[unisog] Server based scan for student computers

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Thu May 19 14:05:33 GMT 2005

We have a similar environment here as regards registration VLANs.
Nothing of course is 100%, but we've found the issue of cross
propagation of viruses to be relatively minor in the protected VLANs.
We do the following:

The registration VLANs have no access to the Internet.  Therefore any
resident Trojans cannot access their chat site for instructions, and are
often fairly dormant.

We have ACLs in effect that prohibit users from communicating with other
than registration type services.  A computer that is on the same feed
port (building or in some cases floor) can broadcast to others within
the building, but not to other ports (locations).  

And as Mike says, firewalls are pretty common these days.   

Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
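The policy Dave describes (no Internet from the registration VLANs, ACLs that permit only registration-type services, and broadcast domains bounded by the building feed port) can be checked as a small decision model. The following is an added illustration, not code from the thread or from either university's network; the addresses, segment names and service ports are constructed placeholders, and the rule order is one reasonable reading of the description rather than anyone's actual ACL.

```python
"""Decision model of a registration-VLAN egress policy.

Constructed example: addressing, service hosts and rule order are assumptions,
not the configuration of any real campus network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical: one /24 per building feed port on the registration VLAN.
REGISTRATION_SEGMENTS = {
    "building-A": ip_network("10.200.1.0/24"),
    "building-B": ip_network("10.200.2.0/24"),
}

# Hypothetical registration-type services reachable from the isolation zone.
REGISTRATION_SERVICES = {
    ("10.250.0.10", "udp", 53),    # DNS resolver for the portal name
    ("10.250.0.20", "tcp", 80),    # registration web portal
    ("10.250.0.20", "tcp", 443),
}

PRIVATE_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(addr: str) -> Optional[str]:
    """Name of the feed-port segment an address belongs to, if any."""
    a = ip_address(addr)
    for name, net in REGISTRATION_SEGMENTS.items():
        if a in net:
            return name
    return None


def is_internal(addr: str) -> bool:
    """True for RFC 1918 destinations; anything else counts as Internet."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for a flow that originates on the registration VLAN.

    Rules, in order:
      0. DHCP must be allowed or the client never gets an address.
      1. Registration-type services are reachable from any segment.
      2. No Internet: public destinations are dropped, so a resident Trojan
         cannot reach its command channel.
      3. Peer traffic is allowed only within the same feed port (building);
         cross-port traffic is dropped.
    """
    if flow.proto == "udp" and flow.dport == 67:
        return "permit", "dhcp"
    if (flow.dst, flow.proto, flow.dport) in REGISTRATION_SERVICES:
        return "permit", "registration-service"
    if not is_internal(flow.dst):
        return "deny", "no-internet"
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is not None and src_seg == dst_seg:
        return "permit", "same-feed-port"
    return "deny", "cross-port-or-non-registration"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of flows; useful for reviewing a proposed rule set."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows covering each rule.
    samples = [
        Flow("10.200.1.5", "255.255.255.255", "udp", 67),  # DHCP discover
        Flow("10.200.1.5", "10.250.0.20", "tcp", 443),     # portal
        Flow("10.200.1.5", "198.51.100.7", "tcp", 80),     # Internet
        Flow("10.200.1.5", "10.200.1.9", "tcp", 445),      # peer, same building
        Flow("10.200.1.5", "10.200.2.9", "tcp", 445),      # peer, other building
    ]
    for flow, verdict, reason in audit(samples):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {verdict} ({reason})")
```

The model makes the residual exposure Mike raised explicit: Windows file-sharing traffic between two hosts on the same building feed port (rule 3) is still permitted, which is exactly the window that host firewalls are expected to close.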

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Mike Wiseman
Sent: Thursday, May 19, 2005 9:35 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Server based scan for student computers

> A lot of institutions have similar commercial or homebrew
> implementations.   One thing I'm concerned about is the exposure on the
> registration vlan.   During the peak registration period, there may be
> several users attempting to register at the same time.  During some
> period these machines are on the same and can become aware of each
> other if the standard Windows networking is enabled.  Viruses could
> propagate during this time and personal information could be exposed.
> We all know a lot of damage can be done in a very short time!  How do
> you deal with this?

I used to worry about this - our modified Netreg system is configured to
use a large subnet for the isolation zone. But nowadays, Windows
Firewall in XP SP 2 would protect machines from all the old network
exploits such as LSASS and RPC. Also, our campus network is not exactly
a clean zone, yet :-), so putting a lot of effort in making the
isolation zone clean from exploit propagation doesn't seem worth it. In
my mind, if a user attaches to our network with a computer that has not
been properly managed, then it's probably already compromised. If it has
been managed properly, up to date on patches, AV, firewall, clean of
spyware, etc. then that machine doesn't need the protection of  the
isolation zone. The compromised machine still benefits from the
isolation zone connection because it is forced into vulnerability

