[ale] OT: laptops on a network, security

Dow Hurst dhurst at kennesaw.edu
Mon Jun 2 12:56:26 EDT 2003


At KSU the logged MAC and assigned IP are mapped to a physical port at 
the time the DHCP request is replied to.  The campus is basically an 
untrusted network with anyone wanting protection from wireless and empty 
available network ports having to install their own network and host 
security.  Many here depend on Tripwire, vigilant patching, and also 
remote logs to track what is happening.  We do have a demarc firewall to 
keep out the bad guys in a limited way from the Internet, but the campus 
network is only watched closely.  This is what I have heard and noticed 
on my own.  I haven't talked to the routing staff to confirm that this 
is all we use.  No other solution so far is within reach cost-wise and 
fitting into our "open" philosophy as a University.  We have good people 
who are working hard to stay on top of the tracking of the assigned 
IPs.  I trust to internal firewalls with a VPN, put in by Fly-By-Day 
Consulting, that protects us from the campus network.  Bob Toxen stays 
on top of the patching of the firewalls and I rest easy on that note.
Dow


J.M. Taylor wrote:

>Good point, Jonathan, I really ought to know better about asking a vague
>question like this. :) Let me see if I can collect my thoughts and
>present a more specific post.
>
>We want to allow people to plug in their laptops. It is a political
>necessity.  In most cases, the University does not provide laptops to
>employees so we can consider all potential users (faculty, staff and
>students) as having untrusted machines.
>
>When a user gains access to our network using an untrusted machine, we
>want to provide a limited set of functionality (web, campus printers,
>and one or two specific services on specific machines).  I should think
>that we want to protect our network against attacks (as much as is
>feasible), and also we want to protect the world from idiots trying to
>attack from our network.  Much of this is already in place for the
>computer labs, and I don't know how flexible the setup would be to
>accommodate different laptops being plugged in.
>
>So my goals here are to find out
>1) if other universities would share their solutions with us :)
>2) what are the risks I'm not thinking of in this situation? ie, what do
>I need to think of securitywise that normal precautions taken in a
>computer lab can't cover (since the computer lab is a controlled OS, and
>the laptops would not be).  I recognize that our options are very
>limited, and that from a security perspective the outlook is pretty
>grim.
>3) Are there any technologies (such as RADIUS, of which I know next to
>nothing of its capabilities) that I should be acquainted with that will
>limit network access to authorized users, but not be machine-based?
>
>I'm not in charge of this project, so a laundry list of further research
>would be wonderful. I've never had any experience with this type of
>network, so I don't even know what questions to ask (fortunately, I'm
>not in charge of this project).  Thanks to all for the responses (and
>the more interesting ways of dealing with repeat offenders!!).
>
>Many thanks
>jenn
>
>Jonathan Rickman said:
>
>>I suppose this all boils down to the classic security vs. practicality
>>argument that can't be discounted.
>...
>>If I were doing an
>>assessment on this professionally, I'd first want to know what your
>>goals are.
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale

-- 
__________________________________________________________
Dow Hurst                  Office: 770-499-3428
Systems Support Specialist    Fax: 770-423-6744
1000 Chastain Rd. Bldg. 12
Chemistry Department SC428  Email:   dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144

