I have been asked to set up multiple LANs with Internet access in what I consider to be a hostile environment - a private uni student dorm complex.

Basically it will be Linux gateways with most probably Winblows or Mac boxes on the LANs. As far as possible I will be locating the gateway boxes in as physically secure an area as I can, but even so I will need to be looking at security as regards access to the gateways as well as network security.

My thoughts so far are:

1. BIOS password has very limited effect.
2. GRUB password to prevent editing the GRUB boot strings.
3. Locked cases with no CD or floppy - how can I prevent USB drives being attached without disabling the USB bus in the BIOS? My thinking here is that I will use the USB bus to connect to the Internet modem and the Ethernet connection to connect to the LAN. Perhaps I might be better off to totally disable the USB bus in the BIOS and use a second Ethernet connection to connect to the Internet modem.
4. SNORT on all interfaces.
5. Traffic volume monitoring and reporting with traffic shaping for over quota - what are the privacy considerations here? RRDTOOLS - anything else here?
6. Tight access control into the gateway boxes themselves - no user accounts.
7. Normal filtering of Internet nasties.
8. How do I look for (possibly infringing) P2P traffic?
9. I will need to allow for HTTP, HTTPS, SMTP, POP3, but what ports should I allow for the various IMs, a/v streaming, IRC (6667), what else? I might also need to cater for IPSec tunnelling - I know what is needed there.
10. As this is a private dorm complex, what about AUPs between the students and the landlord?

OK, that's just immediate random thoughts. Would anyone care to add to my worry list, esp anyone who has sysadmin experience in a hostile^H^H^H^Hstudent environment. :)

--
Howard.
LANNet Computing Associates; Your Linux people <http://www.lannetlinux.com>
------------------------------------------
"When you just want a system that works, you choose Linux; when you want a system that just works, you choose Microsoft."
------------------------------------------
"Flatter government, not fatter government; Get rid of the Australian states."
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
