Re: Monitoring traffic/protecting student accessible machines

[Clyde Hoadley <hoadleyc () MSCD EDU>]

At the risk of stating the obvious, is it safe to assume you
have an approved and published Security Policy that authorizes
you to run a packet sniffer and capture packets?  And, are your
students, faculty and staff aware of the policy and have ready
access to it?  Without such an approved and published Security
Policy, you might get yourself into more trouble than the
student!  Running an IDS is one thing; sniffing packets is
very different!

At MSCD we have deployed a standard image of XP into the Labs.
The PC is locked down with Windows Policies and Active Directory.
We also have LANDesk installed to push updates.  Some of the
software is served off of a server and is metered.

--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074

Ron Parker wrote:
> 1) We use Etherpeek from Wildpackets for our sniffer. I have a chokepoint
> set up where I can capture all traffic between our network and our
> internet links. If the traffic is purely internal, we use spanned
> monitor ports on our Cisco switches.
>
> We also run Websense in conjunction with our firewall. It provides
> filtering and reporting of activity for some protocols but not all. You
> may also be able to use RMON to remotely capture packets of interest from
> network switches that support RMON.
>
> In my experience with a number of these kinds of cases, your best tool is
> a detailed packet capture combined with someone verifying the identify of
> the person at the computer being monitored. It is very time consuming to
> pursue these cases. That's one reason I've started filtering the hardcore
> porn via Websense.
>
> 2) We use Deep Freeze in our labs. It isn't a perfect solution but it's
> the best we've found so far. We are still looking for something better.
> For example, during the recent Blaster worm outbreak, we couldn't just
> send out the patch to our lab XP machines via SUS and group policy. Every
> change to the machine requires disabling Deep Freeze, rebooting, making
> the change and re-enabling Deep Freeze. That is a real time waster with
> the hundreds of lab machines we have. I would like to have a way to use
> Ghost to blast out new images to the labs under such conditions but we're
> still working on that.
>
> --
> Ron Parker, Director of Information Technology, Brazosport College
> Voice: (979) 230-3480             FAX: (979) 230-3111
> http://www.brazosport.edu
>
>
> On Fri, 10 Oct 2003, Charles Bombard wrote:
>
>
> > I have two questions:
> > 1)
> > What do you use to monitor traffic? I am looking for actual packet
> > sniffing. Example of what I am looking for, we have a complaint of a
> > student viewing material they should not be on a lab machine. The IT staff
> > are at another location but can remotely monitor the network.. I want to
> > know what sites the person is going to. They are using their own machine
> > but our network. I have MAC address and IP. What do you recommend?
> >
> > 2)
> > What do you do to protect your lab machines from your students? Do you use
> > deepfreeze or a similar product? How do you like the solution that you are
> > using?
> >
> > -Charlie Bombard
> > LAN Systems Administrator
> > Community College of Vermont
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> > http://www.educause.edu/cg/.
>
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.