Geoff - what do you use for compliance checking (patchlevel, AV etc) with packetfence?
Agreed.
I'm old enough to remember the days when everyone was dead set against the idea of people bringing their own calculators into school; no-one could see value in them, they were just a waste of time, money etc etc. Not sure that anyone takes that view any longer.
Users will need to use their own equipment in school. It will be difficult to do and it will cost money (but maybe not much) and I think anyone whose attitude is just a blanket "no" is going the wrong way.
As others have said, 802.1x will make it possible to trace who is connecting to your network and where. Windows Server Network Access Protection makes it possible to control which machines get access to what on the network.
I have port security enabled on our Cisco switches for nearly all network outlets, so they can try and patch in an unauthorised laptop but the switch port will shut down.
On the wireless side, creating a separate VLAN and SSID for untrusted machines will solve any security issues you have, as you can (providing you have the switches to do it) just set up some ACLs permitting exactly what traffic is allowed to flow from the untrusted VLAN to the network.
I just allow:
DHCP, DNS and TCP port 8080 ONLY going to the proxy's IP address - everything else is dropped / denied.
I too am interested in this answer. PacketFence works well with Nessus, but that requires credentials to interrogate the foreign system, I believe.
I've just had this same discussion but I could not find a solution that could provide compliance checking without some requirement for credentials (and rightly so).
For people that are worried about viruses and such, could you try something like Cisco CleanAgent (sorry, I've never looked into it, so I can't think of other names, costs etc. and am just going by what I've read on forums and such), in which each laptop has a client installed and, when you start up and want network access, it checks against the server to see if you meet the requirements (e.g. antivirus packages up to date, OS patches etc. installed) that you have set up as the rules, and if you don't it won't let you access the net.
And what product would you recommend to ensure they're not launching DoS attacks and such like from their laptops?
Here's a thought, albeit an unlikely one - where would the school stand if students hacked MI5 or wherever from a personally-owned PC over the school-provided Internet connection?
As an aside, I trust all those of you who are allowing this are PAT testing the laptops first...
I recommend the Mk.5 Headteacher product from NAHT Systems to instil discipline and suspend pupils who abuse their access privileges.
Sarcasm, moi? Perhaps, but not everything is best solved with technology. Sometimes explaining the rules and sanctions, and following through on them, is all you need. We have never had a problem with this and we have more than 200 student machines permitted to connect to our network. It probably helps that our student VLAN allows traffic on only a very select few ports and to very few servers. About all they could attack would be the proxy server and intranet web server on their HTTP ports, which would be tracked back to their computers extremely quickly.
On a serious note, I would also be interested in what IDS systems people would recommend, specifically for detecting DoS, since I understand that is an area of weakness with Snort.
The first thing a correctly patched and functioning machine will attempt to do is check in with Windows Update/WSUS and its AV vendor's update website. You can catch this traffic with Snort rules.
Additionally one can attempt obvious well known exploits with Nessus.
Finally, if the machine is infected with something nasty, Snort will likely see it trying to do whatever it does via its standard rules.
Failing all of that, make sure your port security is set so the machine cannot communicate with other machines on the VLAN (much like you would do on a WiFi LAN). That way you can at least prevent an infection spreading, as the machine would only be able to talk to the default gateway, the proxy and the DNS/DHCP servers, all of which you control and have kept patched!
And what product would you recommend to ensure they're not launching DoS attacks and such like from their laptops?
Assuming you enable the rules in Snort, PacketFence will boot people off for doing stupidity like this.

Geoff,
Do you use packetfence-zen or std?
How does the supported switch element work? We only have HP switches; our router is an unsupported XL, and a 5400 is connected to the Vi3 hosts I would put the zen box on. Would it need to be a physical box plugged into a supported switch? (We have 2500s and 2600s scattered around the school.) We currently have VLANs manually set up around the school, all going back to the HP XL.
Standard.
I don't use the VLAN method as I'm in the same boat as you. I have some crummy old 3Com switches that aren't supported.
Theblacksheep (17th May 2009)

We have one kid, who has severe special needs, who has permission to bring in his laptop. We make him sign a slightly edited AUP with an extra clause about not connecting it to the network. He has tried to connect it once again, and then it was taken out of our hands and dealt with by our LMT.
The way we have approached it is to set up a VLAN and use a RADIUS server to authenticate users using their normal network logon. This cuts out the hassle of them remembering yet another login.
In the VLAN we have set up a simple (desktop PC) DNS and DHCP server which is allowed to talk to the internal DNS server only. This hands out DNS and DHCP info to the sixth-form students' devices.
For security the DG is set up to point to our ISA server (a NIC dedicated to the wifi network) so we can create and lock down the VLAN traffic. In addition I also created some ACLs on the switch for this particular VLAN so it only allows HTTP, HTTPS and DNS to the outside world. Because the traffic is going through our proxy server, which has our web filtering software installed, we can create web filtering rules so they can only get to certain sites.
The RADIUS server setup we use is MS IAS 2003 with PEAP authentication. We used our own CA to issue the certificate to the RADIUS server. Students come in with their laptop to be configured on the wifi network; they are not allowed to do this themselves. During the setup we copy the CA's root certificate to the student's laptop so our CA is trusted during the PEAP process.
The students have to sign a form which has their name, the serial number of their laptop/device and the signature of the technician who set up the wireless network. It also records the wireless MAC address of the device as well.
The above works well and it didn't really cost that much, as the DHCP/DNS server is an old desktop station that was taken out of a classroom due to low spec.
Let me know if you want more information.
Ash.
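Both the earlier "DHCP, DNS and TCP 8080 to the proxy only" post and Ash's sixth-form wifi VLAN rely on the same technique: an inbound ACL on the untrusted VLAN that permits only the named flows and drops the rest. The following Cisco IOS fragment is an added example written for this thread, not config from either poster; the VLAN number, subnet, gateway, proxy and DNS/DHCP addresses are all assumed values.

```cisco
! Added example, not from the thread. Assumed addressing (all constructed):
!   untrusted student VLAN 50 = 10.50.0.0/16, gateway 10.50.0.1
!   proxy 10.1.1.10 (listening on TCP 8080), DNS/DHCP server 10.1.1.20
!
! Switch-level isolation first: protected ports cannot exchange frames with
! each other, only with the uplink, so an infected laptop cannot reach its
! neighbours on the same VLAN (the "port security" point made above).
interface range GigabitEthernet1/0/1 - 24
 description Student BYOD ports
 switchport mode access
 switchport access vlan 50
 switchport protected
!
! Inbound ACL on the VLAN interface: DHCP, DNS to the designated resolver,
! and TCP 8080 to the proxy are permitted; everything else is logged and dropped.
ip access-list extended STUDENT-VLAN-IN
 remark DHCP: client requests (bootpc) to the DHCP server (bootps)
 permit udp any eq bootpc any eq bootps
 remark DNS: only to the designated resolver, UDP and TCP
 permit udp 10.50.0.0 0.0.255.255 host 10.1.1.20 eq domain
 permit tcp 10.50.0.0 0.0.255.255 host 10.1.1.20 eq domain
 remark Web access only via the filtering proxy on 8080
 permit tcp 10.50.0.0 0.0.255.255 host 10.1.1.10 eq 8080
 remark Explicit final deny with logging so drops can be traced back to a device
 deny ip any any log
!
interface Vlan50
 description Untrusted student devices
 ip address 10.50.0.1 255.255.0.0
 ip access-group STUDENT-VLAN-IN in
!
! Variant matching Ash's sixth-form VLAN (HTTP, HTTPS and DNS to the outside
! world, with the gateway pointing at a dedicated ISA NIC): replace the three
! permit lines above with the following, keeping the final deny.
!  permit tcp 10.50.0.0 0.0.255.255 any eq www
!  permit tcp 10.50.0.0 0.0.255.255 any eq 443
!  permit udp 10.50.0.0 0.0.255.255 host 10.1.1.20 eq domain
```

Because the ACL is inbound on the VLAN interface, return traffic from the proxy and resolver is not affected; the `log` keyword on the deny makes any laptop probing other ports show up in the switch log with its source address.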
Like a number of people have said this is the way forward. The issue is not a yes or no but how we ensure it happens in a safe and secure way which is easy for the user.
Start to think about the future and look at the big picture, technology changes and it will change how we do things. Don't look at it as doing old things in new ways but as new things in new ways. Ask yourself how mackie "D" does it? How it allows people on to its wifi but also uses the system for its business.
There are people pushing the idea, do schools need a network as such, do they need servers on site?
Why not use cloud computing and SaaS? Why buy computers? Give everyone a voucher?

I have got an unpublished article that I wrote a while back; I may tidy it up and publish it. The gist of it is that pupil computer schemes, be that Computers for Pupils or the USA one-to-one agenda, are just not viable in the long term. Heck, the laptop for teachers programme in the UK proved that: buy everybody a computer, and what do you do 3/4 years down the line? Where does the replacement come from?
So the next thing we have to do is look at a secure and safe way of doing it. But then another argument to all this is that we can never do it in a completely secure and inexpensive way. So we then have to look at the bigger picture of digital literacy.
Russ