> We cannot check their antivirus maintenance etc centrally.
Why not? An educational institution that I know has grown so concerned
that they are checking a huge number (into 4 figures) of student
machines, and not a single student will have their services enabled
until they can prove that they have a clean machine with up-to-date
anti-virus software fitted.
"Steve Welsh" <sjw@stevew.net> skrev i melding
news:KfmdnRo1JccT96HenZ2dnUVZ8qqdnZ2d@eclipse.net.uk...
> Geir Holmavatn wrote:
>
> > We cannot check their antivirus maintenance etc centrally.
>
> Why not? An educational institution that I know has grown so concerned
> that they are checking a huge number (into 4 figures) of student
> machines, and not a single student will have their services enabled
> until they can prove that they have a clean machine with up-to-date
> anti-virus software fitted.
OK, do you know how they practically do this? Employ staff who check it
every morning...?
No, it's not done every morning, but it is at least done once, when they
arrive on campus. They even supply AV to those students without (on our
site license). That way they can at least _start_ the academic year
without the network coming under attack.
Students are also not allowed to plug their laptops into the normal
campus sockets - they are only allowed to plug in to a special network
(colour coded patresses).
Steve
Geir Holmavatn wrote:
> "Steve Welsh" <sjw@stevew.net> skrev i melding
> news:KfmdnRo1JccT96HenZ2dnUVZ8qqdnZ2d@eclipse.net.uk...
>
>>Geir Holmavatn wrote:
>>
>>
>>>We cannot check their antivirus maintenance etc centrally.
>>
>>Why not? An educational institution that I know has grown so concerned
>>that they are checking a huge number (into 4 figures) of student
>>machines, and not a single student will have their services enabled
>>until they can prove that they have a clean machine with up-to-date
>>anti-virus software fitted.
>
>
> OK, do you know how they practically do this? Employ staff who check it
> every morning...?
>
> Geir
>
>
On Fri, 30 Sep 2005 08:30:11 +0100, Steve Welsh <sjw@stevew.net>
wrote:
>No, it's not done every morning, but it is at least done once, when they
>arrive on campus. They even supply AV to those students without (on our
>site license). That way they can at least _start_ the academic year
>without the network coming under attack.
Only when they arrive on campus? What about the rest of the academic
year?
What do campus staff have in place to ensure that *all* users are
keeping their virus definitions up-to-date? What about security
patches? Are campus staff insisting that they also use firewalls?
Exactly how much is managed by the campus staff and how much is left
in the hands of the users?
How do campus staff enforce these policies and ensure that they are
adhered to?
Is the network segmented or isolated from other more sensitive areas
of the network?
Are campus staff also employing the use of firewalls and anti-virus
gateways to help protect the network?
Shadus wrote:
> On 2005-09-29, Geir Holmavatn <geir2@hotmail.com> blabbed:
>
>>What tips do you give as of security measurements in this scenario?
>
>
> One thing I would be sure to do is have a firewall on the edge of the
> network to prevent scanning and attacks of opportunity.
This product will scan for lot of stuff before letting a machine on the
network. It has a lot of backend stuff (vlans, a control server...)
It might be worth a look...
>On a relatively small campus students will be allowed to use their
>notebooks in the dorms area.
>They will have access to file- and print server (Linux / samba) and also to
>the internet.
>We cannot check their antivirus maintenance etc centrally.
>What tips do you give as of security measurements in this scenario?
Scream and hide your head under a pillow.
a) Put them all behind a firewall and let through only ports like ssh and
http/https
b) tell them that if they get a virus which harms others, they will be
immediately blackballed from the net. (mac address blackballing for
example)
On Fri, 30 Sep 2005 00:07:12 +0200, Geir Holmavatn wrote:
> Hi,
>
> On a relatively small campus students will be allowed to use their
> notebooks in the dorms area.
>
> They will have access to file- and print server (Linux / samba) and also to
> the internet.
>
> We cannot check their antivirus maintenance etc centrally.
>
> What tips do you give as of security measurements in this scenario?
>
> regards
>
> Geir
I wouldn't advise letting them have access to the main network. At least
have them on a separate network with a central router. If they have a
security vulnerability, you have a security vulnerability as well.
"Torch" <nospam@nowhere.net> skrev i melding
news:Z0h%e.95624$qY1.65945@bgtnsc04-news.ops.worldnet.att.net...
> I wouldn't advise letting them have access to the main network. At least
> have them on a separate network with a central router. If they have a
> security vulnerability, you have a security vulnerability as well.
In the dorm area there will be an internet-only wireless net.
However in the classrooms they will need to connect to the campus student
LAN (which of course is separated from the teachers / admin network).
The student LAN should consist of internet connection, intranet server, file
servers and print servers. We're around 300 users.
Do any case studies exist with useful info for implementing such
networks..?
Dazz wrote:
> On Fri, 30 Sep 2005 08:30:11 +0100, Steve Welsh <sjw@stevew.net>
> wrote:
>
>
>>No, it's not done every morning, but it is at least done once, when they
>>arrive on campus. They even supply AV to those students without (on our
>>site license). That way they can at least _start_ the academic year
>>without the network coming under attack.
>
>
> Only when they arrive on campus? What about the rest of the academic
> year?
>
> What do campus staff have in place to ensure that *all* users are
> keeping their virus definitions up-to-date?
If they take on 'the' site license software and they are connected to
the campus network, it's done automatically. But in any case it is many
orders of magnitude better than just a couple of years ago, when the
protection was _zero_ :(
> What about security
> patches? Are campus staff insisting that they also use firewalls?
They are behind the campus firewall anyway
>
> Exactly how much is managed by the campus staff and how much is left
> in the hands of the users?
>
> How do campus staff enforce these policies and ensure that they are
> adhered to?
Dunno - not that close to it :-O
>
> Is the network segmented or isolated from other more sensitive areas
> of the network?
Yes, very much so
>
> Are campus staff also employing the use of firewalls and anti-virus
> gateways to help protect the network?
Steve Welsh wrote:
> No, it's not done every morning, but it is at least done once, when they
> arrive on campus. They even supply AV to those students without (on our
> site license). That way they can at least _start_ the academic year
> without the network coming under attack.
>
> Students are also not allowed to plug their laptops into the normal
> campus sockets - they are only allowed to plug in to a special network
> (colour coded patresses).
>
> Steve
>
> Geir Holmavatn wrote:
>
>>"Steve Welsh" <sjw@stevew.net> skrev i melding
>>news:KfmdnRo1JccT96HenZ2dnUVZ8qqdnZ2d@eclipse.net.uk...
>>
>>
>>>Geir Holmavatn wrote:
>>>
>>>
>>>
>>>>We cannot check their antivirus maintenance etc centrally.
>>>
>>>Why not? An educational institution that I know has grown so concerned
>>>that they are checking a huge number (into 4 figures) of student
>>>machines, and not a single student will have their services enabled
>>>until they can prove that they have a clean machine with up-to-date
>>>anti-virus software fitted.
>>
>>
>>OK, do you know how they practically do this? Employ staff who check it
>>every morning...?
>>
>>Geir
>>
>>
Or you can employ CE edition with slight markup for students and deploy
corporate edition with a console..even with the markup..cost will be
lower to students than COTS product will cost students. Additional
bonus is AV won't time out during year and leave you a vulnerability
hole. Set it up so it checks when student logs on for current defs and
centrally get virus reports and whose av is operational. This also
reduces bandwidth requirements as defs are retrieved from internal
server. Server doesn't need to be much more than dedicated hardened pc.
Mark up CE licenses say by 10$ and you should be able to cover cost of
pc and service, depending on number of students involved. This will
cost student about half of traditional cots av/firewall package. The
console will highlight issues and client rules can be centrally
controlled with minimal effort. Add one of several open source packages
to push patches or ensure that win update is turned on..and you're 90%
there. Several Linux flavors also have auto update capabilities, but
don't know what influence you have for Linux boxes.
This eliminates major staff effort and probably can be managed by techy
in charge of network.
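One way to wire together the logon check and central report described in the post above with the MAC-address blackballing suggested earlier in the thread, as an added example (not code from anyone in the thread): each machine's logon report is evaluated against a small policy, non-compliant MACs go on a block list for the console, and reports that cannot be read are counted separately so they are never mistaken for clean machines. The JSON report format, its field names, the three-day definition age and the sample reports are all assumptions constructed for the example.

```python
"""Logon compliance check of the kind the post above describes: each student
machine sends a short status report when it logs on, the server decides which
machines stay off the normal network, and the result feeds a central console
and a MAC block list. Added example, not code from the thread; the report
format, field names and the 3-day definition age are assumptions, and the
sample reports are constructed."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from datetime import date

MAX_DEF_AGE_DAYS = 3  # assumed policy: definitions older than this are stale
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class Report:
    mac: str
    user: str
    av_running: bool
    defs_date: date
    updates_on: bool


@dataclass
class Result:
    quarantined: dict[str, list[str]] = field(default_factory=dict)
    unreadable: int = 0


def parse_report(line: str) -> Report:
    """Parse one JSON logon report; raise ValueError if it is malformed."""
    d = json.loads(line)
    mac = str(d["mac"]).lower().replace("-", ":")  # normalise 00-11-.. to 00:11:..
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {d['mac']!r}")
    return Report(
        mac=mac,
        user=str(d["user"]),
        av_running=bool(d["av_running"]),
        defs_date=date.fromisoformat(d["defs_date"]),
        updates_on=bool(d["updates_on"]),
    )


def evaluate(r: Report, today: date, max_age: int = MAX_DEF_AGE_DAYS) -> list[str]:
    """Return the policy failures for one machine; an empty list means compliant."""
    reasons = []
    if not r.av_running:
        reasons.append("av-not-running")
    if (today - r.defs_date).days > max_age:
        reasons.append("defs-stale")
    if not r.updates_on:
        reasons.append("updates-off")
    return reasons


def quarantine_list(lines: list[str], today: date) -> Result:
    """Collect MAC -> reasons for every non-compliant machine. A report that
    cannot be parsed is counted separately: it proves nothing about the machine,
    so the operator treats it as non-compliant (fail closed)."""
    res = Result()
    for line in lines:
        try:
            r = parse_report(line)
        except (ValueError, KeyError, TypeError):
            res.unreadable += 1
            continue
        reasons = evaluate(r, today)
        if reasons:
            res.quarantined[r.mac] = reasons
    return res


def block_rules(quarantined: dict[str, list[str]]) -> list[str]:
    """Render one nftables-style MAC match per quarantined machine. Illustrative
    only: the real enforcement point (switch ACL, DHCP/RADIUS policy) is site specific."""
    return [f"ether saddr {mac} drop  # {', '.join(why)}"
            for mac, why in sorted(quarantined.items())]


# Constructed sample reports for a run on 30 Sep 2005 (the thread's date).
SAMPLE_REPORTS = [
    '{"mac": "00-11-22-33-44-55", "user": "stud01", "av_running": true, "defs_date": "2005-09-29", "updates_on": true}',
    '{"mac": "00:11:22:33:44:66", "user": "stud02", "av_running": true, "defs_date": "2005-09-20", "updates_on": true}',
    '{"mac": "00:11:22:33:44:77", "user": "stud03", "av_running": false, "defs_date": "2005-09-30", "updates_on": false}',
    "garbage from a broken client",
]
TODAY = date(2005, 9, 30)

if __name__ == "__main__":
    result = quarantine_list(SAMPLE_REPORTS, TODAY)
    for rule in block_rules(result.quarantined):
        print(rule)
    print(f"{result.unreadable} unreadable report(s)")
```

Run on the constructed reports, stud01 passes, stud02 is held back for ten-day-old definitions, stud03 for a stopped AV service and disabled updates, and the unparseable line is reported rather than silently treated as clean.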
On Fri, 30 Sep 2005 23:15:59 +0100, Steve Welsh <sjw@stevew.net>
wrote:
<snipped>
>If they take on 'the' site license software and they are connected to
>the campus network, it's done automatically. But in any case it is many
>orders of magnitude better than just a couple of years ago, when the
>protection was _zero_ :(
Yeah, there always has to be a starting point. As long as no-one gets
complacent about it and thinks "Well, we've done our bit and that's
all we have to do".
>> What about security
>> patches? Are campus staff insisting that they also use firewalls?
>
>They are behind the campus firewall anyway
My concern would be more about what was happening on the internal
network
>> Exactly how much is managed by the campus staff and how much is left
>> in the hands of the users?
>>
>> How do campus staff enforce these policies and ensure that they are
>> adhered to?
>
>Dunno - not that close to it :-O
Ahh.
>> Is the network segmented or isolated from other more sensitive areas
>> of the network?
>
>Yes, very much so
That's always good. :-)
>> Are campus staff also employing the use of firewalls and anti-virus
>> gateways to help protect the network?
>
>As above
The questions I asked are more or less the same questions that the
Library I'm currently contracting at will find itself in very shortly
(and to a lesser degree, the situation they are already in).
Currently, our staff are using the same servers (Citrix environment)
and network as the library patrons. The really cluey patrons out
there can literally access many of the same services that staff
access, even though we've tried to nail them down as much as possible.
Unfortunately, being a Gov entity, there are so many levels of
bureaucracy that it's not funny. When I first walked in (a few months
back) I looked at the current setup and said "Oh, my freaking god"
(substitute "freaking" for another word ;-P ).
Because the Library is supposed to be "open" for the patrons and
because senior management believe in enforcing this "openness" (at the
cost of security), we are in a constant struggle to stay on top.
They have plans to introduce wireless access for the patrons once the
new building is opened up, and we are going to find ourselves in a
similar position to that which was described in the OP's first post,
and your response. :-(
Hopefully, senior management will listen to what we have to say - but
I suspect they won't. :-(