Thread: Students bringing in own laptops (forum: How do you do....it? / Technical)
Page 1 of 3, posts 1 to 15 of 32
#1 Rod_Mustard
    Students bringing in own laptops

    Just wondering what the policy is with you guys with 6th formers bringing in their own laptops?

    Personally, I think we shouldn't allow it (since there is no real way to prevent them from plugging their laptop into a normal outlet and being able to access the network). I know we could have separate access points for them on a separate VLAN, but I don't think that really solves the security issue.

#2 simpsonj
    It is, however, the way things are headed at present. I have year 10 and 11 kids bringing in their own laptops, but thankfully not connecting to the network as yet.

    We're planning on implementing a managed wireless solution, so that kids can connect to our (censored) internet without touching the main network at all. However, this is some ways off.

    In the meantime, a whitelist of MAC addresses might be a way of dealing with the issue, as long as kids don't get smart enough to spoof a MAC address...

    Still leads to potential problems down the line if students start asking for technical help, or even worse, schools start to lend laptops out to their students, which you then have to build/fix/purchase.

#3 FN-GM
    Quote Originally Posted by Rod_Mustard:
    Just wondering what the policy is with you guys with 6th formers bringing in their own laptops?

    Personally, I think we shouldn't allow it (since there is no real way to prevent them from plugging their laptop into a normal outlet and being able to access the network). I know we could have separate access points for them on a separate VLAN, but I don't think that really solves the security issue.
    You could set your switches to only allow trusted MAC addresses. Also set up your firewall to only allow connections from your proxy. If you have set up permissions on folders there won't be anything they can do really.

#4 dhicks
    Quote Originally Posted by Rod_Mustard:
    since there is no real way to prevent them from plugging their laptop into a normal outlet and being able to access the network
    Is that the facility that RADIUS provides - stops people connecting random devices to your network? MAC addresses can be spoofed (just plug in a home broadband router, most of them will allow you to set the MAC address and/or copy another machine's MAC address) and you can create havoc (and examine network data) by setting the IP address of a machine to the same as that used by your gateway.

    --
    David Hicks
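The two failure modes dhicks describes (a cloned MAC address and a second machine answering for the gateway's IP) both leave a trace that a defender can watch for: the gateway IP being answered from an unexpected MAC or port, and one MAC showing up on more than one switch port. The following added example (not code from the thread or from any of the posters) runs those two checks over a small, constructed ARP log; the log format, the gateway binding and the port names are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed ARP observation log (sample data, not from the thread).
# One line per ARP reply: <timestamp> reply <ip> is-at <mac> port <switchport>
ARP_LOG = """\
2009-05-14T09:01:02 reply 10.0.0.1 is-at 00:11:22:33:44:01 port Gi1/0/24
2009-05-14T09:01:07 reply 10.0.0.57 is-at 00:11:22:33:44:57 port Gi1/0/12
2009-05-14T09:02:15 reply 10.0.0.1 is-at 00:de:ad:be:ef:99 port Gi1/0/12
2009-05-14T09:02:16 reply 10.0.0.1 is-at 00:11:22:33:44:01 port Gi1/0/24
2009-05-14T09:03:40 reply 10.0.0.58 is-at 00:11:22:33:44:57 port Gi1/0/03
"""

# Assumed legitimate gateway binding: its IP, MAC and the uplink port it lives on.
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:01"
GATEWAY_PORT = "Gi1/0/24"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17}) port (?P<port>\S+)$"
)


def parse_arp_log(text):
    """Parse the log into dicts with ts/ip/mac/port; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_gateway_impersonation(records, gw_ip=GATEWAY_IP, gw_mac=GATEWAY_MAC, gw_port=GATEWAY_PORT):
    """Flag every ARP reply that claims the gateway IP from a MAC or port other than the real one."""
    alerts = []
    for r in records:
        if r["ip"] != gw_ip:
            continue
        if r["mac"].lower() != gw_mac.lower() or r["port"] != gw_port:
            alerts.append({
                "ts": r["ts"],
                "mac": r["mac"].lower(),
                "port": r["port"],
                "reason": "gateway IP claimed by unexpected MAC/port",
            })
    return alerts


def find_mac_on_multiple_ports(records):
    """A single MAC seen on several access ports is the signature of a cloned/whitelisted address."""
    ports_by_mac = defaultdict(set)
    for r in records:
        ports_by_mac[r["mac"].lower()].add(r["port"])
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


if __name__ == "__main__":
    recs = parse_arp_log(ARP_LOG)
    for alert in find_gateway_impersonation(recs):
        print("ALERT", alert)
    for mac, ports in find_mac_on_multiple_ports(recs).items():
        print("DUPLICATE MAC", mac, "seen on ports", ports)
```

Both checks only need the switch to report which port each ARP reply arrived on; in practice that comes from a span port or from the switch's own ARP inspection logs, and the gateway binding would be loaded from configuration rather than hard-coded.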

#5 Rod_Mustard
    Quote Originally Posted by FN-GM:
    You could set your switches to only allow trusted MAC addresses. Also set up your firewall to only allow connections from your proxy. If you have set up permissions on folders there won't be anything they can do really.
    We're quite a big school - over 1000 workstations and laptops - I think adding all those MAC addresses to our switches would be unmanageable and indeed futile. As has been mentioned, it's easy to fake the MAC address anyway, and even if I went down the route of a VLAN and giving the pupils a separate 'untrusted' outlet and access point for their wireless, there is nothing to stop them from unplugging one of our machines and launching a denial of service attack on one of our Windows servers (for instance) from a 'trusted' network socket.

    It's a difficult one. I say ban all outside laptops, but as you know, it's quite difficult to convince the upper echelons.

#6 Theblacksheep
    Quote Originally Posted by Rod_Mustard:
    It's easy to fake the MAC address anyway, and even if I went down the route of a VLAN and giving the pupils a separate 'untrusted' outlet and access point for their wireless, there is nothing to stop them from unplugging one of our machines and launching a denial of service attack on one of our Windows servers (for instance) from a 'trusted' network socket.
    Doesn't a RADIUS server prevent this?

    i.e. unplugging your 'trusted' computer and plugging in an unknown/student laptop to a 'trusted' port would make the port automatically 'untrusted'?

#7 enjay
    We have a very clear - SLT-approved - policy preventing anyone attaching their own equipment to our network. No ifs, no buts, no exceptions (we have even pulled an SLT member up on it when they forgot about it). The risk posed by unmanaged laptops which could (probably don't, but could) contain any number of viruses, hacking tools, packet tracers etc is simply unacceptable.

    Our Sixth Formers have a wireless point in their building which permits them Internet access and nothing more, they then use our remote access to connect back in for any files they need (that is MAC controlled, so only known laptops connect to it).

#8 russdev
    As said, the main thing is that whatever we think, we are all going to go that way.

    So we need to look at options and get commitment from SLT to spend money to invest in it.

    So in terms of options, I think the best option is a VLANed wireless network for students with some kind of security layer that disables access unless it passes certain tests.

    But like most things this costs money.

    Russ

    Thanks to russdev from: srochford (14th May 2009)

#9 AngryTechnician
    We already do this. Our entire network - wireless AND wired - is completely VLANed using 802.1x to authenticate. Domain workstations authenticate via EAP-TLS using their domain certificate that they receive through AD, and students' own machines authenticate via PEAP using their normal network username and password. The very few devices that don't support 802.1x (network printers, mostly) have 'tagged' network ports assigned to a particular VLAN that only allow access from a single MAC address, and connect to a restricted VLAN.

    Which VLAN anything else connects to depends on what group they are joined to in the AD. All students connect to our 'Guest' VLAN which is heavily restricted.

    We first implemented this 2 years ago, and there was some pain at first - XP SP2's implementation of 802.1x on wired connections was a bit hit and miss. Since Microsoft backported the Vista implementation in SP3, it's been much better. We haven't looked much at NAP yet, but it's certainly an option now we have everything else set up.

    Thanks to AngryTechnician from: Theblacksheep (14th May 2009)
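AngryTechnician's setup hangs together because the RADIUS server answers each 802.1x request with a VLAN chosen from *how* the supplicant proved itself (domain certificate vs. username and password) and *which AD group* that identity is in; the switch then puts the port in that VLAN, which is why unplugging a trusted PC and plugging in a student laptop demotes the port rather than inheriting its trust. The following added example (not AngryTechnician's configuration or any RADIUS product's code) models that decision in Python: the VLAN numbers, the CA name, the AD group table and the static MAC/port list are all constructed assumptions, while the three Tunnel-* attribute names and values are the standard ones from RFC 2868/RFC 3580 that switches use for dynamic VLAN assignment.

```python
from dataclasses import dataclass
from typing import Optional

# Standard RADIUS tunnel attribute values used for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed VLAN plan for this example (assumption; the thread gives no numbers).
VLAN_WORKSTATIONS = 10   # domain machines (EAP-TLS)
VLAN_STAFF = 20          # staff users (PEAP)
VLAN_GUEST = 30          # heavily restricted student VLAN
VLAN_PRINTERS = 40       # restricted VLAN for devices that cannot do 802.1x

DOMAIN_CA = "CN=Example School CA"   # placeholder issuer of the AD-distributed machine certificates

# Constructed stand-in for an AD/LDAP group lookup.
AD_GROUPS = {
    "jbloggs": {"Staff", "Domain Users"},
    "s.student": {"Students", "Domain Users"},
    "visitor": set(),
}

# Non-802.1x devices pinned to exactly one MAC on one tagged port (the printer case).
STATIC_MAC_PORTS = {"00:11:22:33:aa:01": "Gi1/0/40"}


@dataclass
class AuthRequest:
    method: str                     # "eap-tls", "peap" or "mac-only"
    identity: str                   # certificate subject, username, or MAC address
    port: str                       # switch port the request came from
    cert_issuer: Optional[str] = None
    password_ok: bool = False       # outcome of the PEAP inner credential check


def vlan_attrs(vlan_id):
    """The three attributes a switch reads to move the port into a VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def accept(vlan_id, why):
    return {"code": "Access-Accept", "vlan": vlan_id, "attrs": vlan_attrs(vlan_id), "why": why}


def reject(why):
    return {"code": "Access-Reject", "vlan": None, "attrs": {}, "why": why}


def authorize(req: AuthRequest):
    """Pick the VLAN from the authentication method and the identity's AD group; default is reject."""
    if req.method == "eap-tls":
        if req.cert_issuer != DOMAIN_CA:
            return reject("machine certificate not issued by the domain CA")
        return accept(VLAN_WORKSTATIONS, "domain workstation (EAP-TLS)")
    if req.method == "peap":
        if not req.password_ok:
            return reject("bad username/password")
        groups = AD_GROUPS.get(req.identity, set())
        if "Staff" in groups:
            return accept(VLAN_STAFF, "staff user (PEAP)")
        if "Students" in groups:
            return accept(VLAN_GUEST, "student user (PEAP) -> Guest VLAN")
        return reject("account is in no group that maps to a VLAN")
    if req.method == "mac-only":
        if STATIC_MAC_PORTS.get(req.identity.lower()) == req.port:
            return accept(VLAN_PRINTERS, "known non-802.1x device on its assigned port")
        return reject("unknown MAC, or a known MAC seen on the wrong port")
    return reject("unsupported authentication method")


if __name__ == "__main__":
    for r in (
        AuthRequest("eap-tls", "CN=LAB-PC-07", "Gi1/0/12", cert_issuer=DOMAIN_CA),
        AuthRequest("peap", "s.student", "Gi1/0/12", password_ok=True),
        AuthRequest("mac-only", "00:11:22:33:AA:01", "Gi1/0/12"),
    ):
        print(r.method, r.identity, "->", authorize(r))
```

The last request in the usage block is the interesting one: the printer's MAC is known, but it arrives on a different port than the one it was pinned to, so it is refused rather than granted the printer VLAN. That is the behaviour Theblacksheep asked about in #6.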

#10 Geoff
    We implement Network Access Control via Packetfence. It controls access and monitors machines connecting to our network. Providing the user operating the foreign machine can provide valid login credentials and the machine passes our policy checks (patched up to date, running AV, firewall, not a games console) it gets let on the net (DNS and HTTP/HTTPS only).

    PacketFence: Home

    4 Thanks to Geoff: dalsoth (14th May 2009), dhicks (14th May 2009), Theblacksheep (14th May 2009), User3204 (17th May 2009)

#11 gibboap
    Will read through this all in a sec, but would their laptops all not have to be PAT tested (well, the power supply)? Which would give me the argument not to allow it, as to be honest I hate PAT testing and can't be bothered to test X amount of students' equipment when the establishment offers X amount of ICT equipment.

#12 cookie_monster
    @ Geoff - what infrastructure do you use along with the Packetfence? Do you need to have a VLAN in place to put the notebook into until it is approved?

#13 russdev
    Quote Originally Posted by gibboap:
    Will read through this all in a sec, but would their laptops all not have to be PAT tested (well, the power supply)? Which would give me the argument not to allow it, as to be honest I hate PAT testing and can't be bothered to test X amount of students' equipment when the establishment offers X amount of ICT equipment.
    No, as long as students sign to say that they are liable etc. - aka you are acting like a wireless hotspot in a pub - they do not need to be PAT tested.

    I might get shot down for this, but maybe we should be looking at how we can do it and overcome any issues, and not at excuses not to do it.

    Russ

#14 Rod_Mustard
    Quote Originally Posted by AngryTechnician:
    We already do this. Our entire network - wireless AND wired - is completely VLANed using 802.1x to authenticate. Domain workstations authenticate via EAP-TLS using their domain certificate that they receive through AD, and students' own machines authenticate via PEAP using their normal network username and password. The very few devices that don't support 802.1x (network printers, mostly) have 'tagged' network ports assigned to a particular VLAN that only allow access from a single MAC address, and connect to a restricted VLAN.

    Which VLAN anything else connects to depends on what group they are joined to in the AD. All students connect to our 'Guest' VLAN which is heavily restricted.

    We first implemented this 2 years ago, and there was some pain at first - XP SP2's implementation of 802.1x on wired connections was a bit hit and miss. Since Microsoft backported the Vista implementation in SP3, it's been much better. We haven't looked much at NAP yet, but it's certainly an option now we have everything else set up.
    This seems like a good way forward. How difficult was this to implement?

#15 Geoff
    Quote Originally Posted by cookie_monster:
    @ Geoff - what infrastructure do you use along with the Packetfence? Do you need to have a VLAN in place to put the notebook into until it is approved?
    You can do it one of three ways:

    1) via DHCP, which requires Packetfence to operate as your DHCP server.
    2) via ARP poisoning, which requires nothing special.
    3) via VLANs, which requires managed switches.

    I use #2.
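Geoff's two posts (#10 and #15) describe a NAC pipeline: a foreign machine has to present valid credentials and pass policy checks (patched, AV, firewall, not a games console) before it is let on, and until then it is held off the network by one of the three isolation methods, the first of which is the NAC box acting as the DHCP server. The following added example (not PacketFence code and not Geoff's deployment) ties the two halves together in Python using that DHCP option: devices that have not registered or that failed a check get a short lease in an isolation scope whose DNS and router both point at the registration portal, while devices that passed get a normal lease and the DNS/HTTP/HTTPS-only egress Geoff mentions. All addresses, scope sizes and lease times are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network

# Constructed network plan (assumption; the thread names no addresses).
PRODUCTION_NET = IPv4Network("10.0.0.0/22")
ISOLATION_NET = IPv4Network("192.168.200.0/24")
PORTAL_IP = "192.168.200.1"     # registration / captive portal host inside the isolation scope
PRODUCTION_DNS = "10.0.0.2"
PRODUCTION_GW = "10.0.0.1"
ANY = "any"

# Services a machine that passes the checks may reach: DNS and HTTP/HTTPS only (post #10).
PRODUCTION_EGRESS = {("udp", 53, ANY), ("tcp", 53, ANY), ("tcp", 80, ANY), ("tcp", 443, ANY)}
# An isolated machine may only talk to the portal, enough to register and be re-checked.
ISOLATION_EGRESS = {("udp", 53, PORTAL_IP), ("tcp", 80, PORTAL_IP), ("tcp", 443, PORTAL_IP)}


@dataclass
class Posture:
    mac: str
    credentials_ok: bool      # the user gave a valid login at the portal
    patched: bool
    av_running: bool
    firewall_on: bool
    device_class: str         # e.g. "laptop" or "games-console"


def evaluate(p: Posture):
    """Apply the policy checks; return (passed, list of failed checks)."""
    failures = []
    if not p.credentials_ok:
        failures.append("no valid login credentials")
    if not p.patched:
        failures.append("missing patches")
    if not p.av_running:
        failures.append("no anti-virus running")
    if not p.firewall_on:
        failures.append("host firewall disabled")
    if p.device_class == "games-console":
        failures.append("games consoles are not permitted")
    return (not failures, failures)


class NacDhcp:
    """NAC-controlled DHCP server: scope choice depends on whether the MAC is registered."""

    def __init__(self):
        self.registered = set()
        self._next_host = {PRODUCTION_NET: 10, ISOLATION_NET: 10}   # first usable host index per scope
        self.leases = {}

    def register(self, p: Posture):
        passed, failures = evaluate(p)
        mac = p.mac.lower()
        if passed:
            self.registered.add(mac)
        else:
            self.registered.discard(mac)   # a previously good machine that now fails is demoted
        return passed, failures

    def offer(self, mac):
        """Hand out a lease from the production scope if registered, else from isolation."""
        mac = mac.lower()
        if mac in self.registered:
            net, scope, dns, router, ttl = PRODUCTION_NET, "production", PRODUCTION_DNS, PRODUCTION_GW, 3600
        else:
            net, scope, dns, router, ttl = ISOLATION_NET, "isolation", PORTAL_IP, PORTAL_IP, 60
        idx = self._next_host[net]
        self._next_host[net] += 1
        lease = {
            "ip": str(net.network_address + idx),
            "netmask": str(net.netmask),
            "router": router,
            "dns": dns,
            "lease_seconds": ttl,
            "scope": scope,
        }
        self.leases[mac] = lease
        return lease

    def egress_rules(self, mac):
        """Allowed (proto, port, destination) tuples for the machine's current state."""
        return set(PRODUCTION_EGRESS if mac.lower() in self.registered else ISOLATION_EGRESS)


if __name__ == "__main__":
    nac = NacDhcp()
    console = Posture("aa:bb:cc:00:00:01", True, True, True, True, "games-console")
    laptop = Posture("aa:bb:cc:00:00:02", True, True, True, True, "laptop")
    for dev in (console, laptop):
        print(dev.mac, nac.register(dev), nac.offer(dev.mac)["scope"])
```

The short isolation lease is deliberate: once the machine registers and passes, its next renewal lands it in the production scope without the user having to do anything. A machine that was never seen at the portal gets the same isolation treatment as one that failed, so the default is deny.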


