[unisog] Cisco 2950 protected ports in residential halls

Stasiniewicz, Adam stasinia at msoe.edu
Tue Nov 22 05:10:30 GMT 2005


We at one point did something similar to this.  Basically we have a
large problem with viruses that spread via SMB.  So we started to block
ports 137-139+445 at the switch level.  This did wonders at stopping
these viruses, but because of the uproar from users (and a couple other
issues) we decided to set the switches to only log when traffic on these
ports was detected.  The biggest (legitimate) complaint from residents
was that they like to move files among the multiple computers in their
dorm room.  So they might have a desktop that they store "school files"
on, that they would like to be able to access from a laptop across
campus.  So we decided to only log these events.  Now when there is any
above average load on the switches, the helpdesk staff will dump the
logs from the switches, look for the person that is running the NetBIOS
port scanner, and go bang on their door.

Some other things we have done in this area:
1.  We make it standard policy that when an employee visits someone's
room and either the person is not there, or they are not very
cooperative to fix their computer immediately, we turn off their
Ethernet port.  BTW: cooperative means that before the employee leaves
the room, the problem is fixed.

Granted this is not the friendliest of solutions, but we find that 5% of
students end up complaining, while 50% of students thank us for taking
an active stance in correcting the problem.

2.  We have a mandatory laptop program at MSOE.  Basically all full-time
students are given a new laptop every 2 years as part of the full-time
tuition.  Because of this, we can control what software is installed on
the laptops when they are issued.  Since the start of last year, all
laptops have had 2 major settings turned on.  First, the XP firewall was
turned on, and second, we set (via GPO) that automatic updates be turned
on and install automatically.  This has also helped drastically.

Understandably, most universities don't have mandatory laptop programs,
but there are a few things most universities can apply.  For any
"university owned" computer, be it a lab machine or office computer,
turn on the firewall and enable automatic updates.  And for the
students, you can specify in their login script that they must use
Automatic Updates.  

If anyone is not sure how to setup a login script to do this, please let
me know and I will provide a quick guide.

Hope this helps,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Royston Boot
Sent: Monday, November 21, 2005 9:45 PM
To: unisog at lists.sans.org
Subject: [unisog] Cisco 2950 protected ports in residential halls


We are planning to block traffic between residential hall/dorm users by
configuring the ports on our Cisco 2950 access switches as "switchport
protected". In testing it all behaves as expected, with individual users
unable to talk to each other, but no problems with traffic to/from our
central servers. The aim is to reduce the problems caused by unpatched,
worm infected machines as well as to help eliminate copyright infringing
P2P traffic, games, video streaming etc. I appreciate this will be
unpopular with the users!

I'm interested to hear the experiences of others who have tried this,
and what sort of problems they came across. 


Royston Boot
Internet and Security Manager
Lincoln University
Canterbury, New Zealand

Phone: (64) (3) 325 2811 x8594
Cell:     (0274) 820 079
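The configuration both posters describe, written out as an added example (this is not config from either Adam or Royston, and neither message gives their actual interface names, VLANs or ACL names; FastEthernet0/1 - 24 as the resident-facing ports, GigabitEthernet0/1 as the uplink, VLAN 10, the server subnet 192.0.2.0/24, the syslog host 192.0.2.10 and the ACL names are all assumed for illustration). It shows Royston's "switchport protected" on the access ports with the uplink left unprotected, and Adam's two variants of the NetBIOS/SMB ACL: the one that blocked ports 137-139 and 445 between hosts, and the log-only one he settled on.

```cisco
! Added example, not taken from either message in this thread.
! Interface numbers, VLAN 10, the 192.0.2.0/24 server subnet, the
! syslog host and the ACL names are assumptions for illustration.

! Resident-facing access ports. Protected ports on one switch cannot
! forward unicast, multicast or broadcast frames to each other; they
! only exchange traffic through an unprotected port (the uplink).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! The uplink stays unprotected so residents can still reach the
! central servers, which is the behaviour Royston saw in testing.
interface GigabitEthernet0/1
 switchport mode trunk
!
! Variant A: block NetBIOS/SMB between hosts (the setting Adam later
! rolled back). SMB to the central file servers is permitted first so
! a resident can still reach university file shares.
ip access-list extended NETBIOS-BLOCK
 permit tcp any 192.0.2.0 0.0.0.255 range 137 139
 permit tcp any 192.0.2.0 0.0.0.255 eq 445
 permit udp any 192.0.2.0 0.0.0.255 range 137 138
 deny   tcp any any range 137 139 log
 deny   tcp any any eq 445 log
 deny   udp any any range 137 138 log
 permit ip any any
!
! Variant B: log only (what Adam settled on). Nothing is dropped; each
! NetBIOS/SMB hit produces a syslog entry the helpdesk can grep for a
! single source talking to many destinations on these ports.
ip access-list extended NETBIOS-LOG
 permit tcp any any range 137 139 log
 permit tcp any any eq 445 log
 permit udp any any range 137 138 log
 permit ip any any
!
! Apply one variant inbound on the resident ports (only one ACL per
! direction per interface; change the name to switch variants).
interface range FastEthernet0/1 - 24
 ip access-group NETBIOS-LOG in
!
! Ship the ACL log messages off the switch so "dumping the logs" does
! not depend on the switch's small logging buffer.
logging host 192.0.2.10
logging trap informational
```

Two caveats before rolling this out. "switchport protected" isolates ports only on the same switch: two residents on different 2950s in the same VLAN can still reach each other through the uplinks, so a worm in one building is contained per closet, not per VLAN; full isolation across switches needs private VLANs on a platform that supports them, or an ACL like the ones above at the point where the resident VLANs are routed. On the 2950, IP ACLs on physical ports need the Enhanced Image and are applied inbound only, and Adam does not say which platform produced the logs he describes, so confirm on a lab switch that the log keyword actually generates syslog entries on your image rather than assuming it does.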
