[unisog] Server based scan for student computers

Ramon Kagan rkagan at yorku.ca
Tue May 17 17:04:16 GMT 2005


Hi,

The way we deal with that particular issue is:

1.  Setting the netmask on the registration vlan to 255.255.255.255 and
the gateway to the registration server (and scanning server) itself.
Note: This is only done for MSFT desktops.  v3 of dhcp allows the
following config:

class "microsoft" {
  # Windows clients send a vendor-class-identifier (DHCP option 60)
  # beginning with "MSFT"; only the first four bytes are compared.
  match if (substring(option vendor-class-identifier, 0, 4) = "MSFT");
  # Host-only mask: the client sees no on-link peers and sends every
  # packet to its router, which is set to the registration server.
  option subnet-mask 255.255.255.255;
}

i.e. Windows DHCP requests have MSFT in the headers

2.  Making available a CD for download within the labs containing all MSFT
updates, antivirus software and updates, etc.

Overall with a netmask of 255.255.255.255 the only computer they can talk
to is the registration server limiting attacks on the auth-vlan.

Ramon Kagan
York University, Computing and Network Services
Information Security  -  Senior Information Security Analyst
(416)736-2100 #20263
rkagan at yorku.ca

-----------------------------------   ------------------------------------
I have not failed.  I have just        I don't know the secret to success,
found 10,000 ways that don't work.     but the secret to failure is
                                       trying to please everybody.
        - Thomas Edison                        - Bill Cosby
-----------------------------------   ------------------------------------

On Tue, 17 May 2005, Kent Percival wrote:

> > -----Original Message-----
> > From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of
> Paul Seward
>    ...cut...
> > That sounds very much like what we do on our ResNet.  Currently we're
> > using a (very site specific and as such not generally fit for public
> > consumption) homebrew system.
> >
> > The full process goes something like:
> > - machine is given a DHCP address on a registration vlan with very limited
> > access (they can get to the registration server and windowsupdate but
> > that's about it)
>     ...cut...
>
> A lot of institutions have similar commercial or homebrew implementations.   One thing I'm
> concerned about is the exposure on the registration vlan.   During the peak registration
> period, there may be several users attempting to register at the same time.  During some
> period these machines are on the same and can become aware of each other if the standard
> Windows networking is enabled.  Viruses could propagate during this time and personal
> information could be exposed.  We all know a lot of damage can be done in a very short
> time!  How do you deal with this?
>
> ....Kent
>
> Kent Percival
> Office of the CIO
> University of Guelph
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
>

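A small model of the mechanism in the reply above, added here as an example and not code from the post or from ISC dhcpd: a parser for the DHCP option area, the same four-byte "MSFT" test on option 60 that the dhcpd class performs, the lease options handed to each class, and an on-link check that shows why a 255.255.255.255 mask leaves a client with no directly reachable neighbours. The addresses, the default mask and router for non-MSFT clients, and the constructed DISCOVER messages are assumptions.

```python
"""
Model of the dhcpd class match and the /32 "host-only" lease given to
Windows clients on a registration VLAN. Added example, not ISC dhcpd code;
all addresses below are assumed.
"""
import ipaddress

# DHCP option codes (RFC 2132)
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER = 0, 1, 3
OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_END = 53, 55, 60, 255
DHCPDISCOVER = 1

# Assumed addresses for the registration VLAN (not from the post)
REGISTRATION_SERVER = "10.99.0.1"    # also the DHCP server and scanner
DEFAULT_MASK = "255.255.255.0"       # what non-MSFT clients receive
DEFAULT_ROUTER = "10.99.0.254"       # real gateway for non-MSFT clients


def parse_options(blob):
    """Parse the TLV option area that follows the DHCP magic cookie."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def classify(opts):
    """Same test as the dhcpd.conf class:
    match if (substring(option vendor-class-identifier, 0, 4) = "MSFT")."""
    vci = opts.get(OPT_VENDOR_CLASS, b"")
    return "microsoft" if vci[:4] == b"MSFT" else None


def lease_options(client_class):
    """Options offered on the registration VLAN for a given class."""
    if client_class == "microsoft":
        # /32 mask and the registration server as router: every packet the
        # client sends goes to that server, none directly to a neighbour.
        return {OPT_SUBNET_MASK: "255.255.255.255",
                OPT_ROUTER: REGISTRATION_SERVER}
    return {OPT_SUBNET_MASK: DEFAULT_MASK, OPT_ROUTER: DEFAULT_ROUTER}


def encode_options(opts):
    """Serialise an option dict (dotted-quad strings or bytes) back to TLV."""
    out = bytearray()
    for code, val in opts.items():
        raw = ipaddress.ip_address(val).packed if isinstance(val, str) else val
        out += bytes([code, len(raw)]) + raw
    out.append(OPT_END)
    return bytes(out)


def handle_discover(blob):
    """Server side: parse the request, classify it, return the offer options."""
    opts = parse_options(blob)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("not a DHCPDISCOVER")
    return lease_options(classify(opts))


def is_on_link(own_ip, mask, peer_ip):
    """Would a host with this lease ARP for peer_ip directly (True) or hand
    the packet to its router (False)?"""
    net = ipaddress.ip_network("%s/%s" % (own_ip, mask), strict=False)
    return ipaddress.ip_address(peer_ip) in net


def build_discover(vendor_class):
    """Constructed DHCPDISCOVER option area (fixed header omitted), for testing."""
    return (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
            + bytes([OPT_PARAM_LIST, 3, OPT_SUBNET_MASK, OPT_ROUTER, 6])
            + bytes([OPT_END]))


if __name__ == "__main__":
    for vci in (b"MSFT 5.0", b"udhcp 1.30.1"):
        offer = handle_discover(build_discover(vci))
        print(vci, offer)
        print("  reaches 10.99.0.11 directly:",
              is_on_link("10.99.0.10", offer[OPT_SUBNET_MASK], "10.99.0.11"))
```

The on-link check is the point of the trick: with 255.255.255.255 every destination except the client's own address is off-link, so the Windows client sends it to its router, which is the registration server. Two caveats worth keeping in mind: the lease only shapes what a cooperating Windows client does, and all clients still share one broadcast domain, so broadcast traffic (NetBIOS name queries, for instance) still reaches every host on the VLAN; and a client that the class does not match keeps its ordinary mask and can still address its neighbours directly.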
