Firewall with MAC address ACL that is dynamic

Any input is appreciated!

We are a small college in Kansas and need a way to force our users in the dormitories to install our McAfee VirusScan software. We won't be able to physically install it, or put them into a domain. Here is our plan so far.

We have created a silent install of VirusScan that runs a batch file after completion. This batch file records the computer's MAC address to a text file on a remote server. This server has a Python script that runs frequently and can format the text file to our liking.

What we'd like is when the user first plugs in to our network and tries to access a web site, they will get a default page (similar to what most hotels have). This page will welcome them to our network and provide a link to install the University supplied antivirus software. After they approve the installation popups from their browser, they would then have antivirus silently installed in the background. Their computer would then automatically restart (via the batch file after installation).

Now that their MAC address is in the text file on our server, we need to allow them external network access. I've spoken with several people about how to do this, but I'd really like more advice from others.

Right now our network looks like this:

4 T1's providing internet access to the "student network"
1 Tasman 1400 router (which is also the CSU for the T1's, I think)
1 Cisco PIX 506E
Several Cisco 2900 series switches providing the network infrastructure
A Windows 2000 DHCP server (which could also be an IIS web server)

We are prepared to build a new box to act as a proxy, firewall, or router, whichever is needed. I'm not picky as to whether it is Linux or Windows.

We have a limited budget (almost $0).

If we can somehow get the PIX or Tasman to redirect all traffic not coming from MACs on our list to the web server with the download link, then allow all traffic that IS on the MAC list, that would be perfect. We just don't know how to set up an ACL or something that checks an external list.

bjriffel
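As an added example, not the college's own script: a Python version of the "format the text file" step above that normalizes and deduplicates the MACs the batch file logs, and turns them into iptables rules for a Linux box in the router role the post asks about (registered MACs forwarded, everyone else's port-80 traffic DNATed to the portal web server, the rest dropped). The log format, the chain names, the interface name and the portal address are assumptions.

```python
"""Added example (not the college's script): normalize the MAC registration
log written by the install-time batch file and emit iptables rules for a
Linux box acting as the dorm router.  File format, chain names, interface
name and portal address are all assumptions."""
import re
from ipaddress import IPv4Address

# Constructed sample of the registration file (format assumed): one line per
# install, "<hostname> <MAC>", with the MAC in whatever form the batch file
# captured it.  Duplicates and junk lines are deliberately included.
SAMPLE_LOG = """\
DORM-PC-01 00-1A-2B-3C-4D-5E
dorm-pc-02 00:1a:2b:3c:4d:5f
DORM-PC-01 00-1A-2B-3C-4D-5E
broken-line not-a-mac
DORM-PC-03 001A2B3C4D60
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or None if it is not one."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return mac if MAC_RE.match(mac) else None


def parse_registrations(text):
    """Parse the log, drop malformed lines, dedupe; return sorted MACs."""
    macs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        mac = normalize_mac(parts[-1])
        if mac is not None:
            macs.add(mac)
    return sorted(macs)


def build_rules(macs, portal_ip, lan_if="eth0"):
    """Generate iptables commands.  Registered MACs are forwarded normally;
    anyone else gets HTTP redirected to the portal and everything else dropped.
    Chain names AVPORTAL/AVFORWARD are made up for this example."""
    portal_ip = str(IPv4Address(portal_ip))  # raises ValueError on junk input
    nat = [
        "iptables -t nat -N AVPORTAL",
        f"iptables -t nat -A PREROUTING -i {lan_if} -p tcp --dport 80 -j AVPORTAL",
    ]
    # Registered hosts leave the chain untouched; everyone else is DNATed.
    nat += [f"iptables -t nat -A AVPORTAL -m mac --mac-source {m} -j RETURN" for m in macs]
    nat.append(f"iptables -t nat -A AVPORTAL -p tcp --dport 80 -j DNAT --to-destination {portal_ip}:80")

    fwd = [
        "iptables -N AVFORWARD",
        f"iptables -A FORWARD -i {lan_if} -j AVFORWARD",
    ]
    fwd += [f"iptables -A AVFORWARD -m mac --mac-source {m} -j ACCEPT" for m in macs]
    fwd += [
        # Unregistered hosts may still reach the portal and resolve names.
        f"iptables -A AVFORWARD -d {portal_ip} -p tcp --dport 80 -j ACCEPT",
        "iptables -A AVFORWARD -p udp --dport 53 -j ACCEPT",
        "iptables -A AVFORWARD -j DROP",
    ]
    return nat + fwd


if __name__ == "__main__":
    registered = parse_registrations(SAMPLE_LOG)
    for rule in build_rules(registered, "10.0.0.80"):
        print(rule)
```

The box has to be the students' default gateway on the same Ethernet segment, with IP forwarding enabled, because the `mac` match only sees the MAC of the last hop: anything behind a dorm-room NAT router shows up as the router's MAC, and a MAC is trivially changed on most operating systems. Treat the list as a convenience gate that gets the installer in front of people, not as a security control.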

Well we HAVE to do something. Not ALL students have antivirus installed, or don't update it regularly. We don't have the staff to visit each machine to check for these things.

The problem is, that last spring our ISP was 2 days away from closing our connection due to virus activity and traffic coming from our network. Would it be better for us just to set up snort or something on that network to detect virus/trojan activity? Then we would just record the MAC address of the infected machine, and disable their port on the Cisco switch? Then what..... tell the student they aren't allowed back on until what? We would still have to go check their machine wouldn't we? I'm really new to the University IT field (I worked in healthcare before and didn't have to worry about students rights). We get the McAfee cheap (like $1.25 each) for students because of our site license for the campus network.

bjriffel

Bad move - many people don't run or like McRappy software, and my experience with OSU students is that it doesn't do anywhere near a good job protecting students' systems.

You also don't want to force anyone to install AV software when they may already have another AV product installed.

Leythos

Yep, that's how we got the accounts for the OSU sororities - viruses with SMTP engines.

Have you considered that you can stop outbound 135~139, 445, 1433,1434, and even SMTP except from the Univ smtp server? If you do this, it's about 90% of what goes outbound from kids machines.

That's how we do it - we monitor ALL IP:Port traffic, if it is abnormal we block their MAC/IP until they contact us :) They can get around the local network, but no PUBLIC access until the problem is corrected.

If you have them install the AV software or get their machine cleaned - doesn't matter how, then let them back out and see if it's still a problem, then the second offense means they don't get connected until they pay you to check/fix it.

Leythos

In article , bjriffel@ho__tmail.com wrote:
:We are a small college in Kansas and need a way to force our users in
:the dormitories to install our McAfee VirusScan software.

Does your usage agreement prohibit non-Windows machines, or non-PCs ? Did you manage to find McAfee VirusScan for Solaris, SGI IRIX, Mac OS9, Mac OSX, Playstation, Blackberry, Palm Tungsten ?

:We have created a silent install of VirusScan that runs a batch file
:after completion. This batch file records the computer's MAC address
:to a text file on a remote server.

So if I change my NIC, or accidentally connect into the second ethernet port on my computer, or I install a firewall or router or wireless, then I have to re-register? And in the case of a firewall or router, the registration will fail because the MAC seen on the other side of the device is not the same as the MAC of the computer?

:What we'd like is when the user first plugs in to our network and tries
:to access a web site, they will get a default page (similar to what
:most hotels have). This page will welcome them to our network and
:provide a link to install the University supplied antivirus software.
:After they approve the installation popups from their browser, they
:would then have antivirus silently installed in the background.

Unless, that is, they just copied a MAC address from another system, seeing as nearly all systems these days have the capability... Their

Walter Roberson

Why?

Most operating systems don't need such a software program. And if people are good with Windows, then they don't need one either.

Yours, VB.

Volker Birk

If users already have compromised systems, then installing an Anti-Virus program will not solve this problem any more:

Yours, VB.

Volker Birk

Yes. You could use a sniffer to detect that and to block the IP of the user and inform her/him.

Yours, VB.

Volker Birk

Just on a side note, whatever you do, make sure you anticipate it with some sort of communication campaign. Explain the problem, what is the plan to correct it and what are the consequences of not complying. Give time for them to digest it all and implement it in phases.

You are dealing with people, not computers. Education is really what students need (backed by firm policies). By creating a healthy relationship with your user base I'm sure you'll be closer to success and contributing to their development into responsible adults.

speeder

In article , bjriffel@ho__tmail.com wrote:
:The problem is, that last spring our ISP was 2 days away from closing
:our connection due to virus activity and traffic coming from our
:network.

:>We have a limited budget (almost $0)

Next time, allow the ISP to close the network connection, and save up the ISP connection fees until you can afford to put in a rate shaper or firewall with AV (but first send a CYA letter to whoever has budget control, telling them this is what may happen.)

Unless it is your department's fault that you do not have sufficient funding to do everything you are mandated to do, then pass the buck. Make it clear to those above that they have made an administrative decision in their budget allocations, and that those decisions can have consequences, including loss of connectivity for several weeks or months.

*You* didn't make the decision on the budget, right? So in working within the budget you have been given, you are following orders. Your job is not to circumvent the orders, but rather to warn of the consequences if the orders (budget) are not changed.
Walter Roberson

Sonicwalls will enforce AV compliance (as well as updated-ness) through their rebadged version of McAfee VirusScan ASAP.

Mark

The key for us is not needing any physical access to the students' computers. I think for us right now, our best bet is what was already stated: put up a snort box and just disable the port for the computers we see virus activity from.

bjriffel
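As an added example, written for this thread and not code from any of its participants: a Python sketch of the approach the thread converges on, Leythos's "monitor all IP:port traffic and block what is abnormal", Volker Birk's sniffer, and the snort-box-and-disable-the-port plan above, run over constructed connection records. It counts distinct destinations per source host on the ports Leythos names (135-139, 445, 1433, 1434) and on SMTP from anything other than the campus mail relay, and reports the hosts that exceed a threshold. The record format, the addresses and the thresholds are assumptions.

```python
"""Added example (not from the thread): flag dorm hosts whose outbound
connections look like worm scanning or a virus SMTP engine, using the port
list given in the thread.  Record format, addresses and thresholds assumed."""
from collections import defaultdict
from ipaddress import ip_address

# Ports named in the thread as most of what leaves infected student machines.
WORM_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434}
SMTP_PORT = 25
# Assumed address of the campus mail relay: the one host that is allowed to
# talk SMTP to the outside world.
UNIV_SMTP_SERVER = "10.0.0.25"


def make_sample_log():
    """Constructed connection records, one flow per line: 'src dst dport proto'.
    Not real traffic; the addresses are documentation ranges."""
    lines = []
    # A healthy machine browsing a handful of sites (ignored by the detector).
    for i in range(5):
        lines.append(f"10.1.5.10 198.51.100.{i} 80 tcp")
    # A mass-mailer: SMTP straight out to many distinct hosts.
    for i in range(1, 26):
        lines.append(f"10.1.5.20 203.0.113.{i} 25 tcp")
    # A worm probing SMB across a neighbouring /24.
    for i in range(1, 41):
        lines.append(f"10.1.5.30 192.0.2.{i} 445 tcp")
    # The campus relay legitimately delivering mail; exempt from the SMTP rule.
    for i in range(1, 31):
        lines.append(f"{UNIV_SMTP_SERVER} 203.0.113.{i} 25 tcp")
    # One file-share connection: far below threshold, not an offender.
    lines.append("10.1.5.40 10.1.5.10 445 tcp")
    return lines


def parse_record(line):
    """Return (src, dst, dport) or None for a malformed record."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        src = str(ip_address(parts[0]))
        dst = str(ip_address(parts[1]))
        dport = int(parts[2])
    except ValueError:
        return None
    return src, dst, dport


def find_offenders(lines, smtp_threshold=20, scan_threshold=30):
    """Map source IP -> reason for every host that contacted at least
    `scan_threshold` distinct hosts on the worm ports, or at least
    `smtp_threshold` distinct hosts on SMTP without being the campus relay."""
    smtp_dsts = defaultdict(set)
    scan_dsts = defaultdict(set)
    scan_ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip garbage rather than crash on one bad line
        src, dst, dport = rec
        if dport == SMTP_PORT and src != UNIV_SMTP_SERVER:
            smtp_dsts[src].add(dst)
        elif dport in WORM_PORTS:
            scan_dsts[src].add(dst)
            scan_ports[src].add(dport)

    offenders = {}
    for src, dsts in scan_dsts.items():
        if len(dsts) >= scan_threshold:
            offenders[src] = f"probed {len(dsts)} hosts on ports {sorted(scan_ports[src])}"
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= smtp_threshold:
            offenders[src] = f"SMTP to {len(dsts)} distinct hosts, not via the campus relay"
    return offenders


if __name__ == "__main__":
    for host, reason in sorted(find_offenders(make_sample_log()).items()):
        print(f"{host}: {reason}")
```

In practice the records come from a SPAN port, the firewall log, or Snort alerts, and the result still has to be mapped to a switch port by hand (or from the switch's MAC table), which the script does not know about. Egress-filtering those same ports at the PIX, as Leythos suggests, stops most of the damage before detection ever triggers; the detector is for finding the machine that needs cleaning.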
