Residence Halls at College

VeeDubbs

HI All -

This topic may have been visited once before, but I think I'm going to ask it again.

If at a college campus, what are you guys doing in your residence halls? For example, we have every student register their machine through NetReg. The NetReg agent checks their machines for Symantec Antivirus, virus definitions from within the past 30 days and other various things. The thing is, this is only for Windows machines. Computers with OS X or Linux just register, no running the agent. And all the gaming consoles are just registered by staff when the student fills out the appropriate paper work. All we really need is a MAC address -- and for all we know the student could have put the MAC of their computer -- we don't really check into it all that much.

What I'm getting at is, NetReg causes us (read me) a lot of grief. Especially the beginning of every year when Freshmen come in as do all the returning students. Long lines at the library with people needing help to get registered and yadda yadda yadda.

So, again, what is everyone else doing? Same thing basically? Nothing? Something much simpler?

I'd love to hear it!
 
Sounds just like my campus. It sucks. Our netreg software screws up on 64-bit machines all the time. Oh well, not my department.
 
Would it be possible to have something like a 5 or 7 day grace period where you don't have to register, and then have people come in groups organized by student number, or the first letter of their last name?

Then once the grace period is over, if you haven't registered the student is blocked.
 
At MSU we would just have people go online and read the AUP after signing into our DHCP page, then the registration would be complete. We didn't do any big brother checking on people. At the same time we didn't provide any support for routers or gaming consoles. So either you needed to have a browser on your console, or be intelligent enough to clone the MAC to a computer to register that system, otherwise you were kind of stuck. Granted this was a school with 15k+ living on campus.
 
A current co-worker used to be the director of IT at a local college here. The way that they did it was this:

Metro eNet Split 80/20 from campus / dorms.

Dorms were fed through an Untangle virtual machine (at the time they were roughly 5-10 servers away from being completely virtual) on the network with the web filter for obvious reasons, and the reporting. If the students needed access to items on the local network they had to log into Citrix Web Gateway and access their student items that way. All secure with AV and such for the internal network, and the "dorm" access was segmented away from the school's regular network.


Another situation when I was going to school is the college provided wifi for all of the students and staff. Staff would get onto the wireless and if your MAC address was in the RADIUS server you got access to all of the servers, mail, etc., but if your MAC was not in the server you could only access the internet, and if you wanted mail or other items you would have to log into the school's terminal server or OWA for Exchange.


Personally, here is what I would look at doing:

1. Segment (VLAN or physically move, sorry if this step is done) dorms from the regular campus network
2. Sign an acceptable use policy to not download illegal items, yadda yaddy yadda, your AV has to be up to date, your PC screws up, sorry
3. Talk with the ISP and see if you can split up bandwidth 80/20 (or whatever you feel is appropriate). If not you probably have a network guy in house that can tweak your edge routers to do what you need them to do as well
4. Implement Untangle with the AV blocker, phish blocker, basic web filter, and reports (to see who is still breaking the rules) (There are other distros out there that will do the same thing, but for me in this situation Untangle is simple to set up and quick to get running)
5. Watch for shorter lines for freshmen and returning students who don't have to re-register MACs

Just my 2 cents and hopefully it's of some value to you
 
Last time I had to deal with this kind of stuff was over 10 years ago, but anyway... You should look into automating the registration for the game consoles. In theory all the game consoles should start out with the same MAC address (per MAC addressing standards). Same with Apple Macs. As for the *NIX users, well, they'll have to register the same. The only real trouble you'll be running into are hackintoshes.
 
Yeah, I will be attending a college this fall that has this. Nice to know the system is problem free...
 
What is your main objective, to control each student, to filter sites, to inventory all systems, to ensure av is up to date, or?
 
I do not understand the purpose of MAC address registering. Except for connecting to the wireless network I would always just register one computer, but then set up a router in place that would allow 20 more connections to connect through my network drop.
 
I do not understand the purpose of MAC address registering. Except for connecting to the wireless network I would always just register one computer, but then set up a router in place that would allow 20 more connections to connect through my network drop.

It's to keep people like you in check.
 
It's to keep people like you in check.


Even then it truly doesn't. Otherwise we wouldn't be bringing it up at all in this conversation. Student registers their MAC. Clones it to their wireless router and bam, one more little network off from your existing network.

I think if you're going to run dorms you want to make that process as painless as possible. Waiting in line to register the MAC of your computer is kind of painful for someone who has no idea what a MAC address is in the first place, let alone easy ways of finding it. Segment your network and use some sort of appliance at the door of the student networks.
 
MAC filtering isn't a good way to do your wireless auth, easy to spoof a MAC address and BAM you're in?
 
Generally speaking though, the college IT have the ability to go and physically check whether the person is abiding by the rules. Also keep in mind, the college can easily throttle the bandwidth at a per user level, making it slow to a crawl when 2+ people are connected.
 
Generally speaking though, the college IT have the ability to go and physically check whether the person is abiding by the rules. Also keep in mind, the college can easily throttle the bandwidth at a per user level, making it slow to a crawl when 2+ people are connected.

10 mb half duplex.. ahh the good ole days
 
Generally speaking though, the college IT have the ability to go and physically check whether the person is abiding by the rules. Also keep in mind, the college can easily throttle the bandwidth at a per user level, making it slow to a crawl when 2+ people are connected.

You can do this without needing that registration software.
 
Generally speaking though, the college IT have the ability to go and physically check whether the person is abiding by the rules. Also keep in mind, the college can easily throttle the bandwidth at a per user level, making it slow to a crawl when 2+ people are connected.

If you work at a small college maybe, but at the university level it isn't exactly feasible.

The reasoning behind the MAC address registering was explained to me that it forces them to agree to our Acceptable Use Policy. I almost think that might be a strawman argument.
 
What is your main objective, to control each student, to filter sites, to inventory all systems, to ensure av is up to date, or?

The main objective is twofold. 1) track students -- so we have usernames connected to MAC addresses. 2) Ensure AV is up-to-date -- but again, this only applies to Windows machines. I guess its original intent was to help with virus outbreaks -- this was before my time. I'm just wondering what other places are doing and seeing if I can get any info for a new process, etc...

Everybody speaking about MAC filtering for wireless, that is NOT our purpose. Our wireless is completely open. As is the web -- we do not do any type of filtering.
 
Our college uses Cisco Clean Access in combination with Novell for all the printer/student folders/student logins and it seems to work decently. Again only for the windows machines. Macs/other machines get thrown a login page that they have to login with their student ID but that is it.

Kinda annoying that the Windows machines get scrutinized but the Macs don't... and it does cause some issues, as the Macs get files with viruses or other things and then tend to spread them to other machines when kids share stuff and such.
 
To help mitigate the long process of registering devices you could put up stupid easy guides on how to get the needed information for the more common devices: PS3s, 360s, PCs/Macs. I know it sounds low tech but, this should help things a bit for your situation.
 
I'm a student not IT staff, but if I had to design a system like this it would be roughly:

No MAC filtering or registering or any of that BS - MACs are easy to change/clone and you'll get at least a couple of people complicating the situation with multiple machines, consoles etc as mentioned already. No "you must run this AV" either, or running spyware on their machines to make sure they play ball.

Just take a "this is your RJ45 port and it's your responsibility" approach - at the start of the year they sign the agreement that whatever goes on the end of that port is their responsibility, so if they're up for setting up their own router in their room, fine, but if someone else breaks in because they introduced a weak WAP then that's their fault.
Each port is its own VLAN, assigned a fixed IP by central DHCP, has a set bandwidth limit and can only see the outside world (no other rooms, file servers etc. - if they want these they log in as if they were truly remote, e.g. webmail, VPN).
 
We use Netreg, but allow students to log into a page and manually netreg a console also.
We also limit their ports to 2 MAC addresses, so if it sees more (i.e. a router with multiple machines) we get a notification and shut their port and make them remove the offending hardware.
 
If they use an actual router only the MAC Address of the router will show up on the port.
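The two-MACs-per-port check the poster above describes, and the catch raised right after it (a NAT router shows up as a single MAC), as an added example that is not part of either post. The code parses a constructed Cisco-style `show mac address-table` dump, flags access ports that learned more than the limit, and adds a TTL heuristic for the router case; the table contents, the limit of 2, the uplink port name and the flow samples are all assumptions, not data from the thread.

```python
"""
Added example (not from the forum thread): flag residence-hall switch ports that
learn more MAC addresses than the per-port limit, plus a TTL heuristic for the
case where a NAT router hides several machines behind one MAC.

Assumptions (not from the page): the input is the text of a Cisco-style
'show mac address-table' dump, the per-port limit is 2, and the uplink port
name (Gi1/0/48) is known and excluded from the check.
"""
import re
from collections import defaultdict

# Constructed sample output in the common Cisco format (not captured from any real switch).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 110    0011.2233.4455    DYNAMIC     Gi1/0/1
 110    0011.2233.4466    DYNAMIC     Gi1/0/1
 110    0011.2233.4477    DYNAMIC     Gi1/0/1
 110    00aa.bbcc.dd01    DYNAMIC     Gi1/0/2
 110    00aa.bbcc.dd02    DYNAMIC     Gi1/0/2
 110    00de.adbe.ef03    DYNAMIC     Gi1/0/3
 110    0099.8877.6655    DYNAMIC     Gi1/0/48
 110    0099.8877.6656    DYNAMIC     Gi1/0/48
 110    0099.8877.6657    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 9
"""

# One table row: vlan, dotted-hex MAC, type, port. Header/footer lines do not match.
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<kind>\w+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)


def parse_mac_table(text):
    """Map each port to the set of MACs learned on it, skipping headers and totals."""
    per_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            per_port[m.group("port")].add(m.group("mac").lower())
    return dict(per_port)


def find_violations(per_port, limit=2, uplinks=frozenset()):
    """Return [(port, mac_count)] for access ports over the limit, worst first."""
    hits = [(port, len(macs)) for port, macs in per_port.items()
            if port not in uplinks and len(macs) > limit]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# Common initial IP TTLs (Linux/macOS 64, Windows 128, some network gear 255).
INITIAL_TTLS = {64, 128, 255}


def looks_natted(ttl):
    """Heuristic: a router decrements TTL once, so 63/127/254 hints at a hop behind the port.
    It is only a hint: hosts can set any initial TTL, so use it to pick ports to look at."""
    return ttl not in INITIAL_TTLS and (ttl + 1) in INITIAL_TTLS


def natted_sources(flows):
    """flows: iterable of (src_ip, ttl) as seen at the dorm gateway. Return sorted suspect IPs."""
    return sorted({ip for ip, ttl in flows if looks_natted(ttl)})


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, count in find_violations(table, limit=2, uplinks={"Gi1/0/48"}):
        print(f"{port}: {count} MACs learned, over limit -> shut port and notify")
    # Constructed flow samples: 10.1.1.5 is a plain Windows host (TTL 128),
    # 10.1.1.7 sits behind a consumer router (TTL 127 after one decrement).
    print(natted_sources([("10.1.1.5", 128), ("10.1.1.7", 127), ("10.1.1.9", 64)]))
```

The MAC count only catches a switch or hub in the room; a consumer router NATs everything behind its own WAN MAC, which is why the second check looks at TTL at the gateway instead. Treat both as triggers for a look at the port, not as proof.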
 
To help mitigate the long process of registering devices you could put up stupid easy guides on how to get the needed information for the more common devices: PS3s, 360s, PCs/Macs. I know it sounds low tech but, this should help things a bit for your situation.

We already do this. I should have said this, the system itself does what it was setup to do. Most problems occur when the users (the students!) don't read instructions -- all the way or at all! The NetReg page itself has very detailed instructions. We have a CD with the antivirus, service packs, etc. on it that actually opens to a web page of instructions. So, students come to the library because they either don't read, assume we'll do it for them or (especially for incoming freshmen!) their parents come and attempt to do it for them!

I like the idea of completely getting rid of any type of system like this. Currently, each residence hall is on its own VLAN. Would putting each port on its own VLAN help in any way?
 
HI All -

This topic may have been visited once before, but I think I'm going to ask it again.

If at a college campus, what are you guys doing in your residence halls? For example, we have every student register their machine through NetReg. The NetReg agent checks their machines for Symantec Antivirus, virus definitions from within the past 30 days and other various things. The thing is, this is only for Windows machines. Computers with OS X or Linux just register, no running the agent. And all the gaming consoles are just registered by staff when the student fills out the appropriate paper work. All we really need is a MAC address -- and for all we know the student could have put the MAC of their computer -- we don't really check into it all that much.

What I'm getting at is, NetReg causes us (read me) a lot of grief. Especially the beginning of every year when Freshmen come in as do all the returning students. Long lines at the library with people needing help to get registered and yadda yadda yadda.

So, again, what is everyone else doing? Same thing basically? Nothing? Something much simpler?

I'd love to hear it!

Game consoles used have to be manually registered but now it's online and instantaneous. We have netreg too but it's ridiculously easy to bypass. Assign yourself a static IP and you're free of netreg and bandwidth limits ;).
 
Just take a "this is your RJ45 port and it's your responsibility" approach - at the start of the year they sign the agreement that whatever goes on the end of that port is their responsibility...

All fine and dandy until some idiot gets infected with a trojan and starts spamming or becomes a botnet and the university's IPs are blacklisted, creating more of a headache for the IT staff.

Even in college a lot of kiddies are still computer clueless and still think kazaa is the best way to get music.
 
All fine and dandy until some idiot gets infected with a trojan and starts spamming or becomes a botnet and the university's IPs are blacklisted, creating more of a headache for the IT staff.

Even in college a lot of kiddies are still computer clueless and still think kazaa is the best way to get music.

Exactly. There are a few very computer savvy students that we could care less about. We are very aware that NetReg is very easy to get around. And trust me, if a student is clever enough to know to set a certain static IP to get around NetReg, they're probably smart enough to keep their AV up-to-date.

It's the other kids as osrk mentioned. People who click on any random link or open any random attachment. Those are the people we are concerned with.
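The static-IP bypass a student mentions above (and the OP acknowledges) leaves a trace: a host on the wire with no matching DHCP lease. As an added example that is not part of any post here, the following compares the gateway's neighbour table against the DHCP lease file and the registration database and classifies every live host. The data formats (Linux `ip neigh` output, dnsmasq-style leases, a MAC-to-username mapping), the addresses and the usernames are all assumptions constructed for the example, not from the thread.

```python
"""
Added example (not from the forum thread): find hosts that sidestep a DHCP-gated
registration system by setting a static IP, and hosts squatting on an address
that is leased to somebody else.

Assumptions (not from the page): the gateway's neighbour table is Linux
'ip neigh' output, the DHCP server writes dnsmasq-style leases, and the
registration system can be exported as a MAC -> username mapping.
"""
import re

# Constructed sample data, not captured from any real network.
LEASES = """\
1700000000 00:11:22:33:44:55 10.20.1.10 desk-pc 01:00:11:22:33:44:55
1700000000 00:11:22:33:44:66 10.20.1.11 laptop *
1700000000 00:11:22:33:44:77 10.20.1.12 * *
"""
NEIGH = """\
10.20.1.10 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
10.20.1.11 dev eth1 lladdr 00:11:22:33:44:66 STALE
10.20.1.12 dev eth1 lladdr 00:11:22:33:44:88 REACHABLE
10.20.1.200 dev eth1 lladdr 00:de:ad:be:ef:01 REACHABLE
10.20.1.201 dev eth1 lladdr 00:11:22:33:44:99 REACHABLE
10.20.1.254 dev eth1 lladdr 00:00:5e:00:01:01 PERMANENT
"""
REGISTERED = {  # MAC -> username from the registration system (constructed)
    "00:11:22:33:44:55": "jsmith", "00:11:22:33:44:66": "jsmith",
    "00:11:22:33:44:77": "mjones", "00:11:22:33:44:99": "kdoe",
}
GATEWAY_MACS = {"00:00:5e:00:01:01"}  # our own gateway/VRRP address, never a client


def parse_leases(text):
    """dnsmasq lease line: <expiry> <mac> <ip> <hostname> <client-id>. Return ip -> mac."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            leases[parts[2]] = parts[1].lower()
    return leases


# 'ip neigh' line with a resolved MAC; FAILED/INCOMPLETE entries have no lladdr and are skipped.
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev \S+ lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$",
                      re.IGNORECASE)


def parse_neigh(text):
    """Return [(ip, mac)] for every neighbour entry that carries a MAC."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out.append((m.group("ip"), m.group("mac").lower()))
    return out


def audit(neigh, leases, registered, ignore=frozenset()):
    """Classify every live neighbour. Returns ip -> (verdict, mac, owner or None)."""
    result = {}
    for ip, mac in neigh:
        if mac in ignore:
            continue
        owner = registered.get(mac)
        leased_to = leases.get(ip)
        if leased_to == mac:
            verdict = "ok" if owner else "leased-but-unregistered"
        elif leased_to is None:
            verdict = "static-ip-no-lease"        # the registration/rate-limit bypass
        else:
            verdict = "ip-conflict-or-spoof"      # somebody else holds this lease
        result[ip] = (verdict, mac, owner)
    return result


def suspects(result):
    """IPs that need a look, sorted for a ticket."""
    return sorted(ip for ip, (verdict, _, _) in result.items() if verdict != "ok")


if __name__ == "__main__":
    report = audit(parse_neigh(NEIGH), parse_leases(LEASES), REGISTERED, ignore=GATEWAY_MACS)
    for ip in suspects(report):
        verdict, mac, owner = report[ip]
        print(f"{ip:<14} {mac}  {verdict:<24} owner={owner or 'unknown'}")
```

In the sample, 10.20.1.201 belongs to a registered user who simply set a static address to escape the DHCP-enforced limits, which is exactly the case the student describes; 10.20.1.200 is an unknown machine, and 10.20.1.12 is a MAC squatting on an address leased to someone else. On Cisco access switches the same condition can be enforced rather than just reported with DHCP snooping plus IP source guard (`ip dhcp snooping` and `ip verify source` on the access ports), which drop traffic from addresses that never came from the DHCP server.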
 
I would be concerned with torrents also........... not just music sharing sites like Kazaa. Some colleges set up their own campus-wide torrents.
 
We already do this. I should have said this, the system itself does what it was setup to do. Most problems occur when the users (the students!) don't read instructions -- all the way or at all! The NetReg page itself has very detailed instructions. We have a CD with the antivirus, service packs, etc. on it that actually opens to a web page of instructions. So, students come to the library because they either don't read, assume we'll do it for them or (especially for incoming freshmen!) their parents come and attempt to do it for them!

I like the idea of completely getting rid of any type of system like this. Currently, each residence hall is on its own VLAN. Would putting each port on its own VLAN help in any way?

Putting each port on its own VLAN would be a good solution, as hosts on the dorm network wouldn't be able to communicate with each other. Anything that uses the local LAN as an infection vector would be blocked, because the only thing that would be on that particular VLAN would be the host itself, and the gateway. As long as the latest variant of Vundo or Conficker or what have you doesn't infect IOS you should be fine :)

Also, each port on its own VLAN should inhibit fun things like DC++ from using up traffic on the dorm network. I've heard this setup recommended in a prior thread for setting up PCs in a campus network (it was technically a motel, however, similar principles.)
 
Putting each port on its own VLAN would be a good solution, as hosts on the dorm network wouldn't be able to communicate with each other. Anything that uses the local LAN as an infection vector would be blocked, because the only thing that would be on that particular VLAN would be the host itself, and the gateway.

That would be the reason I used slackware when I was on campus. A few nasty bugs that the shitty AV they required couldn't squish were running rampant for a semester before the IT dept. finally cleaned up their servers over the holidays. People could only use the 'guest' wireless in the libraries or the library computers (student ID# only, no regnet bullshit), which were all handled by a separate IT department which only handled the libraries (several libraries spanning multiple locations on and off campus ftw I guess)
 
All fine and dandy until some idiot gets infected with a trojan and starts spamming or becomes a botnet and the university's IPs are blacklisted, creating more of a headache for the IT staff.

Even in college a lot of kiddies are still computer clueless and still think kazaa is the best way to get music.

I'm pretty sure it would take a bit more than a couple of students' machines getting infected (which there would be, statistically) to get an academic network blacklisted. Plus plenty of students torrent and what-not from halls (from my experience anyway) and not much comes of it. Depends where you are I suppose.

Yes, botnets are unwanted and produce lots of nasty traffic, but if you're monitoring it (not rigorously, but looking out for things like email servers in dorm rooms :D) then you should be able to shut off that port pretty quickly and have a chat to the user.
 
I'm pretty sure it would take a bit more than a couple of students' machines getting infected (which there would be, statistically) to get an academic network blacklisted. Plus plenty of students torrent and what-not from halls (from my experience anyway) and not much comes of it. Depends where you are I suppose.

I would have to agree. It would seem to me that most larger colleges are practically their own ISP in some ways. The chances of them getting blacklisted, like the regular home users are, I would think, pretty slim.

I know when I was going to college we were a hub point for ICN. Because of that we also got some perks out of using their internet and since it was in the basement just a couple of fiber runs upstairs and we had 15-18 mb of internet
 
All fine and dandy until some idiot gets infected with a trojan and starts spamming or becomes a botnet and the university's IPs are blacklisted, creating more of a headache for the IT staff.

Even in college a lot of kiddies are still computer clueless and still think kazaa is the best way to get music.

I have a friend who still uses ares :rolleyes:
 
At Purdue we just had a little web form that you would log into so the university would know which MAC address to bind to your account (usually a router for most people). Wasn't intrusive at all.

Edit:
Just take a "this is your RJ45 port and it's your responsibility" approach - at the start of the year they sign the agreement that whatever goes on the end of that port is their responsibility, so if they're up for setting up their own router in their room, fine, but if someone else breaks in because they introduced a weak WAP then that's their fault.
Each port is it's own VLAN, assigned a fixed IP by central DHCP, has a set bandwidth limit and can only see the outside world (no other rooms, file servers etc - if they want these they login as if they were truly remote, e.g. webmail, VPN).

This is pretty much exactly how it works
 
Just take a "this is your RJ45 port and it's your responsibility" approach - at the start of the year they sign the agreement that whatever goes on the end of that port is their responsibility, so if they're up for setting up their own router in their room, fine, but if someone else breaks in because they introduced a weak WAP then that's their fault.
Each port is it's own VLAN, assigned a fixed IP by central DHCP, has a set bandwidth limit and can only see the outside world (no other rooms, file servers etc - if they want these they login as if they were truly remote, e.g. webmail, VPN).

That's more or less how we run our residential network where I work, but with a few differences...

Randomized DHCP leases based off the VLAN for everybody, all student-to-student traffic is 100% denied--unicast and broadcast. In areas with newer gear like Cisco 3560/3750s, we use private VLANs and assign one VLAN tag and subnet to one specific wing of the building. Buildings with older gear like Cisco 3500/3550s have one VLAN per switch, and use the "port protected" feature to keep them out of each other's business. ACLs at the dist/core layers take care of inter-VLAN routing and everybody's happy... except for the small handful of people that actually thought we were going to let them run gaming servers just because we have a fat pipe--tough shit.

There's no point in messing around with DHCP reservations to tie a specific address to a specific port, it's just not scalable. Same problem with the one-VLAN-per-port theory (I hear this often.) There's a hard limit of 4094 VLANs you can define for any given area before popping tags, and good luck keeping track of what goes where. When you have a few thousand endpoints, it will all spiral out of control and NOBODY wants to write that config. :eek:

Regarding bandwidth limits, we don't run any hard limits, but we do give queuing priority to latency sensitive traffic and put per-user rate limits on bursty flows to keep them in line. (patch tuesday was a nightmare before these rate limits went in)
 
I'm not too familiar with any colleges, but Cisco NAC would be a perfect option for this. (Clean Access is actually part of NAC).

NAC would pull the PC into a segmented VLAN, run checks via Clean Access (AV, updates etc.) and then allow you access to the rest of the network providing the PC has passed the checks. If not, it would allow them access only to the internet to update. Once updated, NAC would then allow them access to the rest of the network.
 
I'm pretty sure it would take a bit more than a couple of students' machines getting infected (which there would be, statistically) to get an academic network blacklisted. Plus plenty of students torrent and what-not from halls (from my experience anyway) and not much comes of it. Depends where you are I suppose.

Yes, botnets are unwanted and produce lots of nasty traffic, but if you're monitoring it (not rigorously, but looking out for things like email servers in dorm rooms :D) then you should be able to shut off that port pretty quickly and have a chat to the user.

From experience at my university, I can tell you that one compromised user can get you blacklisted very quickly from the major ISPs. We had a user that responded to a 'we need your username and password' phishing email and some Russian hacker started sending out something like 10k messages per second.

We are now using our Barracuda firewall, which was no longer capable of handling our inbound email, and set it up in reverse to check all of our outgoing mail for spam, viruses, rate limiting, etc.

Through the process of cleaning up the whole mess and getting un-blacklisted at the major services such as Gmail, yahoo, MSN, AOL I can tell you that a single user is very capable of getting you on a blacklist. We are now having to crack down on users sending out mailing lists to their soccer teams because if just a few recipients mark the message as spam, it puts us in the warning zone for that service and could very easily push us back on the blacklist if a few users did this in a short period of time.

Amazingly the 'report as spam' feature makes a significant impact to an organization.

Now to properly handle this, you are supposed to setup a separate mail server & global IP for all of your list-serve type email that you can register with the providers so you don't blacklist your legitimate user email.
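The outbound rate check the post above describes, as an added example that is not code from the post or from any product named in it. It parses constructed Postfix-style queue-manager log lines, slides a per-sender window over them, and flags accounts whose message or recipient volume looks like a phished account rather than a coach mailing a soccer team; a known list server is allow-listed so it can be handled on its own IP as the post suggests. The log format, the thresholds (100 messages or 500 recipients per sender in 5 minutes), the addresses and the allow-list are assumptions, not values from the thread.

```python
"""
Added example (not from the forum thread): per-sender rate checks over outgoing
mail logs, to catch a phished account pumping spam before the campus IPs land on
blacklists.

Assumptions (not from the page): Postfix-style 'postfix/qmgr' log lines,
thresholds of 100 messages or 500 recipients per sender per 5-minute window,
and an allow-list for known list servers that legitimately send in bulk.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# postfix/qmgr "queue active" line: timestamp, host, queue id, sender, size, recipient count.
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<n>\d+)")


def parse_qmgr(lines, year=2024):
    """Yield (time, sender, recipient_count) for each 'queue active' line.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    for line in lines:
        m = QMGR_RE.match(line)
        if m and "queue active" in line:
            stamp = " ".join(m.group("ts").split())          # collapse 'Nov  3' to 'Nov 3'
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("sender").lower(), int(m.group("n"))


def offenders(events, window=timedelta(minutes=5), max_msgs=100, max_rcpts=500,
              allow=frozenset()):
    """Slide a time window over each sender's events; return {sender: (peak_msgs, peak_rcpts)}
    for senders that exceeded either threshold inside any window."""
    by_sender = defaultdict(list)
    for ts, sender, n in events:
        if sender not in allow:
            by_sender[sender].append((ts, n))
    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort()
        start, rcpts, peak_msgs, peak_rcpts = 0, 0, 0, 0
        for end, (ts, n) in enumerate(evs):
            rcpts += n
            while ts - evs[start][0] > window:                 # drop events that left the window
                rcpts -= evs[start][1]
                start += 1
            peak_msgs = max(peak_msgs, end - start + 1)
            peak_rcpts = max(peak_rcpts, rcpts)
        if peak_msgs > max_msgs or peak_rcpts > max_rcpts:
            flagged[sender] = (peak_msgs, peak_rcpts)
    return flagged


def make_sample_log():
    """Constructed log lines (not real traffic): one phished account blasting 120 messages of
    40 recipients in four minutes, one coach mailing a team once, one list server."""
    base = datetime(2024, 11, 3, 10, 0, 0)

    def line(t, qid, sender, nrcpt):
        return (f"{t.strftime('%b')} {t.day:2d} {t.strftime('%H:%M:%S')} mail "
                f"postfix/qmgr[2211]: {qid}: from=<{sender}>, size=2048, "
                f"nrcpt={nrcpt} (queue active)")

    lines = [line(base + timedelta(seconds=2 * i), f"A{i:06X}", "phished@example.edu", 40)
             for i in range(120)]
    lines.append(line(base + timedelta(minutes=1), "B000001", "coach@example.edu", 30))
    lines += [line(base + timedelta(seconds=i), f"C{i:06X}", "listserv@lists.example.edu", 1)
              for i in range(300)]
    return lines


if __name__ == "__main__":
    hits = offenders(parse_qmgr(make_sample_log()), allow={"listserv@lists.example.edu"})
    for sender, (msgs, rcpts) in hits.items():
        print(f"{sender}: {msgs} messages / {rcpts} recipients in one window -> hold queue, reset password")
```

Run without the allow-list and the list server trips the message threshold too, which is the practical argument for the post's closing point: bulk senders belong on their own server and IP so their reputation is separate from ordinary user mail, and the rate check on the user path can stay strict.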
 
Where I work they use Bradford Campus Manager. Students need to have all their Windows updates and AV up to date or Bradford will not register their computer.
 
I'm not too familiar with any colleges, but Cisco NAC would be a perfect option for this. (Clean Access is actually part of NAC).

NAC would pull the PC into a segmented VLAN, run checks via Clean Access (AV, updates etc.) and then allow you access to the rest of the network providing the PC has passed the checks. If not, it would allow them access only to the internet to update. Once updated, NAC would then allow them access to the rest of the network.

We've actually looked into this a couple years ago and back then it was waaay out of our price range. Haven't looked into it since, not sure if the price has come down. I think they were charging per client.
 
Glad my campus doesn't seem this complicated. We're allowed routers too, as long as they're secure. Pretty much essential as well. You just have to register one MAC and you're on your way; however, without a router.... you can see everyone's PC. :rolleyes:

It's rather annoying. I'm not sure why, either. So the router eliminates that, by creating its off-branch network.

Plus, I don't like how we're limited to 6000/384 (And throttled past a certain point). 6000/1000 would be nice. But, most people aren't as nerdy as me.

However when connected to the wireless network on campus in certain halls.. the speed test report uncapped speeds. Around 25/15 or so. Must be because it's an AP and allowing more bandwidth other than a jack in the wall?

And the non-computer savvy people are really annoying. I've learned just to play dumb around them, or else you'll be setting up and be the non-paid IT of your whole hall! :mad::mad::mad:
 