North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: who offers cheap (personal) 1U colo?
- From: Andrew Dorsett
- Date: Sun Mar 14 21:58:34 2004
On Sun, 14 Mar 2004, Vivien M. wrote:
> credibly argue "But I never read this AUP". The web-based DHCP registration
> system prevents that.
Ok, I'll give that one to you. :) Got me there hehehe Though now we are
making the AUP a part of the freshman orientation session so there are no
excuses. Plus they agree to it when they place the installation cd in
their drive (if they use the installation cd which many don't)
> A) It prevents students (or at least, all but the most clueful) from taking
> multiple IPs and having hubs and such in their rooms
That's protected by port security. Just limit them to one mac address per
port. So only the last machine transmitting will get the reply. Works
quite well, shut me down for a few days a few years ago when it was first
> B) It makes it very easy to track what MAC address/IP address is which
> person, as you yourself admitted. Sure, this system requires a bit of effort
> to set up initially (though I think open source implementations are easily
> available), but afterwards, you don't need to have your most clueful network
> engineer dig through to try and figure out which room is what IP. If you
> lower the clue level required to operate an abuse desk, I would argue you
> improve its efficiency in many cases...
See this is not something that requires a clueful engineer. Only requires
the clueful engineer to create a script that does it all automatically.
In fact I've seen the web interface to the whole system. VERY nice. Even
tracks changes, so I can tell if the user pulled the cables, swapped
ports, did bad stuff and then swapped them back to place the blame on the
roommate. I can enter the IP in question and time period and it will then
tell me the mac address in question, then it will automatically look up
the cable database to return the room, and then it will return the names
of the individuals living in the rooms. I argue that the username system
has significant problems which can lead to denial of service. What
happens when your radius box goes offline? This is what caused me to turn
against the offending university. Their authentication box wouldn't stay
online and so I'd have to cross my fingers after a reboot to hope that
I could get back on the network.
> C) It avoids issues of changing ports. Let's say I'm in room 101, and my
> friend Bob is in room 102. I take my laptop to Bob's room and plug it into
> the network and go and do something dumb... If you hunt down my MAC address
> to a particular port, it looks like Bob is the AUP violator. If you have a
> registration system, you know that this MAC address belongs to me, not Bob.
True true that can happen, but again if I log changes I can tell that
someone unplugged their computer and so when Bob gets turned in the
judicial system will be able to question what occured...They know it may
not be him thats guilty but hopefully he will turn in the offender.
> Oh, and what about wireless networks? I have my nice 802.11b card, how do
> you propose to track that without MAC registration (or hackish VPN systems,
> which are also deployed in some campuses)?
As for wireless, well yeah we require you to register the mac off your
wireless nic. Only macs that are in the database are allowed access.
Sure you can spoof someone elses legitmate mac, but thats a different
story. At least I have someone I can blame and let him try to deny it
through the judicial system.
Cisco Certified Network Associate
"Learn from the mistakes of others. You won't live long enough to make all of them yourself."