[unisog] Cisco 2950 protected ports in residential halls

PaulFM paulfm at me.umn.edu
Tue Nov 22 14:12:28 GMT 2005


"Login Script" is read from the machine that provides authentication of the 
user into their own machine.  To use this feature, you would have to add the 
user's machines to the Domain.   The danger - you would have to expose your 
domain controller to attacks by user machines (File and print sharing has to 
be open or the Login Script feature won't work).

Has anyone used "switchport protected" on ports connected to Wireless Access 
points?  Does it interfere with handoff from one access point to the next in 
any way?


Stasiniewicz, Adam wrote:

> Royston,
> 
> We at one point did something similar to this.  Basically we have a
> large problem with viruses that spread via SMB.  So we started to block
> ports 137-139+445 at the switch level.  This did wonders at stopping
> these viruses, but because of the uproar from users (and a couple other
> issues) we decided to set the switches to only log when traffic on these
> ports was detected.  The biggest (legitimate) complaint from residents
> was that they like to move files among the multiple computers in their
> dorm room.  So they might have a desktop that they store "school files"
> on, that they would like to be able to access from a laptop across
> campus.  So we decided to only log these events.  Now when there is any
> above average load on the switches, the helpdesk staff will dump the
> logs from the switches, look for the person that is running the NetBIOS
> port scanner, and go bang on their door.
> 
> Some other things we have done in this area:
> 1.  We make it standard policy that when an employee visits someone's
> room and either the person is not there, or they are not very
> cooperative to fix their computer immediately, we turn off their
> Ethernet port.  BTW: cooperative means that before the employee leaves
> the room, the problem is fixed.
> 
> Granted this is not the friendliest of solutions, but we find the 5% of
> students end up complaining, but 50% of the students thank us for taking
> an active stance in correcting the problem.
> 
> 2.  We have a mandatory laptop program at MSOE.  Basically all full-time
> students are given a new laptop every 2 years as part of the full-time
> tuition.  Because of this, we can control what software is installed on
> the laptops when they are issued.  Since the start of last year, all
> laptops have had 2 major settings turned on.  First the XP firewall was
> turned on, and second we set (via GPO) that automatic updates be turned
> on and install automatically.  This has also helped drastically.
> 
> Understandably, most universities don't have mandatory laptop programs,
> but there are a few things most universities can apply.  For any
> "university owned" computer, be it a lab machine or office computer,
> turn on the firewall and make automatic updates enabled.  And for the
> students, you can specify in their login script that they must use
> Automatic Updates.  
> 
> If anyone is not sure how to setup a login script to do this, please let
> me know and I will provide a quick guide.
> 
> Hope this helps,
> Adam Stasiniewicz 
> Computer and Communication Services Department 
> Milwaukee School of Engineering 
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Royston Boot
> Sent: Monday, November 21, 2005 9:45 PM
> To: unisog at lists.sans.org
> Subject: [unisog] Cisco 2950 protected ports in residential halls
> 
> Hi,
> 
> We are planning to block traffic between residential hall/dorm users by
> configuring the ports on our Cisco 2950 access switches as "switchport
> protected". In testing it all behaves as expected, with individual users
> unable to talk to each other, but no problems with traffic to/from our
> central servers. The aim is to reduce the problems caused by unpatched,
> worm infected machines as well as to help eliminate copyright infringing
> P2P traffic, games, video streaming etc. I appreciate this will be
> unpopular with the users!
> 
> I'm interested to hear the experiences of others who have tried this,
> and what sort of problems they came across. 
> 
> Thanks
> 
> 
> 
> Royston Boot
> Internet and Security Manager
> ITS
> Lincoln University
> Canterbury, New Zealand
> 
> Phone: (64) (3) 325 2811 x8594
> Cell:     (0274) 820 079
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
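Adam's message describes dumping switch logs under load and looking for the host running a NetBIOS port scanner. The script below is an added example (not code from anyone in this thread) of that triage step: it reads ACL log lines in the Cisco IOS %SEC-6-IPACCESSLOGP format, keeps only hits on ports 137-139 and 445, and flags sources that touched many distinct hosts, which separates a resident copying files between two machines from a worm sweeping the subnet. The switch name, list number, addresses and counts in the sample are constructed; whether a given switch model emits this log format is an assumption.

```python
import re
from collections import defaultdict

# Ports the thread describes blocking or logging: NetBIOS (137-139) and SMB (445).
SMB_PORTS = {137, 138, 139, 445}

# Constructed sample lines in the IOS ACL-logging format; hostnames, list number,
# addresses and packet counts are made up for this example.
SAMPLE_LOG = """\
Nov 22 13:01:02 sw-dorm1 1234: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.1.15(1045) -> 10.20.1.16(445), 1 packet
Nov 22 13:01:02 sw-dorm1 1235: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.1.15(1046) -> 10.20.1.17(445), 1 packet
Nov 22 13:01:03 sw-dorm1 1236: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.1.15(1047) -> 10.20.1.18(139), 1 packet
Nov 22 13:01:03 sw-dorm1 1237: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.1.15(1048) -> 10.20.1.19(445), 1 packet
Nov 22 13:01:04 sw-dorm1 1238: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.1.40(3021) -> 10.20.1.41(445), 12 packets
Nov 22 13:01:05 sw-dorm1 1239: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.1.40(3022) -> 10.20.1.41(139), 3 packets
Nov 22 13:01:06 sw-dorm1 1240: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.1.50(2001) -> 10.20.1.5(80), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ (?:permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def smb_targets_by_source(log_text):
    """Map each source IP to the set of distinct hosts it contacted on NetBIOS/SMB ports."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an ACL log line, skip it
        if int(m.group("dport")) in SMB_PORTS:
            targets[m.group("src")].add(m.group("dst"))
    return targets

def find_scanners(log_text, min_targets=3):
    """Return sources that hit at least min_targets distinct hosts on SMB ports.

    One resident moving files between their own machines touches one or two
    hosts; a worm or NetBIOS scanner sweeps many, so the distinct-target count
    is the discriminator rather than the raw packet count."""
    return sorted(src for src, dsts in smb_targets_by_source(log_text).items()
                  if len(dsts) >= min_targets)

if __name__ == "__main__":
    by_source = smb_targets_by_source(SAMPLE_LOG)
    for src in find_scanners(SAMPLE_LOG):
        print(f"{src}: {len(by_source[src])} distinct SMB targets")
```

Feed it the syslog export from the switch (or the output of `show logging`) and raise `min_targets` to suit the size of the hall's subnet.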

