RE: NetReg: Host Jails


From: Steve Hideg (hideg@saintmarys.edu)
Date: Wed Dec 24 2003 - 00:15:16 CST


Agreed, since DHCP is a totally client-initiated protocol, the only
thing close to "real-time" client control via DHCP is tweaking the
lease times and depending on the clients to request renewals in a
timely manner.

We shouldn't forget that DHCP isn't a security control mechanism (or
one could say it's an extremely weak one). My mods to netreg--as well
as netreg itself--rely on DHCP compliance from the customer. That
hasn't been a problem with us fortunately. This is one of the few
times I welcome a higher level of ignorance on the part of the user
community.

Of course, shutting off the physical port is weak too, as the user
can simply try another one (perhaps not terribly conveniently). Using
DHCP prevents the machine from using any network jack, but it's still
very weak security.

So, you may want to use them together, as you said.

Our network admin has been looking into Perfigo network management products:

http://www.perfigo.com/prod_smartmanager.html

Though he was ostensibly considering it for our wireless
implementation, it can be used for wired networks as well (though
there are performance considerations since all packets to/from
managed ports have to go through the server(s) hardware and software).

With perfigo, you can ban a MAC address from all managed ports (or
only allow certain services, redirect to web pages, etc.) amongst
other things. You can also force user authentication to even use the
network at all (therefore, you can ban or limit specific users as
well as MAC addresses).

Anyway, we're brainstorming now to see how we might integrate netreg
and perfigo.

Our net admin likes netreg a lot. He's thinking of (me) implementing
it in some fashion for our entire campus.

++Steve

At 3:07 PM -0600 12/23/03, Frank Bulk wrote:
Chris:

You could automatically disable their port until the lease time has
expired, and then re-enable it.
Regards,

Frank

>>> cwieri39@calvin.edu Tuesday, December 23, 2003 2:46:13 PM >>>
>I did a presentation on my enhancements to netreg (including a virus
>"jail") at the 2003 ResNet conference.
>
>The presentation (in various formats) and source code are freely available
>at:
>
>http://www.saintmarys.edu/~hideg/netreg/
>
>Since that conference, I've enhanced the blocking mechanism further.
>Our administrators can now specify virus, DMCA, windows patch level,
>and a generic blocking reason, each with its own web page to redirect
>blocked machines to.

I am thinking about implementing NetReg on our ResNet and one of the big
things I'm concerned with is Virus Blocking. One of the Virus Blocking Caveats
mentioned in this presentation is Lease Time considerations. A virus like
Welchia can easily rip through a ResNet within just a few minutes. Does anyone
have any additional suggestions in quickly quarantining a machine that would
work better than waiting for the lease to expire? I really don't want to have
to have a 10 minute lease just to make quarantining users a bit quicker...

We have been using a home grown port-based registration system for about 5
years now. Since we have all Cisco equipment and have mapped all our ResNet
ports to the switch, we can quickly enable / disable ports for registration and
virus blocking. I'm afraid that when we move to NetReg I am going to regret
not having the ability to quickly turn off a port like I do now. I'd also not
have to quickly disable / re-enable a switch port in order to get the infected
machines to drop their lease more quickly.

Thanks for the insights.

Chris Wieringa
cwieri39@calvin.edu
Network Systems Engineer
Calvin College

**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu
containing a single line with the words:
unsubscribe netreg
Send requests for assistance to:
owner-netreg@southwestern.edu
**********************************************************************



This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:43 CDT