[unisog] Server based scan for student computers

Oscar Knight knightod at appstate.edu
Tue May 17 18:06:28 GMT 2005


> Kent Percival wrote:
> A lot of institutions have similar commercial or homebrew
> implementations.  One thing I'm concerned about is the exposure on the
> registration vlan.  During the peak registration period, there may be
> several users attempting to register at the same time.  During some
> period these machines are on the same VLAN and can become aware of each
> other if the standard Windows networking is enabled.  Viruses could
> propagate during this time and personal information could be exposed.
> We all know a lot of damage can be done in a very short time!  How do
> you deal with this?

Hello All,

At least one commercial application uses (or did in the past) 30 bit
networks.  You would need a large address space.  If you needed some
external access, i.e. Windows Update, then I think you would do NAT.

Example:  (please note, I'm not a router person; this may all be incorrect)

   Address Space:  10.100.16.0/20

   Using 30 bit networks the above space is carved up into 1024 networks
   looking like:

     10.100.16.0     broadcast
     10.100.16.1     workstation
     10.100.16.2     router
     10.100.16.3     network mask

     10.100.16.4     broadcast
     10.100.16.5     workstation
     10.100.16.6     router
     10.100.16.7     network mask

     ...

     10.100.31.252    broadcast
     10.100.31.253    workstation
     10.100.31.254    router
     10.100.31.255    network mask

The above means you have a LOT of secondary addresses, 1024 on the router
interface.  I don't think the DHCP config would be pretty.  Lots of other
details...

I think you would only want to do this for your registration/remediation
vlan.  The idea is that malware will typically use the IP stack and for
the most part each machine will not "see" the others' IF the router blocks
the traffic.

You can probably tell from my comments that we have not and do not use 30
bit networks.  If anyone out there uses 30 bit networks, either commercial
or homebrew then I would be very interested in hearing about your
experiences.


odk
--
Oscar D. Knight
Appalachian State University, Boone, NC
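As an added illustration of the /30-per-workstation carving described in the post above (example code, not part of the original message or any product the thread mentions): this Python script splits the post's 10.100.16.0/20 into its 1024 /30 subnets and generates the per-subnet addressing, an ISC dhcpd-style subnet stanza per workstation, and the list of secondary addresses the router interface would carry. It uses the standard library's ipaddress module, which follows the usual IPv4 convention that the lowest address of each subnet is the network address and the highest is the broadcast address; the interface name and the Cisco-style "secondary" keyword are assumptions, so adapt them to your platform.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed input: the address space used in the post.
REGISTRATION_SPACE = "10.100.16.0/20"


def carve_p2p_subnets(space: str, new_prefix: int = 30) -> List[Dict[str, str]]:
    """Split `space` into /new_prefix subnets and describe each one.

    For a /30 the ipaddress module yields exactly two usable hosts; the
    first is handed to the workstation, the last to the router.
    """
    net = ipaddress.ip_network(space, strict=True)
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the parent prefix")
    if new_prefix > 30:
        raise ValueError("the workstation/router layout needs two usable hosts")
    entries = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        entries.append({
            "subnet": str(sub),
            "network": str(sub.network_address),
            "workstation": str(hosts[0]),
            "router": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "netmask": str(sub.netmask),
        })
    return entries


def dhcpd_stanza(entry: Dict[str, str]) -> str:
    """One ISC dhcpd subnet declaration whose pool holds a single address."""
    return (
        f"subnet {entry['network']} netmask {entry['netmask']} {{\n"
        f"  range {entry['workstation']} {entry['workstation']};\n"
        f"  option routers {entry['router']};\n"
        f"  option broadcast-address {entry['broadcast']};\n"
        f"}}\n"
    )


def router_secondaries(entries: List[Dict[str, str]], iface: str = "Vlan100") -> str:
    """Interface config with one primary and N-1 secondary addresses.

    The Cisco-style 'secondary' keyword and interface name are assumptions
    about the platform; other vendors express the same thing differently.
    """
    lines = [f"interface {iface}"]
    for i, e in enumerate(entries):
        suffix = "" if i == 0 else " secondary"
        lines.append(f" ip address {e['router']} {e['netmask']}{suffix}")
    return "\n".join(lines)


def on_link_peers(entries: List[Dict[str, str]], addr: str) -> Set[str]:
    """Addresses a workstation at `addr` can reach without going through
    the router (i.e. what it would see via ARP/broadcast on its own /30).
    With a /30 per client that is only the router's address, which is the
    isolation the post is after."""
    ip = ipaddress.ip_address(addr)
    for e in entries:
        if ip in ipaddress.ip_network(e["subnet"]):
            return {e["workstation"], e["router"]} - {addr}
    raise ValueError(f"{addr} is not inside any carved subnet")


if __name__ == "__main__":
    subs = carve_p2p_subnets(REGISTRATION_SPACE)
    print(f"{len(subs)} subnets carved from {REGISTRATION_SPACE}")
    print(dhcpd_stanza(subs[0]))
    print(router_secondaries(subs[:3]))
    print("on-link peers of", subs[0]["workstation"], "->", on_link_peers(subs, subs[0]["workstation"]))
```

Running it prints the first dhcpd stanza and the first three router addresses; the full 1024-stanza configuration is exactly the "not pretty" DHCP config the post anticipates, so generate it rather than hand-write it. Note that on_link_peers only models the IP layer: a /30 stops hosts from addressing each other directly, but clients that share a physical VLAN still share layer 2 unless the switch also enforces isolation (private VLANs or a similar port-isolation feature).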
