[unisog] University ResNet IP address Management

Jeffrey Utter utterjef at msu.edu
Tue Jul 24 17:09:07 GMT 2007


Our system at Michigan State University works exactly the same for our 
wired network, but we don't use it for wireless.  We don't allow the 
user to specify a hostname, however, but we do allow them to choose for 
it to be anonymized and not based on their username.  We do a clean-up 
on this system every summer which requires computers that have not been 
active in 3 months to re-register; this catches most returning students and 
helps keep our database under control.  The network management team 
handles the subnets and ensures that there are enough IPs to go around; 
they get an alert when a threshold is met.

If you want more details on what we do let me know and I can forward 
your contact info to those that administer the service.

-- 
Jeff Utter
Network Security
Michigan State University
Academic Computing and Network Services
301 Computer Center
utterjef at msu.edu
517.432.7304


Peter John Hill wrote:
> Out of all the places I have worked, Carnegie Mellon has the best  
> system.
> 
> http://www.net.cmu.edu/netreg/
> 
> Instead of using the same size network blocks for every dorm, they  
> know from historical data how big a subnet should be and track  
> closely if they get close to capacity. It is relatively simple for  
> them to expand a subnet or move on due to their tools (Netreg).
> 
> A new student comes into the dorm, connects their machine to an  
> ethernet port or wireless, since that machine is not registered  
> (known by MAC addr, not perfect, but good enough to get onto the  
> network), the user opens a web page and gets redirected to a secure  
> web form, their mac address already filled in, compliments of the  
> dhcp server, which is tightly coupled into the system. The user can  
> pick their hostname and choose from allowed subdomains. If they want  
> to add a CNAME, or change their TTL, they can. There is now a database  
> entry that ties that mac address to a username and a group (from  
> LDAP), so that if the machine is found to be infected or doing  
> something bad, we know who to contact.
> 
> When students later connect to the network they get a dhcp address  
> from the available pool, and the dhcp server updates the DNS server  
> dynamically with TSIGs...
> 
> Requires mysql (or some other sql database with modification), ISC- 
> DHCP, BIND, Apache, and Perl.
> 
> The system is not designed to do any user authentication once a  
> machine is registered... It is to tie a username to a mac address. If  
> we find that someone is spoofing a MAC address, we will track the  
> duplicate mac address down to a switchport and investigate. That  
> would be treated as an abuse case.
> 
> On top of the data in the netreg database, they also put together  
> software called Epidemic, or netnotify. It is used to track abuse  
> incidents. It can automatically suspend a machine registration (host  
> still gets an ip address, but it is filtered on their local router).  
> It sends out warning emails, can interact with the switches and  
> routers to redirect infected machines to a web site to download  
> whatever patch is needed to fix whatever issue is found. The user can  
> then rescan their machine from a web page (if remote detection of fix  
> is possible) or else click a button saying, yes I cleaned my machine.
> 
> Any kind of forging a mac address to get around filters, or not  
> cleaning your machine but saying you did, results in an abuse case.
> 
> They also have their bandwidth quota system tied into both netreg and  
> epidemic.
> 
> http://www.net.cmu.edu/pres/jt0803/
> http://bwmo.net/
> 
> Hope at least one thing in here was useful...
> 
> Peter
> 
> On Jul 24, 2007, at 5:33 AM, Fred Portnoy wrote:
> 
>> We have allocated a.b.c.0/23 blocks of public address space to our ResNet
>> VLANs in residence halls. Students are assigned addresses by DHCP at
>> connection time, and are required to authenticate and undergo a host
>> integrity check to be allowed full network access. We are currently
>> implementing Bradford (today is day two of the implementation team on-site);
>> we expect that once students are authenticated and approved by Bradford, and
>> are moved into one of the pre-existing ResNet VLANs, they will continue to
>> be assigned a DHCP address on the appropriate ResNet VLAN as they have been
>> before.
>>
>> -fp
>>
>> Date: Mon, 23 Jul 2007 10:51:00 -0500
>> From: "Jason Murray" <jemurray at zweck.net>
>> Subject: [unisog] University ResNet IP address Management
>> To: unisog at lists.dshield.org
>> Message-ID:
>> 	<4fc813b0707230851k695e2023j5b0be8659593b341 at mail.gmail.com>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>> I am interested in how other Universities are managing (allocating) the IP
>> space in their residential halls?
>>
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
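The MAC-registration and quarantine flow Peter describes above, as an added toy model that is not part of this thread or of CMU's NetReg: the MAC formats, switchport names and the in-memory tables are constructed assumptions standing in for the real DHCP server, SQL database and LDAP group lookup.

```python
import re
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC or 0011.22aa.bbcc; return lower colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Registration:
    username: str
    group: str          # from LDAP in the real system; a plain string here (assumption)
    hostname: str
    suspended: bool = False


@dataclass
class NetReg:
    regs: dict = field(default_factory=dict)        # mac -> Registration
    seen_ports: dict = field(default_factory=dict)  # mac -> set of switchports
    abuse_cases: list = field(default_factory=list)

    def register(self, mac, username, group, hostname):
        self.regs[normalize_mac(mac)] = Registration(username, group, hostname)

    def suspend(self, mac):
        """Epidemic-style suspension: host keeps its registration but is filtered."""
        self.regs[normalize_mac(mac)].suspended = True

    def contact_for(self, mac):
        """Who to notify when a host is found infected: (username, group) or None."""
        reg = self.regs.get(normalize_mac(mac))
        return (reg.username, reg.group) if reg else None

    def dhcp_request(self, mac, switchport):
        """Decide what the DHCP/ACL side does with a request from mac on switchport."""
        mac = normalize_mac(mac)
        ports = self.seen_ports.setdefault(mac, set())
        ports.add(switchport)
        if len(ports) > 1:
            # one MAC seen on two switchports: open an abuse case for investigation
            self.abuse_cases.append((mac, sorted(ports)))
        reg = self.regs.get(mac)
        if reg is None:
            return "quarantine"   # lease from the unregistered pool, web redirect to the form
        if reg.suspended:
            return "filtered"     # still gets a lease, but the router ACL drops its traffic
        return "allow"
```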