[ale] OT: laptops on a network, security

James P. Kinney III jkinney at localnetsolutions.com
Wed May 28 22:08:01 EDT 2003 

On Wed, 2003-05-28 at 21:48, J.M. Taylor wrote:
> Hypothetical situation: you are a fair-to-middlin' sized university, and
> people (students, faculty, staff, spouses, riff-raff) want to bring their
> laptops in and plug in to your network.  Your draconian laws prohibit this
> but it's becoming increasingly obvious that people are doing it anyway,
> and you can't hide from the issue forever.
> 
> What do you do?  Could something like RADIUS be used to authenticate
> mobile users and only grant those with valid accounts an IP address?  What
> about people who just assign themselves an IP? How does one stop that?
> 
> I know there are a ton of security issues involved here, and of course I'm
> looking for a solution that protects both our network and our mobile
> users. One of my biggest concerns is that these are machines completely
> out of our control, how do I mitigate the potential horrible evil of that?
> 
> I'm fishing here, would be especially interested to know what GA Tech,
> Emory,  Kennesaw, and others are doing because as a school we're going to
> have to follow different rules than a corporation, but I'm interested to
> hear from anybody with experience doing this kind of thing.
> 
> TIA
> jenn
> 
> 
What _I_ would do is to allow all dhcp requests and pass out 10.0.0.0
address to anything that asks for one. Then anything with a 10.* address
gets filtered to use ONLY port 80 and the high return ports. It would
require some active monitoring on the switches, but thats what you paid
the big bucks on those managed switches for, right :)

So if any MAC address tries to access any port that is unauthorized more
than once during a session, that MAC gets it IP revoked and then it is
blacklisted from getting another for, say, 24-48 hours campus wide.

I would save the RADIUS server for people who need access to the campus
LAN for real work. 

I would also set up kiosk boxes that also have 10.* address but they are
known by their MAC and are allowed limited access to internal LAN sites
and off campus web sites. The other address that are doled out get no
outside campus access. That avoids problems of a legal type.

Hmm. I also like the idea of having a switchable 48V power supply that
feed the pins 3&6 (receive pair) on the accessible Ethernet ports. If a
MAC consistently shows security attempts, flip the switch. 48V won't
smoke and be obvious, but it will trash the NIC. Might be a bit
expensive to implement campus wide, though.

Maybe the Register should look at this. I'm sure the BOFH could use the
idea. It much more subtle than the 110 AC line on the Ethernet wire.

> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 

 This is a digitally signed message part

More information about the Ale mailing list