[unisog] Server based scan for student computers
jens.haeusser at ubc.ca
Tue May 17 19:34:33 GMT 2005
Cisco, Nortel, and other switch vendors have introduced the concept of
private VLANs: VLANs where you cannot send packets to any other member of
the same VLAN, except for the gateway address. Cisco's Private VLAN
implementation is more flexible than most, and you can find a fuller
Using Private VLANs on your edge switches, you can place all machines by
default in a registration VLAN that allows no access to any device other
than your registration server/gateway. Once machines have been registered
and deemed secure by your various scanning systems, they can then be moved
into a normal VLAN with full connectivity.
Manager, Information Security Office
University of British Columbia
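The registration-VLAN layout described above, written out as a Cisco IOS Private VLAN configuration. This is an added example, not configuration from the original post or from UBC: the VLAN numbers (100 primary, 101 isolated, 200 normal), interface names and descriptions are assumptions chosen for illustration.

```cisco
! Primary VLAN: the container; the gateway/registration server lives here
vlan 100
 name Registration-Primary
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN: hosts in it can reach only promiscuous ports,
! never each other, which is what blocks Windows networking / worm spread
! between unregistered machines
vlan 101
 name Registration-Isolated
 private-vlan isolated
!
! Promiscuous port: registration server / gateway. It can talk to every
! isolated host, and every isolated host can talk to it.
interface GigabitEthernet1/0/1
 description Registration server and gateway (assumed port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Default placement for all student edge ports: isolated host ports.
interface range GigabitEthernet1/0/2 - 24
 description Student edge ports, unregistered by default
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Once a machine has registered and passed scanning, its port is moved to
! a normal access VLAN with full connectivity (200 is an assumed number).
interface GigabitEthernet1/0/5
 description Registered host, moved to production VLAN
 switchport mode private-vlan host
 no switchport private-vlan host-association
 switchport mode access
 switchport access vlan 200
```

To check that isolation is actually in effect, `show vlan private-vlan` should list 101 as isolated and associated with 100, and from an unregistered host the gateway should answer pings while another unregistered host on the same switch should not. Two caveats a practitioner will run into: on Catalyst 3560/3750-class switches the switch must be in VTP transparent mode before `private-vlan` commands are accepted, and the isolation only holds at layer 2, so the gateway or registration server must not proxy-ARP or route traffic back into the isolated VLAN, or hosts will reach each other through it. On smaller edge switches without full Private VLAN support, `switchport protected` on each student port gives the same no-host-to-host behaviour within a single switch.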
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Kent Percival
Sent: May 17, 2005 9:47 AM
To: 'UNIversity Security Operations Group'
Subject: RE: [unisog] Server based scan for student computers
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of
> That sounds very much like what we do on our ResNet. Currently we're
> using a (very site specific and as such not generally fit for public
> consumption) homebrew system.
> The full process goes something like:
> - machine is given a DHCP address on a registration vlan with very limited
> access (they can get to the registration server and windowsupdate but
> that's about it)
A lot of institutions have similar commercial or homebrew implementations.
One thing I'm concerned about is the exposure on the registration vlan. During the peak
period, there may be several users attempting to register at the same time.
During this period these machines are on the same VLAN and can become aware of each other if
Windows networking is enabled. Viruses could propagate during this time and
information could be exposed. We all know a lot of damage can be done in a short
time! How do you deal with this?
Office of the CIO
University of Guelph