Re: NetReg: Students with more than one computer


From: Todd K. Watson (tkw@southwestern.edu)
Date: Tue Apr 17 2001 - 00:24:20 CDT


> Well, as Peter has said (to me, at least), netreg is not a security
> system. It depends on client machines cooperating by using DHCP.

Absolutely.

> I don't know much about snmp, but I would imagine it also requires a
> degree of cooperation from the clients (Install some sort of agent on
> the client? I invite someone more knowledgeable to comment on this).

I think the prospect of having each client run an snmp agent on their
system is not feasible or reliable.

> The only thing you can do to enforce compliance is to block all
> non-registered IP addresses with your network router(s). You'd have
> to get netreg to programmatically communicate with the router(s) to
> enable addresses as they get registered. (I've been wanting to look
> into possible netreg-CISCO router communication, but I ran out of
> those "round-to-it" thingies :-/ ).

That's the direction I would go. To take it a step further, it would be
non-trivial, but possible, to set up your NetReg'ed machines behind a
host-based firewall system (a BSD or linux variant would be
easy/cheap). You could then have that box build IP-chains firewall
rules based on your NetReg's dhcp conf file of registered clients. You
could build in additional tools and intelligence as needed, which would
not be possible on a legacy router without doing a ton of SNMP updates.

Todd

>
> At 10:48 PM -0500 4/16/01, Nick Ciesinski wrote:
> >We have it set up right now that some of our buildings have just enough IPs
> >to cover each port, but not any more than that. The problem is that some
> >students are bringing more than one PC to school with them (if not 3!). We
> >want to have it so a student can not have a 2nd PC in the room to help
> >reduce the possibility of exhausting the available IPs in a subnet. Does
> >anyone know a way that this can be done?? I know I can only let a user
> >register once, but what's to stop the user from walking down that hall and
> >asking someone without a computer for them to register the machine for them?
> >I am looking for a way that the user can not bypass the restriction. I was
> >thinking something with SNMP but couldn't think of anything that may work.
> >I figured I would ask you to see if anyone else has any ideas.
> >
> >Thanks,
> >
> >Nick Ciesinski
> >University Wisconsin Whitewater
> >Residence Life Computing
> >
> >**********************************************************************
> >To unsubscribe from this list, send an e-mail message to
> >majordomo@southwestern.edu containing a single line with the words:
> >unsubscribe netreg
> >Send requests for assistance to: owner-netreg@southwestern.edu
> >**********************************************************************
>

-- 
        Todd K. Watson
        Senior System & Network Administrator
        Southwestern University, Georgetown, TX
        tkw@southwestern.edu || TEL:512.863.1508 || FAX:512.863.1605
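
The firewall-box idea in the message above, as an added example that is not part of the original post and is not NetReg code: it reads registered clients from a dhcp conf file and emits default-deny ipchains rules for them. It assumes registered clients appear as ISC dhcpd.conf host blocks carrying a fixed-address; the function names and the sample conf are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in ISC dhcpd.conf syntax (not from a real NetReg install).
SAMPLE_CONF = """
subnet 10.1.0.0 netmask 255.255.255.0 { range 10.1.0.200 10.1.0.250; }
host alice-pc { hardware ethernet 00:A0:C9:12:34:56; fixed-address 10.1.0.21; }
# host retired { hardware ethernet 00:a0:c9:00:00:01; fixed-address 10.1.0.22; }
host bob-pc {
    hardware ethernet 00:a0:c9:ab:cd:ef;
    fixed-address 10.1.0.23;
}
host no-ip { hardware ethernet 00:a0:c9:11:11:11; }
host bad-ip { hardware ethernet 00:a0:c9:22:22:22; fixed-address 10.1.0.999; }
"""

HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^{}]*)\}")
ADDR_RE = re.compile(r"\bfixed-address\s+([^;\s]+)\s*;")

def registered_hosts(conf_text):
    """Return ([(name, ip)], [skipped names]) from dhcpd.conf host blocks."""
    # Drop comments first so a commented-out registration grants nothing.
    text = re.sub(r"#[^\n]*", "", conf_text)
    hosts, skipped = [], []
    for name, body in HOST_RE.findall(text):
        m = ADDR_RE.search(body)
        try:
            # Validate the address before it is placed in a firewall command.
            ip = ipaddress.IPv4Address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is None:
            skipped.append(name)  # no address, a hostname, or malformed
        else:
            hosts.append((name, str(ip)))
    return hosts, skipped

def ipchains_rules(hosts, chain="forward"):
    """Default-deny forwarding with ACCEPT rules per registered address."""
    rules = [f"ipchains -F {chain}", f"ipchains -P {chain} DENY"]
    for _, ip in hosts:
        # ipchains is stateless: permit both outbound and return traffic.
        rules.append(f"ipchains -A {chain} -s {ip} -j ACCEPT")
        rules.append(f"ipchains -A {chain} -d {ip} -j ACCEPT")
    return rules

if __name__ == "__main__":
    hosts, skipped = registered_hosts(SAMPLE_CONF)
    print("\n".join(ipchains_rules(hosts)))
```

Rules keyed on IP address alone do not bind a client to its registered hardware address, so a host that statically configures a registered address is still forwarded.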


This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:35 CDT