Educause Security Discussion mailing list archives

Reverse DNS Names and IP Addresses


From: Terence Ma <Terence.Ma () TUN TOURO EDU>
Date: Sun, 2 Aug 2009 20:23:44 -0700

Sorry for the cross-post. It was suggested that I would get a better response here on the Security mailing list. 
Thanks! Tere

From: Terence Ma
Sent: Sunday, August 02, 2009 7:47 PM
To: The EDUCAUSE CIO Constituent Group Listserv
Subject: Reverse DNS Names and IP Addresses

Dear All:

In lieu of roller coaster rides (on which I do poorly), I think that an equally frightening and devastating experience 
is attending Defcon (my first this year).

One of the talks this weekend brought up a few very interesting questions to me. (It should be noted that the speakers 
were very complimentary about their institution's IT and IT's willingness and cooperation in working on this issue.)

Apparently, at 60+ institutions in the US, DNS names are assigned to machines on the network based on user credentials. 
Apparently, many of these institutions assign [firstname]-[lastname].[campus-network].[institution].edu to 
semi-permanent IP addresses, which are then assigned to the user. In the case of some of these institutions, the 
"campus-network" might be something like "dorm" or "wireless". Additionally, at many of these institutions, the user 
(employee or student) has to authenticate once and then their MAC address is associated with their account, DNS name, 
and IP address, so that in the future, when a machine attaches to the network with the known MAC address, it is 
assigned access to the appropriate account, DNS name, IP address, and network privileges. I believe I heard that at 
many of these institutions, the network username is [firstname].[lastname] and the email address is 
[firstname].[lastname]@[institution].edu.

As a somewhat newbie to being a CIO (two years and counting), I was wondering whether this practice is truly this 
common? It seems that there are potential FERPA issues, security issues, as well as other privacy issues. Additionally, 
how does one protect against a spoofed MAC address (obtained from sniffing by a non-University person)?

One of the people in the Q&A session indicated that their University spent a lot of money so that all users had 
semi-permanent public IP addresses - something recommended strongly from legal to IT. Is this also a common practice?

Thank you in advance for satisfying my curiosity.

Sincerely, Tere

--
Terence P. Ma, Ph.D.
Chief Information Officer
Touro University Nevada
874 American Pacific Dr.
Henderson, NV 89014, USA
Ph: 702-777-1805
Fx: 702-777-1736
Mb: 702-469-1770
Em: terence.ma () tun touro edu
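
An added example, not part of the original message: one way a network team could audit its own reverse zone for PTR records that follow the [firstname]-[lastname].[campus-network].[institution].edu scheme described above. The zone excerpt, the example.edu names, the 192.0.2.0/24 addresses and the usernames are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample data: a reverse zone excerpt and directory usernames.
SAMPLE_ZONE = """\
; reverse zone for 192.0.2.0/24 (constructed)
17.2.0.192.in-addr.arpa.  3600 IN PTR jane-doe.dorm.example.edu.
18.2.0.192.in-addr.arpa.  3600 IN PTR host-018.dorm.example.edu.
40.2.0.192.in-addr.arpa.  IN PTR John-Smith.wireless.example.edu.
41.2.0.192.in-addr.arpa.  PTR printer-lab.wireless.example.edu. ; shared device
"""
SAMPLE_USERS = ["jane.doe", "john.smith", "alex.lee"]

# owner [ttl] [IN] PTR target  (simplified zone-file syntax, an assumption)
PTR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(\S+)", re.IGNORECASE)

def owner_to_ip(owner):
    """Turn '17.2.0.192.in-addr.arpa.' into '192.0.2.17' (IPv4 only)."""
    labels = owner.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    return ".".join(reversed(labels[:4]))

def audit_ptr_records(zone_text, usernames):
    """Return PTR records whose hostname embeds a directory user's name."""
    # Username 'first.last' maps to hostname label 'first-last'.
    by_label = {u.lower().replace(".", "-"): u for u in usernames}
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = PTR_LINE.match(line)
        if not m:
            continue
        ip = owner_to_ip(m.group(1))
        labels = m.group(2).rstrip(".").lower().split(".")
        user = by_label.get(labels[0])
        if ip and user and len(labels) >= 2:
            # labels[1] is the campus-network part, e.g. 'dorm' or 'wireless'.
            findings.append({"ip": ip, "hostname": ".".join(labels),
                             "user": user, "network": labels[1]})
    return findings

if __name__ == "__main__":
    for f in audit_ptr_records(SAMPLE_ZONE, SAMPLE_USERS):
        print(f"{f['ip']} -> {f['hostname']} exposes {f['user']} on '{f['network']}'")
```

Each finding is a record where anyone able to resolve the address learns a person's name and the campus network they are on.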

