Firewall for specific areas

Hi

I work at a School.
We have had a number of problems with rogue student laptops: when they connect to our networks they cause problems like viruses and broadcast packets.
We now have a policy where you have to log onto the domain to get internet and network resources. This allows us to manage the students' laptops.

In the houses where students stay we need to have something in place to stop any student laptops from causing broadcast traffic and spreading viruses.

We have Connectix web smart managed switches in each house.

Can you please offer a solution. Thanks in advance.
downehouse asked:

hstiles commented:
Port security - simple and effective. If you have managed switches it is relatively straightforward to bind each port to a specific MAC address. You also need to ensure that any unused ports are unpatched. There is an admin overhead in this, as new machines need to be added to the port list and so on, but if you are supplying the machines you should be able to keep on top of it.

If you need to provide internet access but do not want to risk harm to your main network then implement a simple internet only subnet using either a spare interface on your firewall or a SOHO firewall router using a spare external address.

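One way to run the port-security check hstiles describes when the switch itself cannot enforce MAC bindings is to export the learned MAC table and compare it with the approved bindings offline. The following is an added example in Python, not code from the thread or from Connectix; the approved bindings, the MAC table format and all addresses are constructed for illustration.

```python
"""Audit a switch's learned MAC table against approved port-to-MAC bindings.

Added example with constructed data; the MAC table below is a simplified
version of what a managed switch's web UI or CLI exports, not a dump from the
Connectix switches in the thread.
"""
from collections import defaultdict

# Hypothetical approved bindings: port -> MAC of the one laptop that was
# cleaned, joined to the domain and patched to that port.
APPROVED = {
    "1": "00:11:22:33:44:01",
    "2": "00:11:22:33:44:02",
    "3": "00:11:22:33:44:03",
}

# Constructed dump of the switch's dynamic MAC address table: "<port> <mac>".
MAC_TABLE = """\
1  00:11:22:33:44:01
2  00:11:22:33:44:02
2  00-11-22-33-44-99
5  00:AA:BB:CC:DD:EE
24 00:11:22:33:44:03
"""


def normalise(mac):
    """Lower-case, colon-separated form so different switch formats compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_mac_table(text):
    """Return {port: {mac, ...}} from a 'port mac' per-line dump."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or header lines
        port, mac = fields
        seen[port].add(normalise(mac))
    return seen


def audit(approved, seen):
    """List (port, mac, reason) for every MAC that is not where it should be."""
    approved_norm = {p: normalise(m) for p, m in approved.items()}
    home_port = {m: p for p, m in approved_norm.items()}
    findings = []
    for port in sorted(seen, key=int):
        for mac in sorted(seen[port]):
            if approved_norm.get(port) == mac:
                continue  # expected binding, nothing to do
            if mac in home_port:
                reason = f"approved MAC for port {home_port[mac]} has moved (room change?)"
            elif port in approved_norm:
                reason = f"unknown MAC on a port bound to {approved_norm[port]}"
            else:
                reason = "traffic on an unassigned port; it should be unpatched"
            findings.append((port, mac, reason))
    return findings


if __name__ == "__main__":
    for port, mac, reason in audit(APPROVED, parse_mac_table(MAC_TABLE)):
        print(f"port {port:>2}  {mac}  {reason}")
```

Run it against a fresh export after each term's room changes: the "has moved" findings are the approved laptops that need their binding updated, the other two kinds are ports to disable or unpatch.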
downehouse (author) commented:
thanks for the info.

I'm pretty sure these Connectix switches don't allow mapping ports to MAC addresses.
They do allow vlans though.

With regards to the laptop setups, these students will now be logging onto a domain and will be using the internet and accessing their network drives.

Before, we just used to give the students a proxy address for the internet, but as these laptops had viruses and other stuff on them they used to send out broadcast packets and kill the bandwidth, thus slowing down the internet access for everyone.

All laptops have to come to us first to get cleaned of any viruses and spyware; then they are joined to the domain.

Our biggest concern is if students don't bring their laptops to us first and just plug them into the network ports in the houses. Students get internet access via their Windows credentials.

We need something in place to stop unwanted broadcasts and viruses too if possible.

Thanks again in advance.
hstiles commented:
I've never heard of Connectix switches.  Do you have a model number or web link so I could look into port security?
downehouse (author) commented:
Yeah sure

Networkx web smart edge engine 24 port 10/100 + gigabit

Here is the link for this model :

http://www.connectix.co.uk/dev/datasheets/010-100-200-44v0.htm

thanks again.
hstiles commented:
Hmm. Port security really is the best way to nip this in the bud. The ideal solution, from a security perspective, would be one that monitors your network and, if a threat is detected, shuts down the relevant port.

At the simplest level, just restricting network access to machines that you're aware of is a great start.
jabiii commented:
Shut down all ports by default.
Then, after the student brings you their laptop to be cleaned, enable the port for them :)
downehouse (author) commented:
Thanks for the advice.

We have only one problem: the students change rooms every term, which will cause hassle for us.

Do you know of any appliance device like a firewall we could place between our main network and the houses?

hstiles commented:
How many houses? I mean, implementing a unique VLAN for each house would reduce the size of each of the collision domains drastically and, as an added bonus, protect other houses from hacking attempts that smartarse students might attempt, like man-in-the-middle attacks or ARP cache poisoning attacks.

Also, maybe stick your infrastructure/servers behind a router, so that malicious broadcast traffic or hacking attempts like the ones mentioned above won't pass.

That would solve the problem of your switches not allowing you to secure each port, and give you an easy method of pinpointing rogue machines, as they'll be on a VLAN that's tied to the ports in a specific house.
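A way to act on the per-house VLAN layout hstiles suggests is to poll each switch's per-port broadcast counters, turn them into a rate, and map an offending port back to its house through its VLAN. This is an added example in Python, not from the thread or from any switch vendor; the VLAN numbers, house names and counter values are constructed, and the 100 pkt/s threshold is a placeholder to tune against normal traffic.

```python
"""Spot a port flooding broadcasts and tie it to a house via its VLAN.

Added example with constructed counter snapshots, not the thread's data. It
assumes one VLAN per house (as suggested above) and that the switch exposes
per-port broadcast packet counters, which most managed switches do via SNMP
or their web UI.
"""
from dataclasses import dataclass

# Hypothetical VLAN-to-house mapping.
VLAN_HOUSE = {10: "House A", 20: "House B", 30: "House C"}

# Constructed snapshots taken 60 s apart: (time_s, vlan, port, broadcast_pkts_total).
SNAPSHOTS = [
    (0, 10, 1, 1000), (0, 10, 2, 1000), (0, 20, 7, 5000), (0, 30, 12, 200),
    (60, 10, 1, 1200), (60, 10, 2, 61000), (60, 20, 7, 5300), (60, 30, 12, 250),
]


@dataclass
class PortRate:
    vlan: int
    port: int
    pps: float  # broadcast packets per second over the sampled interval


def broadcast_rates(snapshots):
    """Turn cumulative per-port counters into a rate per (vlan, port)."""
    first, last = {}, {}
    for ts, vlan, port, total in snapshots:
        key = (vlan, port)
        if key not in first or ts < first[key][0]:
            first[key] = (ts, total)
        if key not in last or ts > last[key][0]:
            last[key] = (ts, total)
    rates = []
    for key in sorted(first):
        (t0, c0), (t1, c1) = first[key], last[key]
        if t1 <= t0 or c1 < c0:
            continue  # single sample, or counter wrapped/reset: no usable rate
        rates.append(PortRate(key[0], key[1], (c1 - c0) / (t1 - t0)))
    return rates


def storming_ports(rates, threshold_pps=100.0):
    """Ports whose broadcast rate exceeds the threshold (tune to your baseline)."""
    return [r for r in rates if r.pps > threshold_pps]


def report(rates, threshold_pps=100.0):
    """Human-readable action list: which house, which port, what to do."""
    lines = []
    for r in storming_ports(rates, threshold_pps):
        house = VLAN_HOUSE.get(r.vlan, f"VLAN {r.vlan}")
        lines.append(
            f"{house}: port {r.port} sending {r.pps:.0f} broadcast pkt/s; "
            "shut the port and find the laptop"
        )
    return lines


if __name__ == "__main__":
    for line in report(broadcast_rates(SNAPSHOTS)):
        print(line)
```

Because each house is its own VLAN, a hit in the report already names the house, and the port number narrows it to one room's wall socket; the negative-delta check matters because 32-bit counters on small switches wrap and would otherwise show up as a false storm.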
ferg-o commented:

How big is the environment, what is the risk, and how much have you got to spend to mitigate it? With this estimated then we can help you with the type of solutions you should look at.
uberpoop commented:
I realize you are not running Cisco switches etc...
But you should really look at Cisco Clean Access appliances...
They do EXACTLY what you want and are designed for campuses...
I know most large US universities are running CCA just for this same purpose.

http://www.cisco.com/en/US/products/ps6128/index.html

downehouse (author) commented:
Hi

We have 3 houses where roughly 125 students stay at each house with laptops.

I'm currently reading into Cisco Clean Access.

Thanks in advance.
uberpoop commented:
I should add that Cisco is not the only company making these types of products, just the only one I know the name of. If I find more I will post.
Tim Holman commented:
Look at network IPS, such as www.toplayer.com, www.tippingpoint.com, www.mcafee.com (Intrushield). These will clean any viruses straight off the wire, so as long as you place these devices in strategic locations (e.g. one in front of each house and one in front of your critical servers, or just share the ports on a multi-port IPS), you will get the protection you need very quickly, without having to mess around with Cisco or network configs.