Hi Howard,
On Tue, 1 Feb 2005, Howard Lowndes wrote:
> I have been asked to set up multiple LANs with Internet access in what I consider to be a hostile environment - a private uni student dorm complex.
> 1. BIOS password has very limited effect.
> 2. GRUB password to prevent editing the GRUB boot strings.
Both are a must-have...
> 3. Locked cases with no CD or floppy - how can I prevent USB drives being attached without disabling the USB bus in the BIOS. My thinking here is that I will use the USB bus to connect to the Internet modem and the Ethernet connection to connect to the LAN. Perhaps I might be better off to totally disable the USB bus in the BIOS and use a second Ethernet connection to connect to the Internet modem.
We have locked cases, but edit the boot order so that it won't boot off CD or floppy, thus our students are allowed to bring work from home and get them on. We also allow USB drives. However, if you don't want them, then why not just disable usb-storage in the kernel build? Only turn on the options you need in the USB support. In Windows I think installing them requires power-user access, so should be avoidable even there.
> 4. SNORT on all interfaces.
> 5. Traffic volume monitoring and reporting with traffic shaping for over quota - what are the privacy considerations here? RRDTOOLS - anything else here?
We use a home-grown tool. I don't think monitoring volume is a problem, but content possibly. http://www.cse.unsw.edu.au/~ipq/doc/ for info, but I doubt the setup cost is worth it for a small installation.
We also have a tool to monitor for scanning activity (internal and external), and dynamically modify the firewall. There is a presentation on this at the AUUG Digital Pest Symposium (it's called "Bumpety").
> 6. Tight access control into the gateway boxes themselves - no user accounts.
> 7. Normal filtering of Internet nasties.
> 8. How do I look for (possibly infringing) P2P traffic?
Block known ports. Make a clear, well known policy. Stopping it altogether, as with looking for it, is difficult. You may also risk privacy things there. I'd say the biggest giveaway is sheer volume.
> 9. I will need to allow for HTTP, HTTPS, SMTP, POP3, but what ports should I allow for the various IMs, a/v streaming, IRC (6667), what else? I might also need to cater for IPSec tunnelling - I know what is needed there.
IMAP, SSH, etc etc.
> 10. As this is a private dorm complex, what about AUPs between the students and the landlord.
> OK, that's just immediate random thoughts. Would anyone care to add to my worry list, esp anyone who has sysadmin experience in a hostile^H^H^H^Hstudent environment. :)
We're pretty generous here, being a research institution... Our IP quota system seems to stop a lot of badness, plus support people keep an eye out for strange traffic spikes. This would be harder if there isn't a full-time person involved somewhere.
Cheers,
- Simon
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
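
Added example, not part of the original message and not the quota tool it links to: per-host daily volume accounting that keeps only byte counters (no ports, peers or content), flagging hosts over quota and hosts far above the day's median, the "sheer volume" signal discussed in the thread. The quota, the spike factor, the addresses and the flow records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

MiB = 1024 ** 2
DAILY_QUOTA = 2048 * MiB   # assumed per-host daily quota (2 GiB)
SPIKE_FACTOR = 10          # assumed: flag hosts at >= 10x the day's median

# Constructed sample records: (day, internal_ip, bytes_in, bytes_out).
# Only counters are stored, so the accounting never touches content.
SAMPLE_FLOWS = [
    ("2005-02-01", "10.0.1.11", 300 * MiB, 20 * MiB),
    ("2005-02-01", "10.0.1.11", 100 * MiB, 5 * MiB),
    ("2005-02-01", "10.0.1.12", 150 * MiB, 10 * MiB),
    ("2005-02-01", "10.0.1.13", 2500 * MiB, 900 * MiB),
    ("2005-02-01", "10.0.1.14", 200 * MiB, 15 * MiB),
    ("2005-02-02", "10.0.1.11", 180 * MiB, 10 * MiB),
    ("2005-02-02", "10.0.1.12", 90 * MiB, 10 * MiB),
    ("2005-02-02", "10.0.1.13", 120 * MiB, 10 * MiB),
    ("2005-02-02", "10.0.1.14", 100 * MiB, 1700 * MiB),
]

def daily_totals(flows):
    """Sum bytes in both directions per (day, host)."""
    totals = defaultdict(int)
    for day, ip, b_in, b_out in flows:
        totals[(day, ip)] += b_in + b_out
    return totals

def review(flows, quota=DAILY_QUOTA, spike=SPIKE_FACTOR):
    """Return {day: {"over_quota": [ips], "spikes": [ips]}}."""
    by_day = defaultdict(dict)
    for (day, ip), total in daily_totals(flows).items():
        by_day[day][ip] = total
    report = {}
    for day, hosts in by_day.items():
        med = median(hosts.values())
        report[day] = {
            # Candidates for traffic shaping.
            "over_quota": sorted(ip for ip, t in hosts.items() if t > quota),
            # Unusual relative to peers, even if still under quota.
            "spikes": sorted(ip for ip, t in hosts.items()
                             if med > 0 and t >= spike * med),
        }
    return report

if __name__ == "__main__":
    for day, result in sorted(review(SAMPLE_FLOWS).items()):
        print(day, result)
```

The second sample day shows a host that stays under quota but is still flagged because its upload volume is far above its peers.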
