Advice on our campus network, internal

TrEpIdAtIoN (Limp Gawd; joined Jan 30, 2002; 225 messages)
Just so you know this isn't how can i get by the firewall question.

Well, all the virus problems this year have really taken a shot at our network. I was wondering if anyone else works at a college campus and what they do to make sure their students install Windows updates and have AV of some kind installed. Most of the kids here are ABSOLUTELY clueless, despite the classes we make every freshman take. We even provide Symantec AV Corp. as a free DL while on campus. We have a little less than 6000 students, smaller college. There are gig fiber links to every hall; most students' ports are at 10 megs since all they do is instant messenger. We were looking at that Cisco reg ___ something, I forget the name. When tweaked with, it gives out a non-routable IP, verifies the computer has "x" updates, then gives a routable IP once it has passed the verification. Unfortunately trying to make the kids join any domain isn't really an option, workforce on campus really... (PS) The administration side of the network logs into the domain; we control that fine.

So in essence i'm just wondering what other people do?
Thanks (hope i made sense :-P )
 
aside from manually inspecting each machine, there isn't much you can do....

except for just watching traffic, blocking problem mac addresses, and sending the person in question a notification that they've got issues and need to come see you before they'll be allowed back on the network.

your best option as far as keeping viruses and other weird activity at a minimum, is to block ALL traffic that isn't on ports 21, 25, 80, and 110. you can add the ports for IM apps if you want to allow them, or anything else for that matter. it's easy to set up, easy to enforce, and doesn't require an insane amount of manpower - except to field all the calls of 'my kazaa doesn't work anymore'
 
Why should you care if someone screws over their own computer? If a specific mac address is linked to huge usage just turn them off. Otherwise just let the dumb weed themselves out.


/edit

I really hate filtered ports. I hate when people think they know what's best for me. To me, a filtered network is worse than censoring the press or abridging my freedom of speech. (granted it's not a right, but it damn well should be!)
 
Well, my roommate works with the admin guys at a university here in Halifax and he told me that they wrote a script to check if any of the computers were listening on the specific port for the MyDoom worm (it was 13xx I think); then they'd know those comps were infected.

As for a prevention method, I don't know what they're doing.
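The port sweep described above is the same check a later post in this thread attributes to Network Services (scan for the worm's port, drop the MAC from DHCP, ban it). What follows is an added example and not the Halifax admins' script or any code from this thread. The thread only half-remembers the MyDoom port ("13xx"), so the port is a parameter here; the dorm range 10.20.30.0/28, the 1.5 s timeout, the worker count and the `local_selftest` helper are assumptions for illustration. The scanner only completes a TCP handshake and closes; a listener on the backdoor port is the indicator, so it never speaks the worm's own protocol.

```python
"""Sweep campus address ranges for a TCP port a worm's backdoor listens on.

Added example for this thread, not the script mentioned above. The port is
a parameter because the thread only half-remembers it; the address range,
timeout and worker count in the usage section are assumptions.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host, port, timeout=1.5):
    """True if a full TCP handshake completes on host:port.

    Only connect and close: the listener itself is the indicator, so there is
    no need to send the worm's own protocol to confirm it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, no route
        return False


def expand_targets(targets):
    """Turn a mix of single IPs and CIDR blocks into a flat list of host strings."""
    hosts = []
    for target in targets:
        if "/" in target:
            net = ipaddress.ip_network(target, strict=False)
            hosts.extend(str(h) for h in net.hosts())
        else:
            hosts.append(str(ipaddress.ip_address(target)))
    return hosts


def scan_for_listeners(targets, port, timeout=1.5, workers=64):
    """Return the sorted list of hosts in `targets` that accept connections on `port`."""
    hosts = expand_targets(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = pool.map(lambda h: port_is_open(h, port, timeout), hosts)
        found = [h for h, is_open in zip(hosts, flags) if is_open]
    return sorted(found, key=ipaddress.ip_address)


def ban_list_lines(found, port):
    """Format hits the way the people pulling switch ports would want them."""
    return [f"{host}\tTCP/{port} listener\tpull port, notify owner" for host in found]


def local_selftest():
    """Lab check: bind a throwaway listener on loopback, confirm the scanner
    sees it, close it, confirm the scanner no longer does.
    Returns (seen_while_open, gone_after_close)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        seen = scan_for_listeners(["127.0.0.1"], port) == ["127.0.0.1"]
    finally:
        srv.close()
    gone = scan_for_listeners(["127.0.0.1"], port) == []
    return seen, gone


if __name__ == "__main__":
    # Hypothetical dorm subnet; 3127 is the TCP port MyDoom.A's backdoor
    # listened on, substitute whatever the current advisory names.
    hits = scan_for_listeners(["10.20.30.0/28"], 3127)
    print("\n".join(ban_list_lines(hits, 3127)) or "no listeners found")
```

Run it from a machine that sits on the same side of the firewall as the dorms, since any upstream port filter hides the listeners you are looking for; a host that answers is the one to pull, and the DHCP lease table maps the IP back to the MAC and switch port.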
 
Originally posted by karoth

I really hate filtered ports. I hate when people think they know what's best for me. To me, a filtered network is worse than censoring the press or abridging my freedom of speech. (granted it's not a right, but it damn well should be!)

and i hate being on the receiving end of them as well, but when working with users that are too stupid to understand what leaving kazaa and winmx running all day while they're not around leads to, and when the tech budget is too limited to pay for more bandwidth, and 60% of the traffic is file sharing, 25% is instant messaging and the remainder is a mix between porn and legitimate usage - there aren't any other options.

it sucks i know, but without money to buy more bandwidth, or to hire more IT staff, or to educate users, or to set up a more elegant solution involving some form of QOS, it becomes a viable option, and frequently the only option.

besides, there are always ways to circumvent security measures of this sort; i know, i've created as many as i've slipped past. the difference is that only the users that IMO deserve more get more.
 
Originally posted by karoth
Why should you care if someone screws over their own computer? If a specific mac address is linked to huge usage just turn them off. Otherwise just let the dumb weed themselves out.

Is that what you think it's about? Worrying about Joe Blow infecting and harming his own PC? Surely your thinking isn't that narrow, or naive. News flash. Many/most viruses infect and spread via whatever transport they're coded to use. Last statement sounds like the mark of a student that hasn't gotten his way lately. Awwwww. Dope.
 
Yeah, I would almost agree with letting the kids go... but when it screws up everyone else, gotta do something about it. We have been just turning ports off remotely; it doesn't help how the kids call Dell, Gateway, etc... and their "fix all" tool is a good old system restore, which usually sets their system back pre-any Windows patches and antivirus :-p
Oh well thanks guys
 
To the main point:

It seems in this debate the only thing that needs to be controlled is bandwidth/traffic, not individual computers or users. The school is only an ISP in this case. As long as the jacks are on and the packets are flowing no user should be complaining. If they do they should be browbeaten accordingly. If the school can't afford the bandwidth/traffic it should get out of the ISP business, or change pricing to reflect actual costs. Money/cost is the greatest motivator.....


To the tangents:

When a worm spreads via defects in software, it is normally quickly publicized. Even if you're slow on the uptake you can keep yourself patched, behind firewalls/routers, or just OSS to start with ;)

I'm on no filtered networks. When I have been, it was simple to circumvent.

O, and a virus doesn't spread on its own, a worm does (just to nit pick).

/edit

i edit too much.... anyways...

TrEpIdAtIoN: how exactly does one person screwing up their computer "screw up everyone else"?

question: userA is dumb, unpatched and catches a worm. userB is also dumb, catches the same worm from userA. userTrEpIdAtIoN is patched (or OSS), and catches no worms. How, besides bandwidth/traffic, is userTrEpIdAtIoN affected by userA or userB?

Thus bringing me back to my first point, bandwidth/traffic is the only issue.
 
Originally posted by karoth
How, besides bandwidth/traffic, is userTrEpIdAtIoN affected by userA or userB?

Thus bringing me back to my first point, bandwidth/traffic is the only issue.


when userA and userB infect usersC-ZZZ, and flood the network with autogenerated, virus-infected emails, bringing the local network to a crawl, if not down completely. this is a very real problem, first widely seen with Code Red - the specifics were a tad different, but for the sake of argument and in this scenario, everything's close enough.


look at the scenario we've already got here: with 6000 students, if even half of them (which is an extremely low number, mind you) are unpatched and unprotected, besides the legitimate traffic and the file sharing traffic, you now have 3000-some-odd machines constantly spitting out virus-laden auto-generated emails, or DDoS'ing SCO, or whatever the current flavor of the week is. this ADDITIONAL unwanted traffic can be enough, if concentrated in certain areas, to bring down portions of networks, or at the absolute minimum cut the available net bandwidth down to 2/3 of what it should be, which for a school is just not an option when the only reason for it is uneducated users.
 
You could set up Windows SUS on a Windows server and download all the updates. Make a registry update file for all the Win2k/XP clients. Monitor traffic on a site where the registry update can be downloaded, and put the IPs on a block list until they request the file from your web server. Not exactly sure how you'd do this; probably make the page run a script on your server that would telnet into the router and unblock the IP.
 
Virus/worm I used interchangeably... I could understand why you would make an argument that it's a bandwidth issue, although did you experience Blaster/Welchia?? Because that made even the best of networks crawl. I know Case Western, which is one of the most wired campuses in America, went to a crawl, and they have gig fiber connections to every room. Being a university we really can't tell the students "screw you" either; would you like us to tell you kids that? Politics and making people happy come into play. And controlling traffic is what I was asking about originally. Maybe in my own mixed-up head, but essentially that is what I was wondering about. We had a PacketShaper but it was 'incompatible' with our Nokia firewall running Checkpoint, or so the Checkpoint people say... who knows.
 
Originally posted by TrEpIdAtIoN
I could understand why you would make an argument that it's a bandwidth issue


well, if it's not the lack of bandwidth, or networking performance that's bothering you, then what's your complaint?

if you're already in good shape there, who gives a rat's ass if all the students' machines are infected with every major worm in the last two years? yeah, they'll have stability problems, yeah, they'll have slow machines, yeah, they'll be getting a constant barrage of complaints from outside sources regarding the infected emails they're spreading, yeah, dell will tell them to do a system restore, and they'll lose everything on their machine every other month, but why does that concern you or anybody else? as long as you offer to help them, or show them how to protect themselves, it's up to them to take care of themselves.

if the school owned the computers, it'd be different. but if they are the students property, and you don't care about the traffic they're creating, then just leave em alone.
 
Have you guys looked into any IDS solutions from Cisco? They are getting better every day at combatting virii via signature updates. We run them on our network here at the Credit Union I admin. I'm very impressed. We haven't had one virus infection in over 12 months. (knocks on wood and checks the McAfee Epolicy Server immediately :D )
 
This is starting to sound like less of a technical issue and more about the need for network policies. If a user wants to use the school's network they're going to have to sign an acceptable use policy/network license. I see no reason why that same license couldn't include a few lines stating they'll use the school-supplied AV software (at the very least). Write a script and have it periodically check for applied software/updates. If the AV is out of date it can alert the admin and he can send an email (or you could automate the email generation). If the AV sig files are not updated within x hours/days the port they're on gets locked and they have to call the NCC to have it unlocked (and prove they won't fail to meet their network license agreement in the future). This is very similar to how corporate networks do business. But since this is a bit different as the school is taking more of an ISP approach, the process may have to seriously morph in order to be viable.
 
Let's see, what have I done for my university (Kent State U., Ohio) as a Student LAN Admin/Computer Consultant:
When Blaster/Nachi hit I was already on campus; in 6 hours I created a CD image with an AutoIT script that ran Stinger.exe (small common virus checker), installed all the necessary patches and service packs for that particular OS, and installed our version of McAfee and updated it. We made 2000 CDs for our 6000 expected residents with computers. We made fliers, we talked to RAs and RHDs. The plan was to have the student pass the disk on when they were done with it.

It worked; we had a less than 1% infection ratio with our dorm residents. A few days later an article came out in our school's newspaper about what had happened. The last line read: "I just put the disk in my computer and it just worked, it was really easy!" Made me feel great.

In any case, for other viruses, if they don't have up-to-date DATs, we charge them $20. Process goes something like this:
1. Network Services lets us know of infected machines usually within a day of the virus coming out
2. We block ports, add bans to users accounts, and call them
3. they bring the computer down to us, we clean and install our own mcafee version and setup all the auto updates and stuff so they work correctly
4. User pays $20 fee (coughFINECough) and has an up-to-date and clean system

works pretty good!
 
Is there a way to put all the users on the domain and force the updates over to them? Or make everyone turn on the "Automatically download and install updates" feature.
 
some very good ideas, thanks; it's pretty hard to force them to log into the domain... it is their computer.
 
I think I like some of the ideas being put forth. Turn off the jack of where a worm is known to be spreading itself. Problem would be detecting the troubled systems.

Rombus: how does your "Network Services" know of infected machines ?

and

BobSutan: It seems unlikely anyone on the IT staff is going to "Write a script and have it periodically check for applied software/updates". You would have to manually write such scripts for every possible patch/OS, and how you could determine what specific updates a machine has from outside is beyond me. It is a difficult task from in front of the keyboard much less the far side of the network.
 
Actually with all Cisco equip on our campus we can specify what port from its IP address using CiscoWorks.
 
Here at New Mexico Tech they turn off ports within about 10 mins of getting a virus. MSBlaster was a big deal here when everybody moved in; everybody got their ports turned on for about 10 mins and then back off once they caught the virus. They were turned back on as soon as the computer was patched and the stars were aligned right (sometimes weeks). This semester you had to sign a thing saying that you would patch your computer for everything.

Supposedly the way they detect a lot of things is by detecting when a computer pings faster than a certain rate. Some programs like sharescan can trigger this, but it's mostly virii.
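The ping-rate heuristic described in this post, as an added example (not New Mexico Tech's software or anything posted in the thread): it counts ICMP echo requests per source over a sliding one-second window, flags any source over a threshold, and also reports how many distinct destinations that source hit, which is what separates a Welchia/Nachi-style ICMP sweep from a legitimate tool that re-pings the same few hosts. The log line layout, the sample log (one host sweeping 40 addresses at 50 pings/s, one host pinging its mail server once a second), the 10.20.x.x addresses and the 20-per-window threshold are all constructed for the example.

```python
"""Flag hosts whose ICMP echo-request rate looks like a worm sweep.

Added example for this thread, not New Mexico Tech's code. The log line
layout, the sample log, the addresses and the thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <src> -> <dst> ICMP echo-request"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) ICMP echo-request$")


def parse_echo_requests(lines):
    """Yield (epoch_seconds, src, dst) for each echo-request line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)).timestamp(), m.group(2), m.group(3)


def ping_rate_offenders(lines, window_s=1.0, max_per_window=20):
    """Return {src: {"peak": n, "distinct_dst": d}} for every source that sent
    more than `max_per_window` echo requests inside any `window_s` span.

    `peak` is the highest count seen in one window; `distinct_dst` is how many
    different hosts the source pinged overall. A sweep hits many distinct
    destinations; a monitoring tool re-pings the same few, so the second
    number is what keeps a sharescan-style tool from being mistaken for a worm.
    """
    events = sorted(parse_echo_requests(lines))
    recent = defaultdict(deque)     # src -> timestamps inside the current window
    peak = defaultdict(int)
    targets = defaultdict(set)
    for ts, src, dst in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:  # q is never empty: ts itself was just added
            q.popleft()
        peak[src] = max(peak[src], len(q))
        targets[src].add(dst)
    return {
        src: {"peak": peak[src], "distinct_dst": len(targets[src])}
        for src in peak if peak[src] > max_per_window
    }


def constructed_sample_log():
    """Build a small log: one host sweeping 40 addresses at 50 pings/s, one host
    pinging its mail server every second. Entirely made up for the example."""
    base = datetime(2004, 2, 12, 10, 0, 0)
    lines = []
    for i in range(40):                            # sweep: 40 pings in 0.8 s
        ts = (base + timedelta(milliseconds=20 * i)).isoformat()
        lines.append(f"{ts} 10.20.30.7 -> 10.20.31.{i + 1} ICMP echo-request")
    for i in range(4):                             # normal: 1 ping/s to one host
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.20.30.9 -> 10.20.1.25 ICMP echo-request")
    lines.append("2004-02-12T10:00:02 10.20.30.9 -> 10.20.1.25 TCP syn")  # ignored
    return lines


if __name__ == "__main__":
    for src, info in ping_rate_offenders(constructed_sample_log()).items():
        print(f"{src}: peak {info['peak']} in one window over "
              f"{info['distinct_dst']} hosts -> pull port")
```

The threshold is the tuning knob: set it from a day of clean traffic so that the ping-happy monitoring boxes on campus sit under it, and treat a high peak combined with a high distinct-destination count as the signal to pull the port rather than either number alone.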
 
how about you block ports on their end, things like 25, since most SMTP servers on students' machines will probably be trojans/viruses, and if they want them unblocked (aka they aren't computer incompetent) you make them sign a little form and be done with it
 
Originally posted by karoth
BobSutan: It seems unlikely anyone on the IT staff is going to "Write a script and have it periodically check for applied software/updates". You would have to manually write such scripts for every possible patch/OS, and how you could determine what specific updates a machine has from outside is beyond me. It is a difficult task from in front of the keyboard much less the far side of the network.

Our network shop has a list of software that needs to be on every computer, which it does check. And if there is a patch for it, it'll check to see if you've got it as well. Same with Anti-Virus.

If you can build a login script this wouldn't be any more difficult. The only real difference is that this wouldn't just run when they log in. You'd have to schedule it to be periodically run, or whenever updated for a potential virii outbreak.

Of course I could be totally off the mark. I'm not much of a systems guy anymore as the majority of my work the last 5 years has been with infrastructure.
 
Originally posted by karoth

Rombus: how does your "Network Services" know of infected machines ?

Well, if they know a port the virus is using to do whatever it's doing, they run scans on our network for those ports. If open, the MAC of the computer gets dropped from the DHCP table and put on the ban list, then it's reported to us. Otherwise any unusual traffic gets reported to them due to custom-written software. If there is a hole we feel is serious and people need to patch (happened a few times last semester with IE and Windows holes) NS has a way to scan the computers and put them on a blocklist; when they try to open a site, they get redirected to a block page explaining what happened and how to fix it. I don't know exactly how they do that, but if you want I could find out for you?
 
Originally posted by Rombus
NS has a way to scan the computers and put them on a blocklist; when they try to open a site, they get redirected to a block page explaining what happened and how to fix it. I don't know exactly how they do that, but if you want I could find out for you?

Please do. It's something I've been wondering about for some time. Sounds a lot like how WiFi hotspot providers redirect all web access to their signup pages (unless you're already subscribed).
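One way the redirect-to-block-page mechanism asked about here is commonly built, shown as an added example and not Kent State's implementation: the router or switch forwards TCP/80 from quarantined source addresses to a small web server (a policy route or NAT rule keyed on source IP), and that server answers any request from a listed source with a 302 to a fixed block page stating why the port was pulled and what to do next; a request from an address that is not on the list is refused rather than told it is infected. The quarantine dict, the reason text, the page text and the `demo_roundtrip` loopback check are constructed for the example; in practice the list is the same one the port scan and DHCP ban feed, looked up live.

```python
"""Serve the block page that quarantined hosts get redirected to.

Added example for this thread, not Kent State's system. Assumes the router
or switch forwards TCP/80 from quarantined source addresses to this server;
the quarantine dict, reason text and page are constructed for the example.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

BLOCK_PATH = "/blocked"

# Constructed: source IP -> why the port was pulled. In practice this is the
# same list the port scan / DHCP ban feeds, looked up live, not hard-coded.
QUARANTINED = {
    "10.20.30.7": "a TCP/3127 backdoor listener (MyDoom) was found on this machine",
}

PAGE = """<html><body>
<h1>Your network port has been disabled</h1>
<p>Reason: {reason}</p>
<ol>
<li>Unplug the network cable before doing anything else.</li>
<li>Run the AV cleanup disk and update the AV definitions.</li>
<li>Install the current Windows updates.</li>
<li>Call the help desk with your room and port number to be re-enabled.</li>
</ol></body></html>
"""


class QuarantineHandler(BaseHTTPRequestHandler):
    quarantined = QUARANTINED   # class attribute so a test can swap the list

    def do_GET(self):
        reason = self.quarantined.get(self.client_address[0])
        if reason is None:
            # Reached us without being on the list: refuse rather than tell an
            # unlisted host it is infected.
            self.send_error(403, "this address is not quarantined")
            return
        if self.path != BLOCK_PATH:
            # Whatever URL the user typed lands on the block page, so the
            # address bar itself says what happened.
            self.send_response(302)
            self.send_header("Location", BLOCK_PATH)
            self.send_header("Cache-Control", "no-store")
            self.end_headers()
            return
        body = PAGE.format(reason=reason).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")  # never cache the verdict
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass    # keep the example quiet; log to syslog in production


def start_server(bind="0.0.0.0", port=80, quarantined=None):
    """Start the block-page server in a background thread; returns the HTTPServer."""
    handler = type("Handler", (QuarantineHandler,),
                   {"quarantined": QUARANTINED if quarantined is None else quarantined})
    httpd = HTTPServer((bind, port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def _get(port, path):
    """One plain GET on loopback; returns (status, Location header, body)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Location"), body


def demo_roundtrip():
    """Loopback check: a listed client is redirected, then sees its reason;
    once cleared from the list it is refused. Returns
    (redirect_status, location, page_status, reason_shown, unlisted_status)."""
    listed = {"127.0.0.1": "lab reason"}
    httpd = start_server("127.0.0.1", 0, listed)
    port = httpd.server_address[1]
    try:
        redirect_status, location, _ = _get(port, "/some/page")
        page_status, _, body = _get(port, BLOCK_PATH)
        listed.clear()                 # simulate the host being cleared
        unlisted_status, _, _ = _get(port, "/")
    finally:
        httpd.shutdown()
        httpd.server_close()
    return redirect_status, location, page_status, "lab reason" in body, unlisted_status


if __name__ == "__main__":
    print(demo_roundtrip())
```

The redirect only works for plain HTTP that the network steers to this box; the same source-IP rule should drop everything else from a quarantined host (or send it to a dead end), otherwise the worm keeps spreading while the owner reads the page.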
 
Last fall, when Blaster was running rampant, we ended up threatening to pull all of our dorms off of the network if students didn't patch their systems. It was very well publicized on campus, yet most students' systems were still wide open. So, all dorms were pulled from the network. Computers weren't put back on until they were certified (by hand) clean by University staff.

For a while our Network Engineers were monitoring traffic, and only pulling infected systems off of the network. After a few 24 hour shifts, they said, "screw this" and pulled the plug.

The general consensus amongst our students now seems to be that we did the right thing in pulling them off of the network. It's a tough call.

If you mandate patches, or go even further and mandate that users use a central SUS server, do you take on legal liability when you authorize the release of a patch which breaks things? If I were a student, you made me install a patch, and anything on my computer stopped working, I would blame you.

The impetus for securing a computer lies with the owner of the computer. If the owner makes the choice to ignore security, they must face the consequences of their choice. To that end, I think that active scanning by the University should be permitted. Vulnerable systems negatively impact the entire community. Make the irresponsible users suffer for their own actions, rather than make the masses suffer.

That's my $0.02 on the issue...
 