Firewall with MAC address ACL that is dynamic

Guest

Archived from groups: comp.security.firewalls

Any input is appreciated!

We are a small college in Kansas and need a way to force our users in
the dormitories to install our McAfee VirusScan software. We won't be
able to physically install it, or put them into a domain. Here is our
plan so far.

We have created a silent install of VirusScan that runs a batch file
after completion. This batch file records the computer's MAC address
to a text file on a remote server. This server has a python script
that runs frequently and can format the text file to our liking.

What we'd like is when the user first plugs in to our network and tries
to access a web site, they will get a default page (similar to what
most hotels have). This page will welcome them to our network and
provide a link to install the University supplied antivirus software.
After they approve the installation popups from their browser, they
would then have antivirus silently installed in the background. Their
computer would then automatically restart (via the batch file after
installation).

Now that their MAC address is in the text file on our server, we need
to allow them external network access. I've spoken with several people
about how to do this, but I'd really like more advice from others.

Right now our network looks like this:

4 T1's providing internet access to the "student network"
1 Tasman 1400 router (which is also the CSU for the T1's I think)
1 Cisco PIX 506E
Several Cisco 2900 series switches providing the network infrastructure
and a Windows 2000 DHCP server (which could also be an IIS web server)

We are prepared to build a new box to act as a proxy, firewall, or
router, whichever is needed. I'm not picky as to whether it is Linux
or Windows.

We have a limited budget (almost $0).

If we can somehow get the PIX or Tasman to redirect all traffic not
coming from MACs on our list to the web server with the download link,
then allow all traffic that IS on the MAC list, that would be perfect.
We just don't know how to set up an ACL or something that checks an
external list.
 
Guest

Well we HAVE to do something. Not ALL students have antivirus
installed, or don't update it regularly. We don't have the staff to
visit each machine to check for these things.

The problem is, that last spring our ISP was 2 days away from closing
our connection due to virus activity and traffic coming from our
network. Would it be better for us just to set up snort or something
on that network to detect virus/trojan activity? Then we would just
record the MAC address of the infected machine, and disable their port
on the Cisco switch? Then what..... tell the student they aren't
allowed back on until what? We would still have to go check their
machine wouldn't we? I'm really new to the University IT field (I
worked in healthcare before and didn't have to worry about students'
rights). We get the McAfee cheap (like $1.25 each) for students
because of our site license for the campus network.
 
Guest

In article <1127925275.618407.237510@g14g2000cwa.googlegroups.com>,
bjriffel@hotmail.com says...
> We have created a silent install of VirusScan that runs a batch file
> after completion. This batch file records the computer's MAC address
> to a text file on a remote server. This server has a python script
> that runs frequently and can format the text file to our liking.

Bad move - many people don't run or like McRappy software, and my
experience with OSU students is that it doesn't do anywhere near a good
job protecting students' systems.

You also don't want to force anyone to install AV software when they may
already have another AV product installed.

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <1127927212.246999.100000@g43g2000cwa.googlegroups.com>,
bjriffel@hotmail.com says...
> Well we HAVE to do something. Not ALL students have antivirus
> installed, or don't update it regularly. We don't have the staff to
> visit each machine to check for these things.

Yep, that's how we got the accounts for the OSU sororities - viruses
with SMTP engines.

Have you considered that you can stop outbound 135~139, 445, 1433, 1434,
and even SMTP except from the Univ smtp server? If you do this, it's
about 90% of what goes outbound from kids machines.

> The problem is, that last spring our ISP was 2 days away from closing
> our connection due to virus activity and traffic coming from our
> network. Would it be better for us just to set up snort or something
> on that network to detect virus/trojan activity? Then we would just
> record the MAC address of the infected machine, and disable their port
> on the Cisco switch?

That's how we do it - we monitor ALL IP:port traffic, if it is abnormal
we block their MAC/IP until they contact us :) They can get around the
local network, but no PUBLIC access until the problem is corrected.

> Then what..... tell the student they aren't
> allowed back on until what? We would still have to go check their
> machine wouldn't we? I'm really new to the University IT field (I
> worked in healthcare before and didn't have to worry about students
> rights). We get the McAfee cheap (like $1.25 each) for students
> because of our site license for the campus network.

If you have them install the AV software or get their machine cleaned -
doesn't matter how, then let them back out and see if it's still a
problem, then the second offense means they don't get connected until
they pay you to check/fix it.


--

spam999free@rrohio.com
remove 999 in order to email me
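One way to build what the original post asks for on the spare Linux box, combining the dynamic MAC list with the outbound port blocks suggested in this reply. This is an added example, not code from the thread; the interface name, portal address and campus mail-relay address are assumptions.

```python
"""Added example (not from the thread): turn the MAC text file that the
silent-install batch job appends to into an iptables-restore ruleset for a
Linux box on the dorm segment (it must see the students' own frames, since
-m mac matches the frame's source MAC). IFACE, PORTAL, UNIV_SMTP are assumed."""
import re

IFACE = "eth1"            # assumption: interface facing the dorm switches
PORTAL = "10.1.1.10"      # assumption: the IIS box serving the download link
UNIV_SMTP = "10.1.1.25"   # assumption: the university's mail relay
BLOCKED_TCP = ["135:139", "445", "1433", "1434"]   # ports named in the thread
BLOCKED_UDP = ["135:139", "445", "1434"]
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(token):
    """00-11-22-33-44-55, 00:11:..., or 001122334455 -> 00:11:22:33:44:55;
    anything else (a stray ipconfig line, a typo) -> None."""
    token = token.strip()
    if not MAC_RE.match(token):
        return None
    digits = re.sub(r"[:-]", "", token).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_macs(text):
    """One MAC per line; junk skipped, duplicates removed (a machine that
    reinstalls registers twice)."""
    return sorted({m for m in map(normalize_mac, text.splitlines()) if m})

def build_ruleset(macs):
    """Registered MACs pass, minus the egress ports the thread lists and SMTP
    to anything but the campus relay; everyone else only reaches the portal.
    Thread caveats still apply: a cloned MAC passes, a NAT router hides the PC."""
    nat = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
           ":OUTPUT ACCEPT [0:0]"]
    filt = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]",
            ":OUTPUT ACCEPT [0:0]", ":STUDENT - [0:0]",
            "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for mac in macs:   # RETURN in a built-in chain falls through to its ACCEPT policy
        nat.append(f"-A PREROUTING -i {IFACE} -m mac --mac-source {mac} -j RETURN")
        filt.append(f"-A FORWARD -i {IFACE} -m mac --mac-source {mac} -j STUDENT")
    nat.append(f"-A PREROUTING -i {IFACE} -p tcp --dport 80 -j DNAT --to-destination {PORTAL}:80")
    filt.append(f"-A FORWARD -i {IFACE} -d {PORTAL} -p tcp --dport 80 -j ACCEPT")
    filt += [f"-A STUDENT -p tcp --dport {p} -j DROP" for p in BLOCKED_TCP]
    filt += [f"-A STUDENT -p udp --dport {p} -j DROP" for p in BLOCKED_UDP]
    filt.append(f"-A STUDENT -p tcp --dport 25 ! -d {UNIV_SMTP} -j DROP")
    filt.append("-A STUDENT -j ACCEPT")
    return "\n".join(nat + ["COMMIT"] + filt + ["COMMIT"]) + "\n"
```

Run it from cron against the registration file and feed the output to iptables-restore; because the whole table is rewritten each time, a MAC removed from the file loses access on the next run.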
 
Guest

In article <1127925275.618407.237510@g14g2000cwa.googlegroups.com>,
bjriffel@ho__tmail.com <bjriffel@hotmail.com> wrote:
:We are a small college in Kansas and need a way to force our users in
:the dormitories to install our McAfee VirusScan software.

Does your usage agreement prohibit non-Windows machines, or non-PCs ?
Did you manage to find McAfee VirusScan for Solaris, SGI IRIX,
Mac OS9, Mac OSX, Playstation, Blackberry, Palm Tungsten ?

:We have created a silent install of VirusScan that runs a batch file
:after completion. This batch file records the computer's MAC address
:to a text file on a remote server.

So if I change my NIC, or accidentally connect into the second ethernet
port on my computer, or I install a firewall or router or wireless,
then I have to re-register? And in the case of a firewall or router,
the registration will fail because the MAC seen on the other side of the
device is not the same as the MAC of the computer?


:What we'd like is when the user first plugs in to our network and tries
:to access a web site, they will get a default page (similar to what
:most hotels have). This page will welcome them to our network and
:provide a link to install the University supplied antivirus software.
:After they approve the installation popups from their browser, they
:would then have antivirus silently installed in the background.

Unless, that is, they just copied a MAC address from another system,
seeing as nearly all systems these days have the capability...
>Their
>computer would then automatically restart (via the batch file after
>installation).
>
>Now that their MAC address is in the text file on our server, we need
>to allow them external network access. I've spoken with several people
>about how to do this, but I'd really like more advice from others.
>
>Right now our network looks like this:
>
>4 T1's providing internet access to the "student network"
>1 Tasman 1400 router (which is also the CSU for the T1's I think)
>1 Cisco PIX 506E
>Several Cisco 2900 series switches providing the network infrastructure
>and a Windows 2000 DHCP server (which could also be an IIS web server)
>
>We are prepared to build a new box to act as a proxy, firewall, or
>router, whichever is needed. I'm not picky as to whether it is Linux
>or Windows.
>
>We have a limited budget (almost $0).
>
>If we can somehow get the PIX or Tasman to redirect all traffic not
>coming from MACs on our list to the web server with the download link,
>then allow all traffic that IS on the MAC list, that would be perfect.
>We just don't know how to set up an ACL or something that checks an
>external list.
>


--
Watch for our new, improved .signatures -- Wittier! Profounder! and
with less than 2 grams of Trite!
 
Guest

bjriffel@ho__tmail.com <bjriffel@hotmail.com> wrote:
> We are a small college in Kansas and need a way to force our users in
> the dormitories to install our McAfee VirusScan software.

Why?

Most operating systems don't need such a software program. And if
people are good with Windows, then they don't need one either.

Yours,
VB.
--
MAC filtering protects against "hackers" about as well as newsprint
protects against an atomic bomb.
- Christian Forler in de.comp.security.misc
 
Guest

bjriffel@ho__tmail.com <bjriffel@hotmail.com> wrote:
> The problem is, that last spring our ISP was 2 days away from closing
> our connection due to virus activity and traffic coming from our
> network.

If users already have compromised systems, then installing an Anti-Virus
program will not solve this problem any more:

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Yours,
VB.
--
MAC filtering protects against "hackers" about as well as newsprint
protects against an atomic bomb.
- Christian Forler in de.comp.security.misc
 
Guest

bjriffel@ho__tmail.com <bjriffel@hotmail.com> wrote:
> Would it be better for us just to set up snort or something
> on that network to detect virus/trojan activity?

Yes. You could use a sniffer to detect that and to block the IP of the
user and inform her/him.

Yours,
VB.
--
MAC filtering protects against "hackers" about as well as newsprint
protects against an atomic bomb.
- Christian Forler in de.comp.security.misc
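The "watch all IP:port traffic and block the abnormal host" approach from the earlier reply and the sniffer suggestion in this one, as an added example that is not from the thread. The flow records, the DHCP lease table and the fan-out thresholds are constructed; the two patterns it looks for are the ones the thread complains about, a machine with its own SMTP engine and a machine sweeping 135-139/445.

```python
"""Added example (not from the thread): flag dorm hosts whose traffic looks
like a worm, from flow records of the kind a sniffer or router export gives.
A host that opens SMTP to many distinct servers in a short window, or that
touches many hosts on 135-139/445, is reported with its MAC so the switch
port or address can be blocked until the owner calls in."""
from collections import defaultdict

WINDOW = 60                                         # seconds; assumed
THRESHOLDS = {25: 10, 135: 20, 139: 20, 445: 20}    # distinct dests; assumed

# Constructed sample flows: "epoch src dst proto dport", one line per flow.
SAMPLE_FLOWS = [f"1127925{i:03d} 10.2.0.7 198.51.100.{i} tcp 25" for i in range(1, 13)]
SAMPLE_FLOWS += ["1127925005 10.2.0.9 10.1.1.25 tcp 25",   # normal: campus relay
                 "1127925010 10.2.0.9 203.0.113.9 tcp 80"]
SAMPLE_FLOWS += [f"1127925{100 + i:03d} 10.2.0.11 10.2.{i}.1 tcp 445" for i in range(1, 25)]
# Constructed DHCP lease table, so the alert names the MAC to shut off.
LEASES = {"10.2.0.7": "00:11:22:33:44:55", "10.2.0.9": "00:11:22:33:44:66",
          "10.2.0.11": "AA:BB:CC:DD:EE:FF"}

def find_abnormal(flows, leases, window=WINDOW, thresholds=THRESHOLDS):
    """Return {src_ip: (mac, dport, n_dests)} for every source whose number of
    distinct destinations on a watched port reaches the threshold inside any
    sliding window of `window` seconds; n_dests is the largest count seen."""
    seen = defaultdict(list)            # (src, dport) -> [(ts, dst), ...]
    for line in flows:
        ts, src, dst, proto, dport = line.split()
        dport = int(dport)
        if proto == "tcp" and dport in thresholds:
            seen[(src, dport)].append((int(ts), dst))
    alerts = {}
    for (src, dport), events in seen.items():
        events.sort()                   # records may arrive out of order
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1                 # slide the window's left edge
            n = len({dst for _, dst in events[lo:hi + 1]})
            if n >= thresholds[dport] and n > alerts.get(src, ("", 0, 0))[2]:
                alerts[src] = (leases.get(src, "unknown"), dport, n)
    return alerts
```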
 

Speeder

On 28 Sep 2005 10:06:52 -0700, "bjriffel@ho__tmail.com"
<bjriffel@hotmail.com> wrote:

>Well we HAVE to do something. Not ALL students have antivirus
>installed, or don't update it regularly. We don't have the staff to
>visit each machine to check for these things.
>
>The problem is, that last spring our ISP was 2 days away from closing
>our connection due to virus activity and traffic coming from our
>network. Would it be better for us just to set up snort or something
>on that network to detect virus/trojan activity? Then we would just
>record the MAC address of the infected machine, and disable their port
>on the Cisco switch? Then what..... tell the student they aren't
>allowed back on until what? We would still have to go check their
>machine wouldn't we? I'm really new to the University IT field (I
>worked in healthcare before and didn't have to worry about students
>rights). We get the McAfee cheap (like $1.25 each) for students
>because of our site license for the campus network.

Just on a side note, whatever you do, make sure you anticipate it with
some sort of communication campaign. Explain the problem, what is the
plan to correct it and what are the consequences of not complying.
Give time for them to digest it all and implement it in phases.

You are dealing with people not computers. Education is really what
students need (backed by firm policies). By creating a healthful
relationship with your user base I'm sure you'll be closer to success
and contributing to their development to becoming responsible adults.
 
Guest

In article <1127927212.246999.100000@g43g2000cwa.googlegroups.com>,
bjriffel@ho__tmail.com <bjriffel@hotmail.com> wrote:
:The problem is, that last spring our ISP was 2 days away from closing
:our connection due to virus activity and traffic coming from our
:network.

:>We have a limited budget (almost $0)

Next time, allow the ISP to close the network connection, and
save up the ISP connection fees until you can afford to put in
a rate shaper or firewall with AV (but first send a CYA letter
to whoever has budget control, telling them this is what may happen.)

Unless it is your department's fault that you do not have sufficient
funding to do everything you are mandated to do, then pass the buck.
Make it clear to those above that they have made an administrative
decision in their budget allocations, and that those decisions can have
consequences, including loss of connectivity for several weeks or months.

*You* didn't make the decision on the budget, right? So in working
within the budget you have been given, you are following orders.
Your job is not to circumvent the orders, but rather to warn of the
consequences if the orders (budget) are not changed.
--
Watch for our new, improved .signatures -- Wittier! Profounder! and
with less than 2 grams of Trite!
 