[unisog] Server based scan for student computers

Kent Percival percival at uoguelph.ca
Tue May 17 20:29:45 GMT 2005


Ultimately a hardware solution like private VLANs is the only thing that works.  Using a 21
bit mask in the IP network layer only catches IP traffic.   Viruses propagate very quickly
between some systems using NetBIOS and other protocols that are not IP based and which
treat the whole VLAN as one happy family!

....Kent


> -----Original Message-----
> From: Jens Haeusser [mailto:jens.haeusser at ubc.ca]
>
> Cisco, Nortel, and other switch vendors have introduced the concept of
> private VLANs: VLANs where you cannot send packets to any other member of
> the same VLAN, except for the gateway address. Cisco's Private VLAN
> implementation is more flexible than most, and you can find a fuller
> description at
> http://www.cisco.com/en/US/tech/tk389/tk814/tsd_technology_support_protocol_home.html .
>
> Using Private VLANs on your edge switches, you can place all machines by
> default in a registration VLAN that allows no access to any device other
> than your registration server/gateway. Once machines have been registered
> and deemed secure by your various scanning systems, they can then be moved
> into a normal VLAN with full connectivity.
>
> Jens Haeusser
> Manager, Information Security Office
> University of British Columbia
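For readers who have not set this up, here is what the registration-VLAN design Jens describes looks like on a Cisco Catalyst switch. This is an added illustration, not configuration from either poster; the VLAN numbers, interface names and the choice of Gi0/24 as the uplink to the registration server/gateway are assumptions.

```text
! Private VLANs on Catalyst IOS require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
! Primary VLAN 200 carries the gateway side; secondary VLAN 201 is the
! isolated "registration" VLAN. Hosts in an isolated VLAN can reach only
! the promiscuous port (the gateway/registration server), never each other,
! and this holds at layer 2, so NetBIOS and other non-IP traffic is blocked too.
vlan 200
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated
!
! Edge port for an unregistered student machine: host port bound to the
! isolated secondary VLAN.
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Uplink toward the registration server / default gateway: promiscuous port
! that is allowed to talk to every member of the isolated VLAN.
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! After the machine has registered and passed the scans, the "move to a
! normal VLAN" step is simply reassigning its edge port to an ordinary
! access VLAN (VLAN 100 is assumed here), which restores full connectivity.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
```

On platforms that enforce a limit on private-VLAN port pairs, the isolated VLAN should be the only secondary VLAN needed for this use, since the point is that no two unregistered hosts can reach one another.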
