  • Status: Solved
  • Priority: Medium
  • Security: Public

University department network configuration help.

Hi everyone. Once again I am requesting help here to get a project done that was assigned to me. I hope I can get some good feedback as in the past to start working on the assignment. I will explain the current setup in the simplest possible way and the requirements at the end of the message:

Brief intro:

I work for a department in a college where the campus is an entire building (in NY).  

My department has offices in the 3rd and 9th floor.  

The main college IT department has control over the wires, routers, DNS, DHCP and SMTP in the entire building.

Our main department has offices on the 9th floor, where we set up a sub-domain using Microsoft Active Directory. We run MS Exchange 2003 and Windows Server 2003 and have a whole bunch of web servers.

Our department has just under 300 workstations

We have 2 DNS servers to help with name resolution in our department. These DNS servers forward requests to the main college DNS as well, but serve our purpose of internal name resolution within our sub-domain fine.

We have set up 2 VPN servers on 2 separate Windows Server 2003 machines to access our internal subnet from outside and use MS Exchange; we are also testing RPC over HTTP.

Our subnet, and thus our entire network, is outside the DMZ. The college IT department has allowed our servers to be in the open because we manage our own security.

The 3rd floor offices connect to our servers on the 9th floor by using VPN as well, because the 3rd floor is within the college firewall and inter-floor communication is blocked due to the Nimda virus and all the other worms that came out last year. Port 135 is definitely blocked and will not be opened by the college IT department by any means.


Problems:

1) The 3rd floor computers keep disconnecting all the time, and access to files, databases, the Exchange server, etc. is interrupted throughout the day. This causes major conflicts and loss of data very frequently.

2) Because we do not manage our own DHCP, we cannot control the use of laptops in the department. People come to the laboratories with their home laptops and download all kinds of junk (porn, mp3, videos, games, etc.).

3) Since it is very easy to install a wireless router, most lab people have purchased these and plug them into an RJ45 jack to begin IP distribution to all wireless users who pick up the signal.


Requirements

1) We need to implement a more steady solution for the 3rd floor offices to connect to our network.  What do you suggest ?

2) We need to find a way to control the use of network users who come in and plug their laptops.

3) We need to implement an authentication scheme to control the use of wireless clients who are not authorized by us. I am thinking about using smart cards or 802.1x type of authentication. We can go to all the labs and set up passwords and WEP on all devices, but it would be nice to have a centralized authentication setup in the domain using some type of GPO.

4) We need to implement an authentication scheme to control the use of laptop users who bring computers from home. I am thinking the same as in No. 3 above, but I just need some help in determining if this is the best solution and how we could implement it.

You have to take the following into consideration before you post your suggestions:


The college IT department WILL NOT help us in any way. They will not allow us control of DHCP, which would be useful to control IP addresses by MAC address.

The college IT department WILL NOT configure routers in any way to accommodate any request from us. We are on our own and these are the only tools we have.

I have not read much about these topics because I would like to get some ideas from any of you who is willing to help me with this before I begin my search. I can then read your reference guides or get more information on any lead you can provide.

Thank you for your help.

CL.
Asked by: carotech

1 Solution
iom100uk commented:
Your college IT department sounds pretty rubbish. You don't say whether you are the designated IT person for your department, but I think that you need to communicate better with them. If they're willing to let you maintain the security of your own servers, they should also negotiate further fixes. Remember that they are there to serve you, and technology shouldn't get in the way of doing your department's work/research. The arbitrary blocking of ports across floors is pretty inexplicable. If you're one department then you should be treated as one network wherever possible.

I think I'd think about installing your own firewall and blocking DHCP, then setting up your own DHCP server restricted to known MAC addresses. This should help control unknown/uncontrolled laptops. I would suggest checking each laptop for Windows patches and an up-to-date virus checker before you allow it to get a DHCP lease. We do it here (a college in the UK).

You need good policy documents in place which explain why people shouldn't be installing their own wireless kit (channel management, security, poor default settings etc) and then get the funding to install your own centrally managed wireless network. There are a number of products which will let you control access. I've just set up NoCat (www.nocat.net) at my workplace.

Sounds like a nightmare scenario - good luck!
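The "DHCP server restricted to known MAC addresses" suggested in the answer above, shown as an added ISC dhcpd.conf fragment that is not part of the thread; the subnet, addresses, host names and MACs are constructed placeholders, and the two DNS addresses stand in for the department's own DNS servers.

```conf
# Added example (not from the thread): department DHCP server that hands
# out leases only to inventoried machines. All values are constructed.
authoritative;                 # this server owns the segment; stray requests get a NAK
default-lease-time 3600;
max-lease-time 7200;

subnet 10.9.0.0 netmask 255.255.255.0 {
    option routers 10.9.0.1;
    option domain-name-servers 10.9.0.5, 10.9.0.6;  # the department's two DNS servers
    range 10.9.0.100 10.9.0.199;
    deny unknown-clients;      # no lease unless a host {} block below matches the MAC
}

# One host block per inventoried department workstation or laptop.
host lab301-pc01 {
    hardware ethernet 00:00:5e:00:53:01;   # constructed MAC (documentation range)
    fixed-address 10.9.0.101;
}
host lab301-pc02 {
    hardware ethernet 00:00:5e:00:53:02;   # constructed MAC (documentation range)
    fixed-address 10.9.0.102;
}
```

This only works once the department firewall stops the college DHCP server from answering on the segment, as the answer says; and because a MAC address can be changed or a static IP configured by hand, the allow-list is a convenience control, while the 802.1x authentication the question raises is the stronger one for unmanaged laptops.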
 
carotech (author) commented:
Thank you, NoCat is a very good resource page. I'll wait for more ideas before distributing points.

Yes, you are right when you say this is a nightmare, because it truly is.

CL