Firewall Wizards mailing list archives

Re: separation of student and staff networks ???


From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Thu, 30 Aug 2001 10:07:59 -0500

At 08:15 AM 8/29/2001, Shaun Moran wrote:

Traditionally we would typically deploy some form of access control device and deploy two separate ethernet networks ... Lately though - I have been more and more concerned about this approach because of the lack of physical security at the schools ...

Of course, there's no perfect solution, given that you can't control the physical configuration, and physical access provides ample opportunities for misuse.

Have you thought about host-based personal firewalls -- you could set up two sets of IP addresses, one for students and one for teachers (two pools of addresses, if allocated dynamically) and program the teachers' machines and servers to ignore all packets from student machines.

If you're worried about subversion of a teacher's machine, you might want to look at the embedded, NIC-based firewalls being offered by 3Com and SCC. Even if student attackers subvert a teacher's machine, they can't penetrate the NIC and subvert the address filtering. The NIC protects its filtering functions from the host, and at worst an attack will be detected by the central admin console. It's supposed to be released as a product this fall, and it's based on one of 3Com's commodity NICs (around $100 each).

The downside is that this is a pretty new technology. It's being tested in infowar scenarios with the military, but I'm not sure if that's as hostile of an infowar environment as a public school system :->

Rick.
smith () securecomputing com          roseville, minnesota
"Authentication" coming in October http://www.visi.com/crypto/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
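
The two-pool host filter suggested in the message above, as an added example that is not part of the original post: it checks that the student and staff pools are disjoint, generates drop rules for a staff host, and evaluates sample source addresses. The pool ranges, the function names and the choice of iptables as the host firewall are assumptions.

```python
import ipaddress

# Constructed sample pools (assumptions, not from the original message).
STAFF_POOL = ipaddress.ip_network("10.20.0.0/24")
STUDENT_POOL = ipaddress.ip_network("10.20.8.0/22")


def check_pools(staff, student):
    """Reject a plan where the pools overlap: an address in both pools
    would be trusted and blocked at once, so the filter is ambiguous."""
    if staff.overlaps(student):
        raise ValueError(f"pools overlap: {staff} and {student}")


def staff_host_rules(student):
    """iptables commands for a teacher machine or server: log a sample of
    traffic sourced from the student pool, then drop all of it."""
    return [
        f"iptables -A INPUT -s {student} -m limit --limit 5/min "
        f"-j LOG --log-prefix 'student-src: '",
        f"iptables -A INPUT -s {student} -j DROP",
    ]


def verdict(src, student=STUDENT_POOL):
    """What a staff host with those rules does with a packet from src.
    Assumes the INPUT chain otherwise accepts traffic."""
    return "DROP" if ipaddress.ip_address(src) in student else "ACCEPT"


if __name__ == "__main__":
    check_pools(STAFF_POOL, STUDENT_POOL)
    print("\n".join(staff_host_rules(STUDENT_POOL)))
    # Constructed source addresses: staff, student, outside both pools.
    for src in ("10.20.0.17", "10.20.9.200", "10.20.12.1"):
        print(src, verdict(src))
```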

