[unisog] Server based scan for student computers

Alex Tirdil AJTIRDIL at salisbury.edu
Mon May 16 15:37:03 GMT 2005

They are not just Nessus based now.  With version 2.2 of Campus
Manager and their ActiveX based CAT tool, the Campus Manager can do a
lot more than Nessus can.  One of the features of the CAT tool is to
enable ICMP pings on Windows XP SP2 machines so that you can run your
Nessus scans more effectively.  We currently have that feature enabled
and it has worked very well.  The CAT tool can be considered an agent:
it sits on the machine all the time, but it is not activated unless
you kick the student into your "remediation" VLAN and do some scans, at
which point it's "turned on".

-alex t

>>> BachandD at easternct.edu 05/16 9:27 AM >>>

We've been using Bradford's product, and are moving to Perfigo as part
of a system-wide directive from above.  I'd like to add my 2 cents...

Nessus IS a good tool.  However, we're seeing more and more computers
these days with firewalls running.  Either Windows XP SP2, or even the
latest anti-virus packages often have them running.   Nessus can't
them, and a firewall in no way makes for a secure station.  I've never
checked the percentage of the student population with firewalls, but
it is certainly growing, so anything Nessus based is going to have short
legs and is going to miss a lot of computers with issues.

If I were going to look for a new solution, I'd be looking for the

Preferably 802.1X based, so the authentication can be off-loaded to
edge switches.
Definitely requiring some sort of a client agent, as that's probably the
only long-term solution.

In terms of what's out there-

Bradford's product does do VLAN switching, which is good.  But is
based.  Although we do have the product coupled with an IDS, which
does a good job of detecting and shutting down the worst of the rogues.

Netreg is also Nessus based, doesn't do any switching, and unless you
have some good scripting set up, can be thwarted.

Perfigo is in-line, in my opinion primitive, and owned by my least
favorite company, but does have an agent at least.

Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376

-----Original Message-----
From: unisog-bounces at lists.sans.org 
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Andy Druda
Sent: Sunday, May 15, 2005 6:10 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Server based scan for student computers

We want to go further than netreg in the quarantine department.  We
don't want students on the same VLAN until they are safe so we will
manipulate the switches (as we currently do by hand).  We have most of
that part already figured out but want to decide what to scan with. 
are considering Nessus.  VERY good to see some of you are using it for
the scanning.

scott hollatz wrote:
>>> Can some of you who do this tell me what you're using?
>> NetReg is one of the more popular open-source ways of going about
> We've been using a modified NetReg to quarantine systems not passing
> Nessus scan (of several vulnerabilities, not all Nessus knows of).
> This has been working fine in the reshalls and we've been slowly 
> deploying across campus.
> A Nessus hook is also in our wireless authentication gateway (also 
> used for public etherjacks) but is not yet in production (has been 
> ready for a few years, but no cycles available for rollout...).


Andy Druda
Director of Campus Technology
Wagner College
Staten Island, New York 10301
718 390 3204

unisog mailing list
unisog at lists.sans.org
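
The failure mode Dave describes above (a host behind the Windows XP SP2 firewall simply does not answer the scanner, so a Nessus-based gate sees no findings and waves it through) is worth handling explicitly in whatever script sits between the scan and the VLAN move. The following is an added example, not code from this thread or from NetReg, Bradford, Perfigo or Campus Manager. It assumes the scan is exported in the .nessus v2 XML layout (ReportHost/ReportItem elements with a numeric severity attribute); the report, plugin names and lease list it works on are constructed for the demo, and the "a host with no port above 0 was never really scanned" rule is a heuristic of this example, not a Nessus feature.

```python
"""Fail-closed quarantine decision from a Nessus scan export (added example)."""
import xml.etree.ElementTree as ET

# Constructed .nessus-v2-style export (assumed layout, not a real scan).
# Four hosts hold DHCP leases on the quarantine VLAN; three appear in the
# report, and one of those answered nothing except the scanner's own
# "general" host record, which is what a host dropping ICMP and
# unsolicited TCP looks like from the scanner's side.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="reshall-quarantine">
  <ReportHost name="10.20.1.10">
   <HostProperties><tag name="host-ip">10.20.1.10</tag></HostProperties>
   <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="0"
               pluginID="90001" pluginName="SMB service detection (constructed)"/>
   <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="4"
               pluginID="90002" pluginName="Unpatched SMB service (constructed)"/>
  </ReportHost>
  <ReportHost name="10.20.1.11">
   <HostProperties><tag name="host-ip">10.20.1.11</tag></HostProperties>
   <ReportItem port="139" protocol="tcp" svc_name="netbios-ssn" severity="0"
               pluginID="90003" pluginName="NetBIOS name lookup (constructed)"/>
  </ReportHost>
  <ReportHost name="10.20.1.12">
   <HostProperties><tag name="host-ip">10.20.1.12</tag></HostProperties>
   <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
               pluginID="90004" pluginName="Scan information (constructed)"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Hosts the gate expects to verify (e.g. the quarantine VLAN's DHCP leases,
# constructed here); 10.20.1.13 never appears in the report at all.
SAMPLE_LEASES = ["10.20.1.10", "10.20.1.11", "10.20.1.12", "10.20.1.13"]

UNVERIFIED = "quarantine: unverified (no service answered; firewall or host off?)"


def parse_report(xml_text):
    """Map each ReportHost name to a list of (port, severity, plugin_name)."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        items = []
        for item in host.iter("ReportItem"):
            items.append((int(item.get("port", "0")),
                          int(item.get("severity", "0")),
                          item.get("pluginName", "")))
        findings[host.get("name")] = items
    return findings


def _describe(bad):
    return "; ".join(f"{name} (port {port}, severity {sev})"
                     for port, sev, name in bad)


def decide_naive(findings, leases, quarantine_severity=3):
    """The mistake: "no findings" is read as "clean", so a host the
    scanner never really reached passes along with the healthy ones."""
    decisions = {}
    for host in leases:
        bad = [f for f in findings.get(host, []) if f[1] >= quarantine_severity]
        decisions[host] = ("quarantine: " + _describe(bad)) if bad else "pass"
    return decisions


def decide_fail_closed(findings, leases, quarantine_severity=3):
    """A host passes only if the scanner saw at least one real service
    (port > 0) on it AND none of its findings reach the threshold.
    Everything else stays in the remediation VLAN until an agent or a
    manual check can vouch for it."""
    decisions = {}
    for host in leases:
        items = findings.get(host, [])
        if not any(port > 0 for port, _, _ in items):
            decisions[host] = UNVERIFIED
            continue
        bad = [f for f in items if f[1] >= quarantine_severity]
        decisions[host] = ("quarantine: " + _describe(bad)) if bad else "pass"
    return decisions


def run_sample():
    """Return (naive, fail_closed) decision maps for the constructed data."""
    findings = parse_report(SAMPLE_NESSUS)
    return (decide_naive(findings, SAMPLE_LEASES),
            decide_fail_closed(findings, SAMPLE_LEASES))


if __name__ == "__main__":
    naive, strict = run_sample()
    for host in SAMPLE_LEASES:
        print(f"{host:12s} naive={naive[host]!r}  fail-closed={strict[host]!r}")
```

Run stand-alone, the two silent hosts (10.20.1.12, which only produced the scanner's own host record, and 10.20.1.13, which is missing from the report entirely) come out as "pass" from the naive rule and as "unverified, stay quarantined" from the fail-closed one, while the host with a severity-4 finding is quarantined under both and the host that answered on 139 with nothing serious passes under both. The severity threshold and the port > 0 test are assumptions to tune per site; a personal firewall that still exposes a service or two will look "scanned" to this rule, which is exactly why the thread's consensus is that an on-host agent, not a remote scan, is the long-term answer. The script only stops the scan gate from turning an invisible host into a clean one.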