updates on to them.
... when you go to a university where you do not log on to a domain in dorms.
I've found that to be very common (including the Uni that I'm typing this at) since it is MUCH easier to set freshman up on movein day.
Also, certain things do not work when you start logging onto domains. Example: XP's fast user switching. You'd have students complaining about the administration restricting their rights to their own computer, blah blah blah... then on top of it, automatically patching something. Legal nightmare. Works great for lab PCs, horrid for dorm PCs.
--- Ãther SPOON!
I hadn't thought of this implication. Unfortunately, it's not feasible to force the users to do anything in this kind of situation - that would be an administrator's nightmare.
I'm assuming you have each computer connected to a central switch, right? What I would do is block all communication between the PCs on the network. Allow each one to get out to the internet through the firewall, but block them from connecting to each other. That would give them the ability to browse the web, check email, instant message, etc., without needing to worry about them setting up servers, file sharing, and trading viruses, etc., between each other. It's heavy handed, but at least you're still providing the service you're supposed to (internet connectivity).
Just a thought. I'm not completely sure this is even feasible with a switch, but I would think so.
"I have never let my schooling interfere with my education." - Mark Twain
Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.
unfortunately not -- updating random systems is harder that it seems. When we got hit at our university i helped out cleaning a bunch of systems and I couldn't believe how long it took -- Win2k installs had to have Service Pack 4 installed before you could apply the security patch for the worm, other dependancies changed because of that, had to install and update the university verson of norton antivirus, which refused to install on many systems unless I started them in safe mode, etc. All in all, the half-dozen systems i cleaned up took several hours because of all the rebooting and screwing around that was necessary before the patch could even be applied.
The XP and 98 systems were a piece of cake, though.
Recursive: Adj. See Recursive.
We have an incident response team that locates each individual infected host, then identifies the primary user of that machine. If they're unavailable, we install the patch and leave a message that they should come by our offices as soon as possible.
Once the patch has been applied, we sit down with the user and assure them that they're not in trouble; everyone makes a mistake from time to time, and we have simple and effective means of dealing with the problem. Once they're calmed down and convinced that we're not upset with them, we wish them a good day and send them on their way.
When they turn their backs, we shoot them in the back of the head and put their bodies on display in the courtyard as an example to the rest of the imbiciles that might practice unsafe computing.
-- Minds are like parachutes... they work best when open.
First they came for the menial jobs. I never spoke out because I didn't have a menial job.
Somebody has obviously made a serious mistake then. Can I suggest you apply at the sign of the Golden Arches to find something more commensurate with your intellectual abilities?
When the blaster worm hit, we had to work for a few days to clear the thing from the staff network.
Now that we well and truly cleared it after much scanning to make sure, we've moved on to the on-campus student's network.
We have to physically go to each room, patch and scan to remove both blaster and welchier.
It's both an annoyance for us and the students who pretty much treat us like unwanted guests on their pcs.
Be you Admins? nay, we are but lusers!
This is actually a very good idea. You block offenders in the switch. My school has done the same during this blaster episode, and I believe it has worked very well. Of course it helped that blaster came active before the start of the autumn term, because not all students had come here after the summer.
And of course, block the right incoming traffic in the border routers.
For years, the last thing the admins at my university wanted to do was inspect each computer before it was permitted to be on the network. This year they have broken down and are doing so, to be connected (wired or wirelessly) one of their employees must inspect the computer and make sure that they are not only completely patched, but also that they are running antiviral software (Norton ONLY).
This is of course great in theory, until a week later when someone formats, 'forgets' to patch, brings their computer home, gets re-infected and comes back to school.
Until patches become mandatory for many of these users, there is no way to prevent such a thing... short of finding the virus writers and skinning them alive during prime time, that might make some of these script kiddies think twice before doing what they do.
Help Brendan pay off his student loans
This is so ridiculous that I'm still thinking you're joking. Either that or you haven't been in education for a long time.
I'm a CS student. We often have the choice of buying an outdated EUR 6 hardcopy of a lecture script (without TOC or index), printing some 200 pages (on a printer quota that's sufficient for 150) or viewing the constantly updated script on-screen with search functionality. This holds true for at least four courses per semester. Without PCs, we'd be royally screwed.
In most appartment buildings for students, the network is provided by the university over a 2MBit line with at least 10% packet loss, high lag and a 650MiB/month quota (traffic inside the uni network isn't counted). Bozos who don't get the rules get blocked at the inhouse switch.
If they'd try to ban PCs they'd get only one thing: open revolt. I mean the stuff with burning administration buildings. Literally. Plus it'd be mostly unenforceable in countries with things like individual freedom. Oh, there's also the need to at least quadruple the number of terminals across the campus.
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
I am seriously considering moving my smaller clients to Mac of Linux pretty soon
Hmm... sounds interesting, got a torrent ?
getSexySig();
50 computers over 8 hours = 9.6 minutes per computer, average. This time includes knocking on doors, explanations, going back to get rooms which were closed for some reason, booting up computers and rebooting them, loading the patches on to the machine and installing them, and all the regular crap that goes with handling 50 different computers with 50 different setups. Honestly I would say that 10 minutes per computer is simply amazing. These guys must be supermen to get a whole dorm patched in a day, unless they come in with an army of a dozen techs.
What can a student do? Preach alternative systems. Wean people off of Microsoft Windows entirely. I run 2 labs of a dozen Macintosh machines running Mac OS X and I haven't had to lift a finger to do much of anything for more than a year. The machines run perfectly and just laughed at all of the viruses, worms, trojan horses, and other problems that Windows computers have had to deal with. The same, I'm sure, is true of BSD and Linux based operating systems.
Take a look at the history of the Irish potato famine. The main cause of this horrible piece of history was a simple fungus. It spread so suddenly and completely because to grow potatoes quickly you can simply cut up one potato and plant the pieces. Each new plant is a genetic clone of the original potato. Thus when a disease hits one plant it quickly spreads and hits them all, turning a simple disease into an epidemic. The same is true of computers. A monoculture of Windows machines are much more vulnerable to the spread of computer infections than a mix of operating systems. Having one operating system dominate over 90% of the market is simply not healthy.
Sapere aude!
In our residence halls, we have about 7500 people. What we have done is make a series of VLANs, centrally administered by VMPS. We have the regular VLAN for a building's users, a quarantine VLAN, and a blackhole VLAN. As we detect users that are infected, we move them to the quarantine VLAN where we have colocated a quarantine webserver via an 802.1q trunk. This server provides them with all the patches, av software and latest DATs. Once installed, the resident "signs" with their campus ID to verify that they have installed the various fixes, and they are moved back. If someone languishes in the quarantine VLAN for too long, we move them to the blackhole VLAN (which is essentially a defined VLAN that isn't trunked anywhere so VMPS can still legally place them there).
This segmentation has helped dramatically. At one point, we were blocking nearly 800,000 icmp echo requests outbound/sec across all interfaces. Now? around 1k/sec. And that's over the last week.
Now if I could just get past the residents who:
1. Don't fix themselves because it was too much to read.
2. Don't know how to use a web browser
3. Don't know what a scroll bar is (!!!)
4. Don't contact us for help, but instead go to the President and Provost's offices.
Hang in there, segmentation helps dramatically.
In the defense of the "incompetent dorm techs" they probably had to deal with:
- students who weren't in their rooms
- students who figured someone else touching *their* machine was an invasion or their privacy (especially the 50 gig of mp3's)
- students who were in their rooms and didn't want to be disturbed
- the 133t hAx0rZ who thought it was uB3R k3W1 to archive their old (infected) systems and reset the machine as soon as the techs had left.
Having been the "oh call her" person for a(n administrative) department at a university I know what students can get up to.
Set up a dhcp/iptables/ LINUX firewall . I run a script that monitors the net for a rush of packets (ICMP/port 135/smurf attack) it works great! heres the algorithm in pseudocode - any net admin should be able to put it together. You basically monitor 1000 packets and count the number packets per host and find the packet count per time then dump if they are pushing 90% or more packets while (true) do t0 = timeinseconds packetlist = tcpdump -n -i -c1000 t1 = timeinseconds iplist = grep list|print ipfield| uniq -c totalscanseconds = t1-t0 totalpackets = count(packetlist) if totalpackets greater than 99% iptables -t -nat -A PREROUTING -s offendingip -d 0/0 --dport 80 -j DNAT --todestination and viola! all users flooding the net are automatically forwarded to a you are quarantine website no matter what. All packets are dumped before they go any further. I can handle easily 500 - 700 connections with a dual AMD 1800 cpu / 500meg ram dual nics setup as a dhcp server
Naturally, if you're the BOFH type of network admin you can skip the first part
Basically what we've done is burn a shitload of CD's with the Blaster patch on them, given them out to people with the worm and then encouraged them to distribute the CD's to their friends. We've also given those CD's to our local residential hall tech support people (the ones who actually go to the person's room and fix whatever problem; they are assigned by dorm).
:)
Recently, we've begun deactivated the ports of people who we've been able to trace the worm back to, having them call us, pick up the CD, install the patch and then having an RCC verify that the patch is installed before reactivating their ports. We've also closed off the ports that the worm is known to propagate through. We've still taken damage as a result of it, but I think we've managed to minimize it somewhat. In the meantime, I've been trying to convince the Mac users I support that they're not at risk. If you say, "impossible" enough times in a row, they start believing you.
The guy I share a bathroom with at NAU got the blaster worm before coming here, then called on me, the resident geek to fix it. It took roughly five hours to talk him through using a virus scanner, and then talking him through the fix. I finally gave up and refered him to the IT people.
/.'rs get on the "install Linux on everyones box" rant, I'm going to highlight the main problem, the end users ignorance about computers. The average college student thinks of his/her computer as an applience. And thinks that Windows update as that pesky taskbar icon that keeps on screaming at them.
I know for Lovsan our school links you, before network registration, to a page with the fix. Then if you get infected they kill your access. Then send up a tech. Sad thing is the average user can't even figure out how to get to the patch even with a page linking to it.
Now before all the
Also in a small office network administrating 20-100 people is an easy task, or EASIER, than handeling 5,000 students with no computer skills. In an office network you can set up the computers to use whatever software you want, like not allowing Outlook on work machines, or whatnot, but in a college network you have 5,000+ different configurations.
As for solutions, I have no clue, though. I guess the only way is to just blcok access of the infected, which kinda sucks since it HAS to be after the fact. Perhaps you could force people joining the netword to take a small online class, download your supported virus-scanner, and whatever fixes exist before registering their machine. Then as new threats come out, make new required online lessons needed to keep network access.
A patriot must always be ready to defend his country against his government. -edward abbey
MAC address filtering would bring out at least one privacy advocate complaining about rights, and absolute Nazi like controls won't fly at a public institution.
Everybody seems to be advocating the staff doing stuff, do they have the resources to handle every little issue a student comes up with?
VLANs with heavily controlled QoS would help. I also like a script forcing certain patches.
Could the school get a license from an AntiViri company to cover all students, force everybody to run it as policy, script the updates, IDS to ban infractions by switch port or something with would f%$k the student because it might take a week to get around to turning the port back on.
Kevin
Irrational Diversions
running Mac OS X and I haven't had to lift a finger to do much of anything for more than a year
That's what I call a boring life. Compare this to the action packed life of a Windows(tm) Admin. I can imagine the next Microsoft tagline:
Windows: Bringing Unlimited Action to bored System Admins, since 1981.
getSexySig();
I know it's a pain to lose ping functionality, but in the case of Nachia, the fastest way to stop it is to put a filter on your switch. If you use Cisco 65xx's with the Policy Feature Card, you can run the following commands:
set security acl ip WORM deny icmp any any echo
set security acl ip WORM permit ip any any
commit security acl WORM
set security acl map WORM 1 (or whatever VLANs you have)
If you have some other product for LAN switches, shame on you! Well, there probably is a similar filtering capability if you have the right components.
I've been involved in cleaning up after SQLslammer and Nachia on a rather large network. In both cases, I found that router filters were difficult to implement without causing the filters to kill the routers (except on a few very new high-end routers). The PFC claims to work at wire speed. In practice, I've had a hard time proving them wrong on that.
This filtering technique will allow you to drop packets as soon as they enter the switch. Basically your doing a L3 or even a L4/L5 filter (tcp/udp with port) on a device that is really operating at L2.
A couple things to note, you can't log the packets and once you put the filter in place you probably won't be able to determine who is sending junk, but you shouldn't be patching machines for a worm by going after the infected ones... every machine in the network needs patched before you lift filters regardless of whether the worm is still in your network or not. If not, it will be back!
My college, in response to Blaster, Nachi, etc., recently told students to download a copy of Vexira Anti-virus, for which we have a site license. One of my non-CS friends (yes, /. geeks can have non-CS friends) did just that and, since she (yes, a female, at that) had little computing experience, deleted every infected file. I'm only a UNIX admin with very little Windoze experience, so I'm not sure if deleting the infected files had something to with it, but XP Home refused to go past the login screen. She has been going through something of a family crisis, so I was up until about 1 in the morning getting her machine back into working order without losing any data. I succeeded, but it was still pretty stressful. She didn't really care about having a clean computer; she just wanted a working computer.
In short, just telling students to download and run a program they don't understand to clean up their computers isn't going to work. At best, no one's going to do it, and at worst, it's going to f*ck people's computers up, creating more of a support mess.
Phone and leave a message with instructions how to get help, and provide how-to-fix-it guides at their hall's front desk. Give them a chance to fix it if you can, and tell them the timeline ("You have 24 hours before we will have to take you offline. Here's how you fix it:"). If you have to disconnect their port immediately, then you must contact and guide them to help.
Internet access is necessary today (preaching to the choir here!), and you should never disconnect someone and then wait for them to wander into your office to help them. Anyone who reads /. understands that.
What do you think happens when *each* and everyone of them goes on KaZaA because they can't share anything? Not to mention how they'll whine about how they can't cooperate because no one can access the others' files (short of sending project documents back and forth via email or something).
I don't think that thought it so well thought out....
Kjella
Live today, because you never know what tomorrow brings
In that configuration, they can surf the Internet freely, and can download anything they want, but can't mess up anyone else.
That's the default configuration. Students who want more have to go through the exercise of securing their machines, after which both the student and the machine get tested. Then they get more access.
You never played the lottery? Let me ask you another question.
Do you have any kind of insurance?
But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.
I know I know, it's just a joke. Well, I just had to get this off my chest.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I'm a student PC/Net tech at a small college (1500 students, 400 staff/admin/faculty). We use an AD domain to corral our users, so to speak.
We did some testing with the Blaster patch before we encouraged our users to download it; I always check Bugtraq, personally, before I put anything on a machine I'm responsible for. Once we decided it wasn't breaking anything (at least it didn't break anything for us) we burned it to a whole bunch of CDs (with the Symantec removal tool, the Win2k patch, the WinXP patch, and the WinNT fix). Each RA/helpkid/tech also got a corporate edition of NortonAV on a disk (we have a site license) with instructions for students on how to update their virus definitions.
Each RA got this disk. Each help desk kid (there are about 15 student help desk kids) got one, and the other five PC/net techs (other than me) got one. We marched around campus for about a week wearing very visible "TECHNOLOGY SOLUTIONS CENTER" T-shirts and essentially infiltrated dorm life with our antivirus software.
Were there huge network slowdowns? Oh yeah. For the first day and a half when students came back there was little, if any, network connectivity. But the RAs were adamant about having the kids run the patches and install NAV. Did we use guerilla tactics, like disabling network ports or confiscating network cable? No, not at all. We just made help extremely visible, and with a horde of student tech workers getting $5/hr, it was not so bad for cheap labor for the college, either.
You might bitch and moan and say that a college kid with a virus will never go talk to his RA, but we had mandatory floor meetings for every floor for every hall across campus, and when you've got 20 kids and one RA, it's pretty easy to reach the end users. Users only understand that "my computer doesnt work", and you can bet that a college kid at a small, tech-oriented campus will go see his RA if he knows his RA can help him. (If the kids think the RAs are totally bogus, then there's problems with administration that have nothing to do with computing and is for another thread entirely.)
Do these tactics make Mac/Linux users feel discriminated against? I saw some whining in the comments about this, but guess what: Even if an RA is minimally intelligent in the realm of computing, he can PROBABLY tell a Mac from a PC. Mac users get left alone (like me.)
Full network connectivity returned at about 9 in the morning on the day after move-in. (you'd be surprised how fast 30 RAs and 21 tech kids can move.)
You might also bitch and moan and say that students shouldn't have L2 domain admins. Okay, I can understand that. One kid got forcibly removed from our staff last year for leeching software off a drive he had permissions to, so no, it's not a completely perfect solution, and a lot of trust is involved. But it worked okay for us and minimized a lot of headaches.
Angry IT woman in big clompy boots. And talking lint!.
Not really an option. And an incorrectly managed linux machine on an academic network can be almost as big threat to the outer world as windows. I am speaking out of experience as I have dealt with OC3+ floods coming from zombies in student dorms long before people started to apply "voodoo" to windows machines. It was linux, bsd, solaris and other unix systems in those (pre BO) times. Quite oftent it still is.
Still, you can very easily deal with it.
1. Move dorms to private addresses so that you do not have an address space constraint as the next step will eat addresses like there is no tomorrow.
2. Subnet the network into a small salad and put each slice of the salad into a separate VLAN.
3. 802.1q the vlans up to a linux box, bsd box or a cisco that has enough grunt to filter (72xx VXR or similar comes to mind, bigger ones have a hard time filtering, smaller ones cannot handle the bandwidth).
4. Filter on all 802.1q interfaces on the linux/bsd/cisco.
As a result you contain any clap to a small subnet.
Note that everybody will hate you initially. People definitely did hate me 8+ years ago as this was one of the things I did to deal with a similar problem (one dept in the building I managed was being hacked left right and center).
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
This gives us the following benefits:
1. Only machines we want to have on our network are there. This usually means that we give out IP addresses in exchange for the basics - a MAC address and the location of the machine. Higher levels of management of clients has its costs, so that'll be down to the individual manager to decide (for instance - only machines running OS xyz, or only machines we have root/admin access to, only machines built with our spec/OS and connected to our auto patching architecture, etc).
This means that we can, in extreme cases, remove someone from the DHCP lists, and flag their MAC up in arpwatch. In the case of "students arriving at the start of term", there is quite a flood of applications at the start of term - combined with teaching them how to find their mac address (solved with a flier in their matriculation pack). After that, it slows to a trickle of applications.
2.With managed switches (and really, who DOESN'T use managed switches in large networks?) troublemakers can be sought and disconnected in times of strife. You have their IP address AND know which switch/port they're on (through the MAC/location registration process). It really is up to the user to come to the IT staff in the event that their connection drops. We have disabled specific ports on network switches in some cases, which is a far more useful solution than removing DHCP entries, but for public areas the DHCP block is what is needed (laptops in libraries for instance). Smart users will get around this, but it's not the smart users you're worried about. They know how to patch.
When it comes down to it, make one simple rule - network access is a priveledge, not a right. Our entire university wide IT infrastructure is built on this philosophy, and as a result the onus is on your users to behave in a responsible way.
--
Why can't we all just get along?
at my University, they've started to do that. If your machine is spitting out garbage they kill your connection and call (e-mail) whoever is responsible for maintaing the system and notify them that they need to get the problem fixed before their IP will become active again.
We havn't done it in our lab (there are multiple on campus) yet as there's no impending doom if we don't, but we're looking to secure our work area with a router that blocks all ports and then use 192.168.0.* IPs behind it. Which allows us to fresh install Windows or whatever and not have to worry about getting infected before we can get them up to date.
It'd be trivial for a University to setup such an area and if a user is trouble, kill their connection and call them and tell them to bring down their system to the secured lab to be patched and fixed.
My home network which has every flavor of Windows running was completely unaffected by the Blaster worm simply because I run a router intelligently.
It's really not that hard to not get infected.
Ben
Work Safe Porn
These girls need help with their computers.
At our college, your machine is taken off the network (by disabling the port on the switch your machine is on) untill you install the patches and de-infect you machine. That means, you have no access to the internet, untill you call the helpdesk, and they will turn you back on so you can download the patch etc. Of course, you get locked out again if you don't. :) It works very well, cause when people get cut off the internet, they normally want to get back on it, so they will fix their PC very soon ...
I just saw a presentation on a campus-wide wireless network.
Because you cannot control who uses the wireless zone, it's treated as potentially hostile or untrusted and users must authenticate to a VPN.
A nice side-effect of this is that the VPN in Windows routes all traffic via the VPN, letting them apply all sorts of policies "port 4444, I don't think so...". Blaster only affected users silly enough to bring in an infected machine.
Perhaps a similar setup for the untrusted wired network too?
"Everything is adjustable, provided you have the right tools"
If your network hasn't been infected yet you can be more proactive by scanning for vulnerable Windows machines instead of for Blaster traffic. Use Nessus or Eeye's free RPC scanner. Then ban any vulnerable machines. This should be done in addition to and not instead of scanning for Blaster because the "good" Blaster will download and install the RPC patch.
My solution is not very large scale (only 240 ports), but works quite well. A 486 machine on top of every switch running tcpdump filtered through a perl script that uses snmp to shut down the offending port as soon as any 'suspicious' traffic starts to flow from it. The 486's are setup to netboot with the loader on CD (or floppies for the few machines that don't support CD boot), and all share the same NFS server, making managment a snap.
Of course this only works if you have managed switches/hubs, a bunch of spare 486's (pentiums would be better) and a day or so to set it up. The nice thing is that if the 486 fails (only one has so far), the network stays up.
This has stopped 99% of malicious traffic dead in it's tracks.
You have made the classic techo mistake - you have assumed that the problem is technical in nature and requires a technical fix.
The problem is actually and administrative (read people) issue, and should be addressed as such.
Build a register of MAC addresses to students, and filter all access from student computers based on (that not permitted is denied).
Then establish a policy whereby students are informed that access to the campus network is a privilege and not a right. Require an 'administration deposit' to cover cleanups in case of viruses/etc - but refund it when they take their equipment and leave.Furthermore, inform them that should work be required by campus staff to fixup outbreaks they may be held liable for costs incurred in cleaning up (you can identify them by the source MAC address) and that their equipment may be confiscated if deemed warranted. Publish policies and guidelines showing best practice (ie patch/update your computer regularly.
You have just created an environment where best practice is required. You have also created a marketplace for people (other students) to assist the less skilled to maintain their systems, and hopefully explain the 'hard' way to everyone that a good security posture is founded on practices and not technology.
IT people make the mistake that the lights and wires are where the job is - rather than the actual objective.
It's amazing how many students seem to have wiring problems after they crash the local nets on certain campuses. I just wish the same approach could be applied to home users.
Many of the worms and viruses that bog the net have had patches for months or even years. I say if the patch was out three months ago, cut the user off at their ISP -- permanently.
You can't drive without a license -- if you can't update, you don't know how to "drive" the internet. And no, I really don't care about the "rights" of the brain-dead to access public resources.
Even my techno-illiterate parents know enough to keep the virus files and patches up to date -- because they were taught before the machine was ever plugged in to the 'net.
I do not fail; I succeed at finding out what does not work.
I work for tech support for a large (30,000+ students) university. This fall we're expecting as many of 30 percent of the machines coming to residence to be infected with a worm.
To defend against this we're going scan all machines over the network during the registration process and if the machine is vulnerable the browser will get redirected to a webpage with the relevant patches which the client must apply or they won't be able to connect to anything but our internal authentication vlan.
One of the reasons our networks get hammered during any worm incident is that there are so many machines connected to the network that just aren't patched ever.. Eventually we just have to manually shut down the ports infected machines are connected to and wait till clients call to complain to explain why they've been disconnected.