Group supports a small college with about 200 students.
We have a Shorewall firewall/web filter/access mgmt solution in place between the ISP access and the internal network. This appliance also handles DNS and DHCP.
The problem is that malware-infected PCs are hogging the bandwidth of the student T1 Internet access. We are in essence getting an internal DoS.
Our plan is to put a similar appliance on the internal interface, to detect and control rogue workstations and malware-afflicted workstations. Using SNORT we would like to detect the activity then shut down that workstation's access.
I know we can drop the client by IP address. But to restrict access on a more permanent basis, we need a way to remove that client from DHCP eligibility by MAC address.
So, SNORT needs to write to a table of MAC addresses that will be excluded from DHCP eligibility.
Or is there a better solution?
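One way to wire up the Snort-to-DHCP step the post describes, as an added example that is not code from the original post, from Snort or from Shorewall: it parses Snort "-A fast" alert lines, maps each internal source IP to the MAC that currently holds that address in an ISC dhcpd.leases file, and emits the exclusion lines for the DHCP server (dnsmasq `dhcp-host=<mac>,ignore`, plus the equivalent ISC dhcpd class). The alert lines, the leases file, the 10.0.x.x range and the SIDs 1000001-1000003 are constructed samples, not real rules or traffic.

```python
"""Snort fast alerts -> DHCP deny list keyed by MAC (added example, constructed data)."""
import re
from collections import defaultdict

# Snort fast format: ts  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)
# ISC dhcpd.leases record: lease <ip> { ... hardware ethernet <mac>; ... }
LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+(?:\.\d+){3})\s*\{(?P<body>[^}]*)\}")
HW_RE = re.compile(r"hardware ethernet\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*;", re.I)


def parse_alerts(lines):
    """One dict per well-formed fast-alert line; anything else is skipped."""
    out = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            out.append(d)
    return out


def parse_leases(text):
    """IP -> MAC from dhcpd.leases. dhcpd appends records, so the last one for an IP is current."""
    ip_to_mac = {}
    for m in LEASE_RE.finditer(text):
        hw = HW_RE.search(m.group("body"))
        if hw:
            ip_to_mac[m.group("ip")] = hw.group("mac").lower()
    return ip_to_mac


def offending_macs(alerts, ip_to_mac, internal_prefix="10.0.", max_prio=1):
    """{mac: set(sid)} for alerts sourced from an internal host that holds a lease
    and whose priority is <= max_prio (Snort priority 1 is the most severe).
    Alerts sourced from outside are attacks on us, not an infected workstation,
    so they never cause a block."""
    hits = defaultdict(set)
    for a in alerts:
        if a["prio"] > max_prio or not a["src"].startswith(internal_prefix):
            continue
        mac = ip_to_mac.get(a["src"])
        if mac:  # no lease means a static IP; DHCP exclusion cannot touch it
            hits[mac].add(a["sid"])
    return dict(hits)


def dnsmasq_deny_lines(macs):
    """dnsmasq syntax: 'dhcp-host=<mac>,ignore' makes dnsmasq never answer that MAC."""
    return [f"dhcp-host={mac},ignore" for mac in sorted(macs)]


def dhcpd_deny_config(macs):
    """ISC dhcpd syntax: members of class 'blocked' get no lease once the pool
    carries 'deny members of "blocked";'. The leading '1:' is the ethernet hardware type."""
    lines = ['class "blocked" { match hardware; }']
    lines += [f'subclass "blocked" 1:{mac};' for mac in sorted(macs)]
    return "\n".join(lines)


def build_blocklist(alert_lines, leases_text):
    hits = offending_macs(parse_alerts(alert_lines), parse_leases(leases_text))
    return hits, dnsmasq_deny_lines(hits)


# Constructed sample input: 10.0.5.40 was re-leased, so its last record wins.
SAMPLE_LEASES = """\
lease 10.0.5.23 {
  starts 3 2011/03/09 08:00:00;
  hardware ethernet 00:16:3E:4A:11:0C;
  client-hostname "lab-pc-07";
}
lease 10.0.5.40 {
  hardware ethernet 00:16:3e:0b:77:9e;
}
lease 10.0.5.40 {
  hardware ethernet 00:16:3e:de:ad:01;
}
"""
SAMPLE_ALERTS = [
    "03/09-14:32:01.123456  [**] [1:1000001:1] CONSTRUCTED outbound spam burst [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 10.0.5.23:49152 -> 203.0.113.9:25",
    "03/09-14:32:05.000001  [**] [1:1000002:1] CONSTRUCTED ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.5.40 -> 10.0.5.1",
    "03/09-14:33:10.500000  [**] [1:1000003:1] CONSTRUCTED IRC join [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.5.40:51000 -> 198.51.100.7:6667",
    "03/09-14:34:00.000000  [**] [1:1000001:1] CONSTRUCTED outbound spam burst [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 203.0.113.50:1234 -> 10.0.5.23:25",
    "not an alert line",
]

if __name__ == "__main__":
    hits, deny = build_blocklist(SAMPLE_ALERTS, SAMPLE_LEASES)
    for mac, sids in sorted(hits.items()):
        print(f"{mac}  sids={sorted(sids)}")
    print("\n".join(deny))
    print(dhcpd_deny_config(hits))
```

Two caveats worth knowing before relying on this. First, the IP-to-MAC mapping is only as fresh as the leases file; on the firewall itself the kernel neighbour table (`ip neigh` / `arp -n`) read at alert time is the more reliable source, and after writing the file the DHCP server has to be reloaded to pick it up. Second, DHCP exclusion only stops a cooperative client: a machine given a static address, or a user who changes the MAC, gets back on, so the per-IP (and ideally per-MAC) drop in Shorewall remains the actual enforcement and the DHCP denial is a convenience on top of it.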