[unisog] Server based scan for student computers

Jens Haeusser jens.haeusser at ubc.ca
Tue May 17 19:34:33 GMT 2005


Cisco, Nortel, and other switch vendors have introduced the concept of
private VLANs: VLANs where you cannot send packets to any other member of
the same VLAN, except for the gateway address. Cisco's Private VLAN
implementation is more flexible than most, and you can find a fuller
description at
http://www.cisco.com/en/US/tech/tk389/tk814/tsd_technology_support_protocol_home.html

Using Private VLANs on your edge switches, you can place all machines by
default in a registration VLAN that allows no access to any device other
than your registration server/gateway. Once machines have been registered
and deemed secure by your various scanning systems, they can then be moved
into a normal VLAN with full connectivity.

Jens Haeusser
Manager, Information Security Office
University of British Columbia
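
As an added illustration (not part of the original post), the edge-switch configuration below shows the registration design described above on a Cisco Catalyst running IOS: student ports default into an isolated secondary VLAN whose members can reach only the promiscuous port, where the registration server/gateway sits. VLAN numbers, interface names, and the "normal" VLAN used after registration are assumed values chosen for the example; Cisco requires VTP transparent mode for private VLANs on this platform.

```cisco
! Private VLANs need VTP transparent mode (assumption: VTP v1/v2 switch)
vtp mode transparent
!
! Secondary VLAN: isolated, so host ports cannot exchange frames with
! each other at all, including broadcasts (Windows browsing, ARP to peers)
vlan 201
 name REG-ISOLATED
 private-vlan isolated
!
! Primary VLAN carries the gateway side and is bound to the isolated VLAN
vlan 200
 name REG-PRIMARY
 private-vlan primary
 private-vlan association 201
!
! Normal VLAN a machine is moved to once registered and scanned clean
vlan 300
 name STUDENT-FULL
!
! Uplink to the registration server/gateway: promiscuous, sees every host
interface GigabitEthernet0/1
 description uplink to registration gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Student edge ports default into the isolated VLAN (host ports)
interface range GigabitEthernet0/2 - 24
 description student edge port, default = registration VLAN
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! After registration: the port is reconfigured as a plain access port
! in the full-connectivity VLAN (example for one port)
interface GigabitEthernet0/5
 description student edge port, registered
 no switchport private-vlan host-association
 switchport mode access
 switchport access vlan 300
```

Verify the bindings with "show vlan private-vlan" and "show interfaces GigabitEthernet0/2 switchport"; a host port that shows up in the isolated VLAN but not as "private-vlan host" is the usual misconfiguration that lets registrants see each other.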


-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Kent Percival
Sent: May 17, 2005 9:47 AM
To: 'UNIversity Security Operations Group'
Subject: RE: [unisog] Server based scan for student computers

> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Paul Seward
>    ...cut...
> That sounds very much like what we do on our ResNet.  Currently we're
> using a (very site specific and as such not generally fit for public
> consumption) homebrew system.
>
> The full process goes something like:
> - machine is given a DHCP address on a registration vlan with very limited
> access (they can get to the registration server and windowsupdate but
> that's about it)
>    ...cut...

A lot of institutions have similar commercial or homebrew implementations.
One thing I'm concerned about is the exposure on the registration vlan.
During the peak registration period, there may be several users attempting
to register at the same time. During some period these machines are on the
same vlan and can become aware of each other if the standard Windows
networking is enabled.  Viruses could propagate during this time and
personal information could be exposed.  We all know a lot of damage can be
done in a very short time!  How do you deal with this?

....Kent

Kent Percival
Office of the CIO
University of Guelph


_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
