Solved

Firewall For specific areas

Posted on 2006-04-04
241 Views
Last Modified: 2013-11-16
Hi

I work at a School.
We have had a number of problems with rogue student laptops: when they connect to our networks they cause problems like viruses and broadcast packets.
We now have a policy where you have to log onto the domain to get internet and network resources. This allows us to manage students' laptops.

In the houses where students stay we need to have something in place to stop any students' laptops causing network broadcast traffic and viruses spreading.

We have Connectix web smart managed switches in each house.

Can you please offer a solution. Thanks in advance.
Question by:downehouse
13 Comments
 
LVL 13

Accepted Solution

by:
hstiles earned 472 total points
ID: 16370505
Port security - simple and effective.  If you have managed switches it is relatively straightforward to bind each port to a specific MAC address.  You also need to ensure that any unused ports are unpatched.  There is an admin overhead in this as new machines need to be added to the port list, etc... but if you are supplying the machines, etc... you should be able to keep on top of it.

If you need to provide internet access but do not want to risk harm to your main network then implement a simple internet only subnet using either a spare interface on your firewall or a SOHO firewall router using a spare external address.

Author Comment

by:downehouse
ID: 16371328
thanks for the info.

I'm pretty sure these Connectix switches don't allow port mapping to MAC addresses.
They do allow vlans though.

With regards to the laptop setups, these students shall now be logging onto a domain and will be using the internet and accessing their network drives.

Before, we just used to give the students a proxy address for the internet, but these laptops had viruses and other stuff on them and they used to send out broadcast packets and kill the bandwidth, thus slowing down the internet access for everyone.

All laptops have to come to us first to get cleaned of any viruses and spyware; then they are joined to the domain.

Our biggest concern is if students don't bring their laptops to us first and just plug them into the network ports in the houses. Students get internet access via their Windows credentials.

We need something in place to stop unwanted broadcasts and viruses too if possible.

Thanks again in advance.
LVL 13

Expert Comment

by:hstiles
ID: 16371366
I've never heard of Connectix switches.  Do you have a model number or web link so I could look into port security?
Author Comment

by:downehouse
ID: 16371525
Yeah sure

Networkx web smart edge engine 24 port 10/100 + gigabit

Here is the link for this model :

http://www.connectix.co.uk/dev/datasheets/010-100-200-44v0.htm

thanks again.
LVL 13

Expert Comment

by:hstiles
ID: 16371685
Hmm.  Port security really is the best way to nip this in the bud.  The ideal solution, from a security perspective, would be one that monitors your network and, if a threat is detected, shuts down the relevant port.

At the simplest level, just restricting network access to machines that you're aware of is a great start.
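hstiles describes the ideal as something that watches the network and shuts a port when a threat is detected. The detection half of that, for the broadcast storms the question is about, is a rate check on per-port broadcast counters. The script below is an added example written for this page, not code from the thread, from Connectix or from any product. It assumes the counters are cumulative 32-bit values of the kind a switch exposes as IF-MIB `ifInBroadcastPkts` (or shows in its web UI), sampled every few seconds; the sample data, threshold and port numbers are constructed for illustration.

```python
"""Flag switch ports whose broadcast packet rate looks like a storm.

Added example for this thread. Input is a list of (timestamp_s, port,
cumulative_broadcast_pkts) readings, the shape you get by polling
IF-MIB ifInBroadcastPkts per port (assumption: 32-bit wrapping counters).
"""

# Constructed sample: three ports polled every 10 s. Port 2 is a laptop
# flooding broadcasts; ports 1 and 3 are normal chatter. Not real data.
SAMPLES = [
    (0, 1, 1000), (0, 2, 500), (0, 3, 0),
    (10, 1, 1300), (10, 2, 600000), (10, 3, 50),
    (20, 1, 1600), (20, 2, 1200000), (20, 3, 100),
]

# Broadcast packets per second above which a port is considered suspect.
# The right value depends on the house LAN; this one is an assumption.
THRESHOLD_PPS = 1000
COUNTER_MODULUS = 2 ** 32  # SNMP Counter32 wraps at this value


def broadcast_rates(samples):
    """Turn cumulative per-port counters into {port: [pps per interval]}.

    Handles counter wrap-around so a rollover is not reported as a
    negative rate or, worse, a huge spike.
    """
    last = {}   # port -> (timestamp, count) of previous reading
    rates = {}  # port -> list of packets-per-second values
    for ts, port, count in sorted(samples):
        if port in last:
            prev_ts, prev_count = last[port]
            dt = ts - prev_ts
            if dt > 0:
                delta = count - prev_count
                if delta < 0:
                    delta += COUNTER_MODULUS  # counter wrapped since last poll
                rates.setdefault(port, []).append(delta / dt)
        last[port] = (ts, count)
    return rates


def flag_storms(samples, threshold_pps=THRESHOLD_PPS, consecutive=2):
    """Return ports whose broadcast rate stayed above the threshold for
    `consecutive` polling intervals in a row.

    Requiring more than one interval avoids disabling a port because of a
    short, legitimate burst (for example ARP/NetBIOS chatter at boot).
    """
    flagged = []
    for port, pps in broadcast_rates(samples).items():
        run = 0
        for rate in pps:
            run = run + 1 if rate > threshold_pps else 0
            if run >= consecutive:
                flagged.append(port)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for port, pps in sorted(broadcast_rates(SAMPLES).items()):
        print(f"port {port}: {[round(r) for r in pps]} broadcast pkt/s")
    print("ports to shut down:", flag_storms(SAMPLES))
```

On a switch with no built-in storm control, the "shut down" step is whatever the management interface offers for disabling a port; the point of the script is that the decision is made from counters the switch already keeps, so it works regardless of vendor.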
LVL 9

Expert Comment

by:jabiii
ID: 16372527
shut down all ports by default
then after the student brings you their laptop to be cleaned, enable the port for them :)
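hstiles' port-security advice (bind each port to a known MAC, unpatch unused ports) and jabiii's default-off approach both come down to keeping a register of which laptop belongs on which port and checking the switch against it after every cleaning or room change. The script below is an added example written for this page, not code from the thread or from Connectix. It assumes a MAC address table dump in a simple "port, MAC, VLAN, type" column layout (constructed; real switches format this differently) and a hand-maintained allow-list of registered laptops per port; all addresses and port numbers are made up.

```python
"""Audit a switch's learned MAC table against a per-port allow-list.

Added example for this thread. For each port it reports whether the
devices seen match the registered laptop, and what the admin should do.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample dump of a switch MAC address table (not a real format).
SAMPLE_MAC_TABLE = """\
Port  MAC Address        VLAN  Type
1     00:11:22:33:44:01  10    dynamic
1     00:11:22:33:44:99  10    dynamic
2     00:11:22:33:44:02  10    dynamic
4     00:11:22:33:44:04  10    dynamic
"""

# Constructed register: port -> MACs of laptops that were cleaned and
# assigned to that room. Ports absent here have no registered device.
ALLOW_LIST = {
    1: {"00:11:22:33:44:01"},
    2: {"00:11:22:33:44:02"},
    3: {"00:11:22:33:44:03"},
}
TOTAL_PORTS = 5  # assumption for the sample; the real switch has 24

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so register and dump compare equal."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def parse_mac_table(text: str) -> dict[int, set[str]]:
    """Return {port: {learned MACs}} from the dump, skipping header lines."""
    learned: dict[int, set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header, blank or otherwise unexpected line
        learned.setdefault(int(parts[0]), set()).add(normalize_mac(parts[1]))
    return learned


@dataclass(frozen=True)
class Finding:
    port: int
    status: str             # "ok", "violation", "idle" or "unused"
    unexpected: frozenset   # MACs seen that are not registered for this port
    action: str


def audit(learned, allow_list, total_ports) -> list[Finding]:
    """Compare every physical port against the register."""
    findings = []
    for port in range(1, total_ports + 1):
        allowed = {normalize_mac(m) for m in allow_list.get(port, set())}
        seen = learned.get(port, set())
        unexpected = frozenset(seen - allowed)
        if unexpected:
            # Either an unregistered laptop, or a second device (hub/switch)
            # behind a registered one: both break the one-port-one-MAC rule.
            status, action = "violation", "disable port; locate the device"
        elif not allowed:
            status, action = "unused", "keep port disabled / unpatched"
        elif not seen:
            status, action = "idle", "registered laptop not connected"
        else:
            status, action = "ok", "none"
        findings.append(Finding(port, status, unexpected, action))
    return findings


def ports_to_disable(findings) -> list[int]:
    """Ports that should be administratively down under a default-off policy."""
    return [f.port for f in findings if f.status in ("violation", "unused")]


if __name__ == "__main__":
    results = audit(parse_mac_table(SAMPLE_MAC_TABLE), ALLOW_LIST, TOTAL_PORTS)
    for f in results:
        extra = f" unexpected={sorted(f.unexpected)}" if f.unexpected else ""
        print(f"port {f.port}: {f.status:9} -> {f.action}{extra}")
    print("disable:", ports_to_disable(results))
```

Because the register is keyed by port rather than by student, the termly room change is a one-line edit per laptop in `ALLOW_LIST`; re-running the audit then shows which ports to re-enable and which now carry a device that was never brought in for cleaning.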
Author Comment

by:downehouse
ID: 16379511
Thanks for the advice.

We have only one problem where the students change rooms every term, this will cause hassle for us.

Do you know of any appliance device like a firewall we could place between our main network and the houses?

LVL 13

Expert Comment

by:hstiles
ID: 16379735
How many houses?  I mean implementing a unique VLAN for each house would reduce the size of each of the collision domains drastically and, as an added bonus, protect other houses from hacking attempts that smartarse students might attempt, like man in the middle attacks/Arp cache poison attacks.

Also, maybe stick your infrastructure/servers behind a router, so that malicious broadcast traffic or hacking attempts like the ones mentioned above won't pass.

That would solve the problem of your switches not allowing you to secure each port, and give you an easy method of pinpointing rogue machines as they'll be on a VLAN that's tied to the ports in a specific house.
LVL 4

Expert Comment

by:ferg-o
ID: 16381780

How big is the environment, what is the risk, and how much have you got to spend to mitigate it? With this estimated then we can help you with the type of solutions you should look at.
LVL 4

Assisted Solution

by:uberpoop
uberpoop earned 464 total points
ID: 16385047
I realize you are not running Cisco switches etc...
But you should really look at Cisco Clean Access appliances...
They do EXACTLY what you want and are designed for campuses...
I know most large US universities are running CCA just for this same purpose.

http://www.cisco.com/en/US/products/ps6128/index.html

Author Comment

by:downehouse
ID: 16398864
Hi

We have 3 houses where roughly 125 students stay at each house with laptops.

I'm currently reading into Cisco Clean Access.

Thanks in advance.
LVL 4

Expert Comment

by:uberpoop
ID: 16403537
I should add that Cisco is not the only company making these types of products... just the only one I know the name of. If I find more I will post.
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 464 total points
ID: 16411746
Look at network IPS, such as www.toplayer.com, www.tippingpoint.com, www.mcafee.com (Intrushield).  These will clean any viruses straight off the wire, so as long as you place these devices in strategic locations (e.g. use one in front of each house, and one in front of your critical servers, or just share the ports on a multiple-port IPS), then you will get the protection you need very quickly, without having to mess around with Cisco or network configs.