From: Paul Southerington (psouther@mbc.edu)
Date: Tue Aug 26 2003 - 11:21:27 CDT
We're doing basically the same thing with a couple of
minor twists.

One is that we are allowing windowsupdate.microsoft.com
and its related addresses to resolve properly, so students
can run Windows Update before they register.
We still scan them before they can get online, and supply
the specific MS03-026 patch if appropriate.

The other is that we're issuing a /32 netmask, in order
to force all traffic to the router until they've
registered. Macs are exempted because they don't play
well with that netmask. We identify the Macs by
the string 'Mac' at the beginning of their
vendor-client-id option in DHCP, or by their having
an Ethernet prefix that is registered to Apple.

The reason for the netmask games is because we still
have hubs in many of the dorms. This tells the
Windows machines to send all traffic through the router,
where we can apply our filtering. (That's an additional
load on the router, but in our environment it is not
a problem.) Essentially, it's a paranoia measure to
block the spread of Blaster within a specific subnet.

If anyone is interested in the specific DNS zone
files or dhcpd.conf options, drop me an email off-list
and I can provide them.

On Tue, Aug 26, 2003 at 10:13:20AM -0400, Eric Gauthier wrote:
> Hello,
>
> Boston University is experimenting with something very similar, though our
> students don't really return until next weekend.
>
> Eric Gauthier
> Network Engineer
> 617-353-8218 ~^~ elg@bu.edu
> Boston University - Office of IT
>
**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:40 CDT
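
The /32 netmask and Mac exemption described in the message above, sketched as an ISC dhcpd.conf fragment. This is an added example, not the poster's configuration: the addresses, pool ranges, class name and the two Apple prefixes are assumptions, registered machines are assumed to have host declarations, and vendor-class-identifier is assumed to be the option the message refers to.

```conf
# Constructed example. 192.0.2.0/24 is a documentation range; the class name,
# pool ranges and OUI list are illustrative and not taken from the message.

# Macs: vendor class identifier starts with "Mac", or the hardware address
# carries an Apple-registered prefix. "hardware" is the type byte followed by
# the MAC, so the prefix is bytes 1-3. Two sample prefixes, not a full list.
class "apple-clients" {
    match if (substring(option vendor-class-identifier, 0, 3) = "Mac")
          or (substring(hardware, 1, 3) = 00:03:93)
          or (substring(hardware, 1, 3) = 00:0a:95);
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    option subnet-mask 255.255.255.0;

    # Registered machines (assumed to have host declarations): normal mask.
    pool {
        range 192.0.2.10 192.0.2.99;
        deny unknown-clients;
    }

    # Unregistered, non-Mac machines: a /32 mask leaves no on-link neighbours,
    # so every packet goes to the router, where filtering is applied. On a
    # hub-based segment this keeps hosts from reaching each other directly.
    pool {
        range 192.0.2.100 192.0.2.199;
        deny known-clients;
        deny members of "apple-clients";
        option subnet-mask 255.255.255.255;
        default-lease-time 300;   # short lease so the mask changes soon after registration
        max-lease-time 300;
    }

    # Unregistered Macs: exempt from the /32 mask, still in their own range
    # so the router can filter them by address.
    pool {
        range 192.0.2.200 192.0.2.249;
        allow members of "apple-clients";
        deny known-clients;
    }
}
```

Check the file with `dhcpd -t -cf <file>` before deploying, and confirm on a test client that the unregistered lease shows a 255.255.255.255 mask and the router as its only next hop.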