[unisog] risks of a mixed network

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Tue Oct 24 15:58:04 GMT 2006

One thing you might try is to incorporate strict source address rules on
your ACLs.  We've found that it does stop a lot of junk from

Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376



From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Jenkins, Matthew
Sent: Tuesday, October 24, 2006 11:44 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] risks of a mixed network

I presume your students are purchasing cable modems themselves, and the
cable modem traffic will not be provided by the university.  Your safest
bet if you don't have a firewall is to put ACLs on the router acting as
the student's gateway.  We use ACLs on the gateways to lock down student
access very tightly.  I'm not sure how you could actually prevent someone
from bridging the network using a dual-homed workstation.



Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at http://www.fairmontstate.edu/


From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Josh Fiske
Sent: Tuesday, October 24, 2006 8:28 AM
To: UNIversity Security Operations Group
Subject: [unisog] risks of a mixed network


Hi all, 

I'm eager to get some input from other network/security folks...to make
sure I haven't missed anything on this one. 

At our site, we have residence halls for which we provide network
connectivity.  We have a PacketShaper which does P2P restriction and
bandwidth limiting.  Some students (particularly our gamers) are
interested in purchasing cable-modem service in their dorm room so that
they can play their games at a higher speed.  I'd love to be able to
provide these students with a solution that fits their needs (or wants),
but I need to balance that with any potential risks. 

In my mind, the main concern with this scenario is the risk of bridging
our site's network with the cable-modem provider.  Currently we have in
place Cisco switches with DHCP snooping enabled (so that DHCP responses
can only come from trusted ports), so I'm not too worried about a
backwards router providing addresses to the dorm's VLAN.  Obviously the
cable-modem would provide another entry point to the campus network (if
a machine were dual-homed or if bridging did occur), however at present
our ResNet doesn't have a firewall.  So, while the lack of a firewall is
a concern, the cable-modems would not introduce additional risk when
compared to the current situation.

So, these are the things that I am thinking about.  What else would you
recommend considering?  Have I missed anything blatant? 

Thanks for your feedback, 

-- Josh
- - - - -
Joshua Fiske, Network and Security Engineer
Clarkson University, Office of Information Technology
(315) 268-6722 -- Fax: (315) 268-6570
jfiske at clarkson.edu

CONFIDENTIALITY:  This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited.  If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.
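The controls discussed in this thread (the DHCP snooping Josh already runs, and the strict source-address ACL on the dorm gateway that Dave and Matthew suggest) as a Cisco IOS configuration fragment. This is an added example written for this page, not configuration posted by any of the participants; the VLAN number, interface names and the 10.20.0.0/16 dorm block are assumptions. It goes slightly beyond the thread by adding per-port IP Source Guard (which builds on the DHCP snooping binding table) and strict unicast RPF on the gateway interface.

```cisco
! --- Existing control (from Josh's post): DHCP snooping so that DHCP
!     responses are accepted only from trusted ports on the dorm VLAN.
!     VLAN 200 and the interface names are assumptions for this example.
ip dhcp snooping
ip dhcp snooping vlan 200
!
interface GigabitEthernet1/0/48
 description uplink toward the campus DHCP server (assumed)
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 47
 description dorm room ports (assumed)
 switchport access vlan 200
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
 ! Added beyond the thread: IP Source Guard. Only the address a port
 ! obtained through DHCP may appear as a source on that port, so a
 ! dual-homed or bridging host cannot forward ISP-side addresses into
 ! the VLAN even toward other dorm hosts that never cross the gateway.
 ip verify source
!
! --- Suggested control (Dave's and Matthew's replies): strict source
!     address rules in the ACL on the router interface acting as the
!     dorm gateway. 10.20.0.0/16 is an assumed dorm address block.
ip access-list extended RESNET-IN
 remark Only the dorm subnet may source traffic into the campus from this VLAN
 permit ip 10.20.0.0 0.0.255.255 any
 remark Everything else (e.g. cable-provider addresses leaking through a bridged host) is dropped and logged
 deny   ip any any log
!
interface Vlan200
 description dorm gateway (assumed)
 ip address 10.20.0.1 255.255.0.0
 ip access-group RESNET-IN in
 ! Added beyond the thread: strict unicast RPF. Packets whose source has
 ! no return route through this interface are discarded before the ACL.
 ip verify unicast source reachable-via rx
```

Two caveats a practitioner would want. The gateway ACL and uRPF only see traffic that is routed off the dorm VLAN, so on their own they do nothing about a bridged cable-modem segment reaching other hosts on the same VLAN; that is what the per-port `ip verify source` line covers. Strict uRPF (`reachable-via rx`) also drops legitimate traffic where routing is asymmetric, so on a gateway with more than one path it may need the `any` form instead.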
