Thread: Students bringing in own laptops (How do you do....it? forum, Technical), page 2 of 3
#16 (keithu)
    Geoff - what do you use for compliance checking (patchlevel, AV etc) with packetfence?

#17 (srochford)
    Quote (russdev):
        As said, the main thing is, whatever we think, we are all going to go that way.

        So we need to look at options and get commitment from SLT to spend money to invest in it.

        But like most things this costs money.

    Agreed.

    I'm old enough to remember the days when everyone was dead set against the idea of people bringing their own calculators into school; no-one could see value in them, they were just a waste of time, money etc etc. Not sure that anyone takes that view any longer.

    Users will need to use their own equipment in school. It will be difficult to do and it will cost money (but maybe not much) and I think anyone whose attitude is just a blanket "no" is going the wrong way.

    As others have said, 802.1x will make it possible to trace who is connecting to your network and where. Windows Server Network Access Protection makes it possible to control which machines get access to what on the network.

#18
    I have port security enabled on our Cisco switches for nearly all network outlets, so they can try and patch in an unauthorised laptop but the switch port will shut down.

    On the wireless side, creating a separate VLAN and SSID for untrusted machines will solve any security issues you have, as you can (providing you have the switches to do it) just set up some ACLs permitting exactly what traffic is allowed to flow from the untrusted VLAN to the network.

    I just allow:

    DHCP, DNS and TCP port 8080 ONLY going to the proxy's IP address; everything else is dropped / denied.

#19 (amfony)
    Quote (keithu):
        Geoff - what do you use for compliance checking (patchlevel, AV etc) with packetfence?

    I too am interested in this answer. PacketFence works well with Nessus, but that requires credentials to interrogate the foreign system, I believe.

    I've just had this same discussion but I could not find a solution that could provide compliance checking without some requirement for credentials (and rightly so).

#20 (p858snake)
    For people that are worried about viruses and such, could you try something like Cisco CleanAgent (sorry, I've never looked into it, so I can't think of other names, costs etc. and am just going by what I've read on forums and such)? Each laptop has a client installed and, when you start up and want network access, it checks against the server to see if you meet the requirements (e.g. antivirus packages up to date, OS patches etc. installed) that you have set up as the rules, and if you don't it won't let you access the net.

#21 (enjay)
    Quote (srochford):
        As others have said, 802.1x will make it possible to trace who is connecting to your network and where. Windows Server Network Access Protection makes it possible to control which machines get access to what on the network.

    And what product would you recommend to ensure they're not launching DoS attacks and suchlike from their laptops?

    Here's a thought, albeit an unlikely one - where would the school stand if students hacked MI5 or wherever from a personally-owned PC over the school-provided Internet connection?

    As an aside, I trust all those of you who are allowing this are PAT testing the laptops first...

#22 (AngryTechnician)
    Quote (NickJones):
        And what product would you recommend to ensure they're not launching DoS attacks and suchlike from their laptops?

    I recommend the Mk.5 Headteacher product from NAHT Systems to instil discipline and suspend pupils who abuse their access privileges.

    Sarcasm, moi? Perhaps, but not everything is best solved with technology. Sometimes explaining the rules and sanctions, and following through on them, is all you need. We have never had a problem with this and we have more than 200 student machines permitted to connect to our network. It probably helps that our student VLAN allows traffic on only a very select few ports and to very few servers. About all they could attack would be the proxy server and intranet web server on their HTTP ports, which would be tracked back to their computers extremely quickly.

    On a serious note, I would also be interested in what IDS systems people would recommend, specifically for detecting DoS, since I understand that is an area of weakness with Snort.

#23 (Geoff)
    Quote (keithu):
        Geoff - what do you use for compliance checking (patchlevel, AV etc) with packetfence?

    The first thing a correctly patched and functioning machine will attempt to do is check in with Windows Update/WSUS and its AV vendor's update website. You can catch this traffic with Snort rules.

    Additionally one can attempt obvious well known exploits with Nessus.

    Finally, if the machine is infected with something nasty, Snort will likely see it trying to do whatever it does via its standard rules.

    Failing all of that, make sure your port security is set so the machine cannot communicate with other machines on the VLAN (much like you would do on a WiFi LAN); that way you can at least prevent an infection spreading (as the machine would only be able to talk to the default gateway, the proxy and the DNS/DHCP servers, all of which you control and have kept patched!).

    Quote (NickJones):
        And what product would you recommend to ensure they're not launching DoS attacks and suchlike from their laptops?

    Assuming you enable the rules in Snort, PacketFence will boot people off for doing stupidity like this.
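Geoff's last point about isolating laptops from each other, together with the port security post #18 describes, written out as an added Cisco IOS example (not configuration from anyone in the thread); VLAN 200 and the port range are placeholders:

```cisco
! Added example; VLAN 200 and the port range are placeholders.
! Student-facing access ports: isolate laptops from each other and
! shut the port if an unexpected MAC appears (post #18's behaviour).
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 200
 ! Protected ports cannot exchange frames with each other directly;
 ! they only reach unprotected ports (gateway, proxy, DNS/DHCP).
 switchport protected
 ! Learn the first MAC seen, keep it in the config, and err-disable
 ! the port on a second MAC so a swapped-in laptop loses the link.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Bring err-disabled ports back after 5 minutes so a technician
! does not have to bounce every tripped port by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The err-disable event itself is what you watch for in syslog; each one is a laptop (or MAC change) that the port did not expect.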

#24 (Theblacksheep)
    Geoff,

    Do you use packetfence-zen or std?

    How does the supported switch element work? We only have HP switches; our router is an unsupported XL, and a 5400 is connected to the VI3 hosts I would put the Zen box on. Would it need to be a physical box plugged into a supported switch? (We have 2500s and 2600s scattered around the school.) We currently have manual VLANs set up around the school, all going back to the HP XL.

#25 (Geoff)
    Standard.

    I don't use the VLAN method as I'm in the same boat as you. I have some crummy old 3Com switches that aren't supported.

Thanks to Geoff from: Theblacksheep (17th May 2009)

#26 (russdev)
    Quote (NickJones):
        And what product would you recommend to ensure they're not launching DoS attacks and suchlike from their laptops?

        Here's a thought, albeit an unlikely one - where would the school stand if students hacked MI5 or wherever from a personally-owned PC over the school-provided Internet connection?

        As an aside, I trust all those of you who are allowing this are PAT testing the laptops first...

    Key here is you don't need to PAT test as long as they do not plug the device into a school mains socket.


    Russ

#27 (rh91uk)
    We have one kid, who has severe special needs, who has permission to bring in his laptop. We make him sign a slightly edited AUP with an extra clause about not connecting it to the network. He has tried to connect it once again, and then it was taken out of our hands and dealt with by our LMT.

#28 (Ash)
    The way we have approached it is to set up a VLAN and use a RADIUS server to authenticate users using their normal network logon. This cuts out the hassle of them remembering yet another login.

    In the VLAN we have set up a simple (desktop PC) DNS and DHCP server which is allowed to talk to the internal DNS server only. This hands out DNS and DHCP info to the sixth-form students' devices.

    For security the DG is set up to point to our ISA server (a NIC dedicated to the wifi network) so we can create and lock down the VLAN traffic. In addition I also created some ACLs on the switch for this particular VLAN so it only allows HTTP, HTTPS and DNS to the outside world. Because the traffic is going through our proxy server, which has our web filtering software installed, we can create web filtering rules so they can only get to certain sites.

    The RADIUS server setup we use is MS IAS 2003 with PEAP authentication. We used our own CA to issue the certificate to the RADIUS server. Students come in with their laptop to be configured on the wifi network; they are not allowed to do this themselves. During the setup we copy the CA's root certificate to the student's laptop so our CA is trusted during the PEAP process.

    The students have to sign the form which has their name, the serial number of their laptop/device and the signature of the technician who set up the wireless network. It also records the wireless MAC address of the device as well.

    The above works well and it didn't really cost that much, as the DHCP/DNS server is an old desktop station that was taken out of a classroom due to low spec.

    Let me know if you want more information.

    Ash.
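The restricted-VLAN ACL that posts #18 (DHCP, DNS and tcp/8080 to the proxy only) and #28 (HTTP, HTTPS and DNS only) describe, written out as an added Cisco IOS example that is not configuration from anyone in the thread; the VLAN number and the addresses of the DNS/DHCP box and the proxy are placeholders:

```cisco
! Added example; addresses and VLAN number are placeholders:
!   VLAN 200      = untrusted student VLAN
!   10.200.0.53   = the DNS/DHCP box that sits in the VLAN (post #28)
!   10.0.0.80     = proxy / ISA interface facing the VLAN
ip access-list extended STUDENT-VLAN-IN
 remark DHCP discover/request (broadcast or relayed) to the DHCP server
 permit udp any eq bootpc any eq bootps
 remark DNS only to the VLAN's own resolver, which forwards internally
 permit udp any host 10.200.0.53 eq domain
 permit tcp any host 10.200.0.53 eq domain
 remark Web only through the proxy on tcp/8080 (post #18's design)
 permit tcp any host 10.0.0.80 eq 8080
 remark Post #28's variant permits plain HTTP/HTTPS to the ISA NIC
 remark instead:  permit tcp any host 10.0.0.80 eq www
 remark            permit tcp any host 10.0.0.80 eq 443
 remark Everything else routed out of the VLAN is dropped and logged;
 remark this does not cover laptop-to-laptop traffic inside the VLAN,
 remark which needs port isolation on the access switches (post #23).
 deny ip any any log
!
interface Vlan200
 description Untrusted student laptops
 ip address 10.200.0.1 255.255.255.0
 ip access-group STUDENT-VLAN-IN in
```

Apply the list on whichever device routes for the VLAN; in post #28's design that is the ISA server's wifi NIC rather than a switch SVI, and the logged denies are the easiest place to spot a device probing for something it should not reach.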

#29 (NewOrder)
    Like a number of people have said this is the way forward. The issue is not a yes or no but how we ensure it happens in a safe and secure way which is easy for the user.

    Start to think about the future and look at the big picture: technology changes and it will change how we do things. Don't look at it as doing old things in new ways but as new things in new ways. Ask yourself how mackie "D" does it, how it allows people on to its wifi but also uses the system for its business.

    There are people pushing the idea: do schools need a network as such, do they need servers on site?

    Why not use cloud computing and SaaS? Why buy computers? Give everyone a voucher?

#30 (russdev)
    I have got an unpublished article that I wrote a while back; I may tidy it up and publish it. The gist of it is that pupil computer schemes, be that Computers for Pupils or the USA one-to-one agenda, are just not viable in the long term. Heck, the laptops for teachers programme in the UK proved that: buy everybody a computer, and what do you do 3/4 years down the line? Where does the replacement come from?

    So the next thing we have to do is look at a secure and safe way of doing it. But then another argument to all this is that we can never do it in a completely secure way and an inexpensive way. So we then have to look at the bigger picture of digital literacy.

    Russ
