Educause Security Discussion mailing list archives
Re: Monitoring traffic/protecting student accessible machines
From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Fri, 10 Oct 2003 15:08:34 -0600
At the risk of stating the obvious, is it safe to assume you have an approved and published Security Policy that authorizes you to run a packet sniffer and capture packets? And, are your students, faculty and staff aware of the policy and have ready access to it? Without such an approved and published Security Policy, you might get yourself into more trouble than the student! Running an IDS is one thing; sniffing packets is very different!

At MSCD we have deployed a standard image of XP into the Labs. The PC is locked down with Windows Policies and Active Directory. We also have LANDesk installed to push updates. Some of the software is served off of a server and is metered.

--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074

Ron Parker wrote:
> 1) We use Etherpeek from Wildpackets for our sniffer. I have a chokepoint set up where I can capture all traffic between our network and our internet links. If the traffic is purely internal, we use spanned monitor ports on our Cisco switches. We also run Websense in conjunction with our firewall. It provides filtering and reporting of activity for some protocols but not all. You may also be able to use RMON to remotely capture packets of interest from network switches that support RMON.
>
> In my experience with a number of these kinds of cases, your best tool is a detailed packet capture combined with someone verifying the identity of the person at the computer being monitored. It is very time consuming to pursue these cases. That's one reason I've started filtering the hardcore porn via Websense.
>
> 2) We use Deep Freeze in our labs. It isn't a perfect solution but it's the best we've found so far. We are still looking for something better. For example, during the recent Blaster worm outbreak, we couldn't just send out the patch to our lab XP machines via SUS and group policy. Every change to the machine requires disabling Deep Freeze, rebooting, making the change and re-enabling Deep Freeze. That is a real time waster with the hundreds of lab machines we have. I would like to have a way to use Ghost to blast out new images to the labs under such conditions but we're still working on that.
>
> --
> Ron Parker, Director of Information Technology, Brazosport College
> Voice: (979) 230-3480 FAX: (979) 230-3111
> http://www.brazosport.edu
>
> On Fri, 10 Oct 2003, Charles Bombard wrote:
>
>> I have two questions:
>>
>> 1) What do you use to monitor traffic? I am looking for actual packet sniffing. Example of what I am looking for: we have a complaint of a student viewing material they should not be on a lab machine. The IT staff are at another location but can remotely monitor the network. I want to know what sites the person is going to. They are using their own machine but our network. I have MAC address and IP. What do you recommend?
>>
>> 2) What do you do to protect your lab machines from your students? Do you use deepfreeze or a similar product? How do you like the solution that you are using?
>>
>> -Charlie Bombard
>> LAN Systems Administrator
>> Community College of Vermont

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
**********
Current thread:
- Monitoring traffic/protecting student accessible machines Charles Bombard (Oct 10)
- <Possible follow-ups>
- Re: Monitoring traffic/protecting student accessible machines Ron Parker (Oct 10)
- Re: Monitoring traffic/protecting student accessible machines Clyde Hoadley (Oct 10)