Firewall For specific areas


I work at a School.
We have had a number of problems with rogue student laptops, as when they connect to our networks they cause problems like viruses and broadcasting packets.
We now have a policy where you have to log onto the domain to get internet and network resources. This allows us to manage students' laptops.

In the houses where students stay we need to have something in place, to stop any students' laptops causing network broadcast traffic and viruses spreading.

We have Connectix web smart managed switches in each house.

Can you please offer a solution? Thanks in advance.

Port security - simple and effective. If you have managed switches it is relatively straightforward to bind each port to a specific MAC address. You also need to ensure that any unused ports are unpatched. There is an admin overhead in this as new machines need to be added to the port list, etc... but if you are supplying the machines, etc... you should be able to keep on top of it.

If you need to provide internet access but do not want to risk harm to your main network then implement a simple internet only subnet using either a spare interface on your firewall or a SOHO firewall router using a spare external address.

downehouse (Author) commented:
Thanks for the info.

I'm pretty sure these Connectix switches don't allow mapping ports to MAC addresses.
They do allow VLANs though.

With regards to the laptop setups, these students shall now be logging onto a domain and will be using the internet and accessing their network drives.

Before, we just used to give the students a proxy address for the internet, but these laptops had viruses and other stuff on them, and they used to send out broadcast packets and kill the bandwidth, thus slowing down the internet access for everyone.

All laptops have to come to us first to get cleaned of any viruses and spyware, then they are joined to the domain.

Our biggest concern is if students don't bring their laptops to us first and just plug them into the network ports in the houses. Students get internet access via their Windows credentials.

We need something in place to stop unwanted broadcasts and viruses too if possible.

Thanks again in advance.
I've never heard of Connectix switches.  Do you have a model number or web link so I could look into port security?

downehouse (Author) commented:
Yeah sure

Networkx web smart edge engine 24 port 10/100 + gigabit

Here is the link for this model:

Thanks again.
Hmm. Port security really is the best way to nip this in the bud. The ideal solution, from a security perspective, would be one that monitors your network and, if a threat is detected, shuts down the relevant port.

At the simplest level, just restricting network access to machines that you're aware of is a great start:
shut down all ports by default,
then after the student brings you their laptop to be cleaned, enable the port for them :)
downehouse (Author) commented:
Thanks for the advice.

We have only one problem: the students change rooms every term, which will cause hassle for us.

Do you know of any appliance device like a firewall we could place between our main network and the houses?

How many houses? I mean implementing a unique VLAN for each house would reduce the size of each of the collision domains drastically and, as an added bonus, protect other houses from hacking attempts that smartarse students might attempt, like man in the middle attacks/ARP cache poison attacks.

Also, maybe stick your infrastructure/servers behind a router, so that malicious broadcast traffic or hacking attempts like the ones mentioned above won't pass.

That would solve the problem of your switches not allowing you to secure each port, and give you an easy method of pinpointing rogue machines, as they'll be on a VLAN that's tied to the ports in a specific house.
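As an added illustration (not part of the thread, and not tied to any particular switch's export format), the sketch below combines two suggestions from the answers above: restrict access to machines you know about, and give each house its own VLAN so a rogue machine can be pinpointed. The inventory, the VLAN numbers and the MAC table rows are constructed sample data; the check keys on the laptop's MAC rather than the room port, so it survives students changing rooms each term.

```python
import re
from collections import defaultdict

# Constructed inventory: MACs of laptops already cleaned and joined to the domain.
REGISTERED = {"00:1a:2b:3c:4d:01": "student-a", "00:1a:2b:3c:4d:02": "student-b"}
# Assumed VLAN plan: one VLAN per boarding house.
HOUSE_VLANS = {110: "House 1", 120: "House 2", 130: "House 3"}
# Constructed export of a switch MAC address table (vlan, mac, port).
SAMPLE_TABLE = """\
vlan  mac                port
110   00-1A-2B-3C-4D-01  7
110   DE:AD:BE:EF:00:10  12
120   001a.2b3c.4d02     3
130   DE:AD:BE:EF:00:11  21
1     00:1A:2B:3C:4D:99  24
"""

def normalise_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_unregistered(table_text, registered=REGISTERED, house_vlans=HOUSE_VLANS):
    """Group MACs seen on house VLANs that are missing from the inventory."""
    known = {normalise_mac(m) for m in registered}
    rogue = defaultdict(list)
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # header or malformed row
        vlan, mac, port = int(fields[0]), normalise_mac(fields[1]), fields[2]
        if vlan not in house_vlans or mac is None:
            continue  # not a house VLAN, or an unparseable MAC
        if mac not in known:
            rogue[house_vlans[vlan]].append((mac, port))
    return dict(rogue)

if __name__ == "__main__":
    for house, hits in sorted(find_unregistered(SAMPLE_TABLE).items()):
        for mac, port in hits:
            print(f"{house}: unregistered {mac} on port {port}")
```

A MAC address can be changed on the client, so treat a match as inventory triage rather than proof of identity; the domain logon remains the access control.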

How big is the environment, what is the risk, and how much have you got to spend to mitigate it? With this estimated then we can help you with the type of solutions you should look at.
I realize you are not running Cisco switches etc...
But you should really look at Cisco Clean Access appliances...
They do EXACTLY what you want and are designed for campuses...
I know most large US universities are running CCA just for this same purpose.

downehouse (Author) commented:

We have 3 houses where roughly 125 students stay at each house with laptops.

I'm currently reading into Cisco Clean Access.

Thanks in advance.
I should add that Cisco is not the only company making these types of products... just the only one I know the name of. If I find more I will post.
Tim Holman commented:
Look at network IPS, such as,, (Intrushield).  These will clean any viruses straight off the wire, so as long as you place these devices in strategic locations (eg use one in front of each house, and one in front of your critical servers, or just share the ports on a multiple-port IPS), then you will get the protection you need very quickly, without having to mess around with Cisco or network configs.