Students' computers...

Discussion in 'Computer Security' started by Geir Holmavatn, Sep 29, 2005.

  1. Hi,

    On a relatively small campus students will be allowed to use their
    notebooks in the dorms area.

    They will have access to file- and print server (Linux / samba) and also to
    the internet.

    We cannot check their antivirus maintenance etc centrally.

    What tips do you give as of security measurements in this scenario?

    regards

    Geir
     
    Geir Holmavatn, Sep 29, 2005
    #1

  2. Geir Holmavatn

    Steve Welsh Guest

    Geir Holmavatn wrote:

    > We cannot check their antivirus maintenance etc centrally.


    Why not? An educational institution that I know has grown so concerned
    that they are checking a huge number (into 4 figures) of student
    machines, and not a single student will have their services enabled
    until they can prove that they have a clean machine with up-to-date
    anti-virus software fitted.

    Steve
     
    Steve Welsh, Sep 29, 2005
    #2

  3. "Steve Welsh" <> wrote in message
    news:...
    > Geir Holmavatn wrote:
    >
    > > We cannot check their antivirus maintenance etc centrally.

    >
    > Why not? An educational institution that I know has grown so concerned
    > that they are checking a huge number (into 4 figures) of student
    > machines, and not a single student will have their services enabled
    > until they can prove that they have a clean machine with up-to-date
    > anti-virus software fitted.


    OK, do you know how they practically do this? Employ staff who check it
    every morning...?

    Geir
     
    Geir Holmavatn, Sep 30, 2005
    #3
  4. Geir Holmavatn

    Steve Welsh Guest

    No, it's not done every morning, but it is at least done once, when they
    arrive on campus. They even supply AV to those students without (on our
    site license). That way they can at least _start_ the academic year
    without the network coming under attack.

    Students are also not allowed to plug their laptops into the normal
    campus sockets - they are only allowed to plug in to a special network
    (colour coded pattresses).

    Steve

    Geir Holmavatn wrote:
    > "Steve Welsh" <> wrote in message
    > news:...
    >
    >>Geir Holmavatn wrote:
    >>
    >>
    >>>We cannot check their antivirus maintenance etc centrally.

    >>
    >>Why not? An educational institution that I know has grown so concerned
    >>that they are checking a huge number (into 4 figures) of student
    >>machines, and not a single student will have their services enabled
    >>until they can prove that they have a clean machine with up-to-date
    >>anti-virus software fitted.

    >
    >
    > OK, do you know how they practically do this? Employ staff who check it
    > every morning...?
    >
    > Geir
    >
    >
     
    Steve Welsh, Sep 30, 2005
    #4
  5. Geir Holmavatn

    Dazz Guest

    On Fri, 30 Sep 2005 08:30:11 +0100, Steve Welsh <>
    wrote:

    >No, it's not done every morning, but it is at least done once, when they
    >arrive on campus. They even supply AV to those students without (on our
    >site license). That way they can at least _start_ the academic year
    >without the network coming under attack.


    Only when they arrive on campus? What about the rest of the academic
    year?

    What do campus staff have in place to ensure that *all* users are
    keeping their virus definitions up-to-date? What about security
    patches? Are campus staff insisting that they also use firewalls?

    Exactly how much is managed by the campus staff and how much is left
    in the hands of the users?

    How do campus staff enforce these policies and ensure that they are
    adhered to?

    Is the network segmented or isolated from other more sensitive areas
    of the network?

    Are campus staff also employing the use of firewalls and anti-virus
    gateways to help protect the network?

    Dazz
     
    Dazz, Sep 30, 2005
    #5
  6. Geir Holmavatn

    Shadus Guest

    On 2005-09-29, Geir Holmavatn <> blabbed:
    > What tips do you give as of security measurements in this scenario?


    One thing I would be sure to do is have a firewall on the edge of the
    network to prevent scanning and attacks of opportunity.
     
    Shadus, Sep 30, 2005
    #6
  7. Shadus wrote:
    > On 2005-09-29, Geir Holmavatn <> blabbed:
    >
    >>What tips do you give as of security measurements in this scenario?

    >
    >
    > One thing I would be sure to do is have a firewall on the edge of the
    > network to prevent scanning and attacks of opportunity.


    We, at Calvin College, use Campus Manager from Bradford Networks
    URL:http://www.bradfordnetworks.com/

    This product will scan for a lot of stuff before letting a machine on the
    network. It has a lot of backend stuff (vlans, a control server...)

    It might be worth a look...
     
    Brian J. Baas, CISSP, Sep 30, 2005
    #7
  8. Geir Holmavatn

    Unruh Guest

    "Geir Holmavatn" <> writes:

    >Hi,


    >On a relatively small campus students will be allowed to use their
    >notebooks in the dorms area.


    >They will have access to file- and print server (Linux / samba) and also to
    >the internet.


    >We cannot check their antivirus maintenance etc centrally.


    >What tips do you give as of security measurements in this scenario?


    Scream and hide your head under a pillow.

    a) Put them all behind a firewall and let through only ports like ssh and
    http/https
    b) tell them that if they get a virus which harms others, they will be
    immediately blackballed from the net. (mac address blackballing for
    example)


    >regards


    >Geir
     
    Unruh, Sep 30, 2005
    #8
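
The two measures suggested in the post above (an outbound port allow-list and a MAC block list), sketched as an nftables ruleset for a Linux router in front of the student network. This is an added example, not part of the original post; the interface names, the table name, the DNS rule and the MAC address are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Load with: nft -f <this file>

define STUDENT_IF = "eth1"   # assumption: interface facing the student network
define UPLINK_IF  = "eth0"   # assumption: interface facing the internet

table inet campus {
    # Machines barred from the network. Entries are added at run time, e.g.
    #   nft add element inet campus blocked_macs '{ 02:00:00:00:00:01 }'
    set blocked_macs {
        type ether_addr
        elements = { 02:00:00:00:00:01 }   # constructed placeholder address
    }

    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Barred machines are cut off first, including connections already
        # open, and logged so staff can follow up. The match only works where
        # this box is the students' first-hop router, because source MAC
        # addresses do not survive a routed hop.
        iifname $STUDENT_IF ether saddr @blocked_macs log prefix "blocked-mac " drop

        # Return traffic for connections that were allowed out.
        ct state established,related accept

        # DNS, without which http/https is unusable (assumption: the post
        # does not mention it).
        iifname $STUDENT_IF oifname $UPLINK_IF meta l4proto { tcp, udp } th dport 53 accept

        # The ports named in the post: ssh, http, https.
        iifname $STUDENT_IF oifname $UPLINK_IF tcp dport { 22, 80, 443 } accept
    }
}
```

Because the forward chain's policy is drop, new connections from the internet towards student machines are also refused, which covers the edge-firewall point made earlier in the thread.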
  9. Geir Holmavatn

    Torch Guest

    On Fri, 30 Sep 2005 00:07:12 +0200, Geir Holmavatn wrote:

    > Hi,
    >
    > On a relatively small campus students will be allowed to use their
    > notebooks in the dorms area.
    >
    > They will have access to file- and print server (Linux / samba) and also to
    > the internet.
    >
    > We cannot check their antivirus maintenance etc centrally.
    >
    > What tips do you give as of security measurements in this scenario?
    >
    > regards
    >
    > Geir


    I wouldn't advise letting them have access to the main network. At least
    have them on a separate network with a central router. If they have a
    security vulnerability, you have a security vulnerability as well.
     
    Torch, Sep 30, 2005
    #9
  10. "Torch" <> wrote in message
    news:Z0h%e.95624$...

    > I wouldn't advise letting them have access to the main network. At least
    > have them on a separate network with a central router. If they have a
    > security vulnerability, you have a security vulnerability as well.


    In the dorm area there will be an internet-only wireless net.

    However in the classrooms they will need to connect to the campus student
    LAN (which of course is separated from the teachers / admin network).

    The student LAN should consist of internet connection, intranet server, file
    servers and print servers. We're around 300 users.

    Are there case studies with useful info for implementing such
    networks..?

    Geir
     
    Geir Holmavatn, Sep 30, 2005
    #10
  11. Geir Holmavatn

    Steve Welsh Guest

    Dazz wrote:
    > On Fri, 30 Sep 2005 08:30:11 +0100, Steve Welsh <>
    > wrote:
    >
    >
    >>No, it's not done every morning, but it is at least done once, when they
    >>arrive on campus. They even supply AV to those students without (on our
    >>site license). That way they can at least _start_ the academic year
    >>without the network coming under attack.

    >
    >
    > Only when they arrive on campus? What about the rest of the academic
    > year?
    >
    > What do campus staff have in place to ensure that *all* users are
    > keeping their virus definitions up-to-date?


    If they take on 'the' site license software and they are connected to
    the campus network, it's done automatically. But in any case it is many
    orders of magnitude better than just a couple of years ago, when the
    protection was _zero_ :(

    > What about security
    > patches? Are campus staff insisting that they also use firewalls?


    They are behind the campus firewall anyway

    >
    > Exactly how much is managed by the campus staff and how much is left
    > in the hands of the users?
    >
    > How do campus staff enforce these policies and ensure that they are
    > adhered to?


    Dunno - not that close to it :-O

    >
    > Is the network segmented or isolated from other more sensitive areas
    > of the network?


    Yes, very much so

    >
    > Are campus staff also employing the use of firewalls and anti-virus
    > gateways to help protect the network?


    As above

    >
    > Dazz
    >
     
    Steve Welsh, Sep 30, 2005
    #11
  12. Geir Holmavatn

    Winged Guest

    Steve Welsh wrote:
    > No, it's not done every morning, but it is at least done once, when they
    > arrive on campus. They even supply AV to those students without (on our
    > site license). That way they can at least _start_ the academic year
    > without the network coming under attack.
    >
    > Students are also not allowed to plug their laptops into the normal
    > campus sockets - they are only allowed to plug in to a special network
    > (colour coded pattresses).
    >
    > Steve
    >
    > Geir Holmavatn wrote:
    >
    >>"Steve Welsh" <> wrote in message
    >>news:...
    >>
    >>
    >>>Geir Holmavatn wrote:
    >>>
    >>>
    >>>
    >>>>We cannot check their antivirus maintenance etc centrally.
    >>>
    >>>Why not? An educational institution that I know has grown so concerned
    >>>that they are checking a huge number (into 4 figures) of student
    >>>machines, and not a single student will have their services enabled
    >>>until they can prove that they have a clean machine with up-to-date
    >>>anti-virus software fitted.

    >>
    >>
    >>OK, do you know how they practically do this? Employ staff who check it
    >>every morning...?
    >>
    >>Geir
    >>
    >>

    Or you can employ CE edition with slight markup for students and deploy
    corporate edition with a console. Even with the markup, cost will be
    lower to students than COTS product will cost students. Additional
    bonus is AV won't time out during year and leave you a vulnerability
    hole. Set it up so it checks when student logs on for current defs and
    centrally get virus reports and whose AV is operational. This also
    reduces bandwidth requirements as defs are retrieved from internal
    server. Server doesn't need to be much more than dedicated hardened PC.

    Mark up CE licenses say by 10$ and you should be able to cover cost of
    PC and service, depending on number of students involved. This will
    cost student about half of traditional COTS AV/firewall package. The
    console will highlight issues and client rules can be centrally
    controlled with minimal effort. Add one of several open source packages
    to push patches or ensure that win update is turned on, and you're 90%
    there. Several Linux flavors also have auto update capabilities, but
    don't know influence you have for Linux boxes.

    This eliminates major staff effort and probably can be managed by techy
    in charge of network.

    Winged
     
    Winged, Oct 1, 2005
    #12
  13. Geir Holmavatn

    Dazz Guest

    On Fri, 30 Sep 2005 23:15:59 +0100, Steve Welsh <>
    wrote:

    <snipped>

    >If they take on 'the' site license software and they are connected to
    >the campus network, it's done automatically. But in any case it is many
    >orders of magnitude better than just a couple of years ago, when the
    >protection was _zero_ :(


    Yeah, there always has to be a starting point. As long as no-one gets
    complacent about it and thinks "Well, we've done our bit and that's
    all we have to do".

    >> What about security
    >> patches? Are campus staff insisting that they also use firewalls?

    >
    >They are behind the campus firewall anyway


    My concern would be more about what was happening on the internal
    network

    >> Exactly how much is managed by the campus staff and how much is left
    >> in the hands of the users?
    >>
    >> How do campus staff enforce these policies and ensure that they are
    >> adhered to?

    >
    >Dunno - not that close to it :-O


    Ahh.

    >> Is the network segmented or isolated from other more sensitive areas
    >> of the network?

    >
    >Yes, very much so


    That's always good. :)

    >> Are campus staff also employing the use of firewalls and anti-virus
    >> gateways to help protect the network?

    >
    >As above


    The questions I asked are more or less the same questions that the
    Library I'm currently contracting at will find itself in very shortly
    (and to a lesser degree, the situation they are already in).

    Currently, our staff are using the same servers (Citrix environment)
    and network as the library patrons. The really cluey patrons out
    there can literally access many of the same services that staff
    access, even though we've tried to nail them down as much as possible.

    Unfortunately, being a Gov entity, there are so many levels of
    bureaucracy that it's not funny. When I first walked in (a few months
    back) I looked at the current setup and said "Oh, my freaking god"
    (substitute "freaking" for another word ;-P ).

    Because the Library is supposed to be "open" for the patrons and
    because senior management believe in enforcing this "openness" (at the
    cost of security), we are in a constant struggle to stay on top.

    They have plans to introduce wireless access for the patrons once the
    new building is opened up, and we are going to find ourselves in a
    similar position to that which was described in the OP's first post,
    and your response. :-(

    Hopefully, senior management will listen to what we have to say - but
    I suspect they won't. :-(

    Dazz
     
    Dazz, Oct 1, 2005
    #13
