Title: Windows in HiEd Conference
1. Windows in Hi-Ed Conference
- NetReg and the Automated Virus Cleaning and Security Patching Process
Monday, April 25, 2005
Matt Kramer, Analyst/Consultant
Information Technology
Boston University
kramer_at_bu.edu
617-353-8232
2. Boston University
- Founded in 1839; 4th largest independent university in US.
- 132 acres; 348 buildings; 465 classrooms.
- 11,000 residents; 28,300 students; 3,400 faculty; 5,500 staff; 230,000 living alumni.
- 17 schools and colleges.
3. Aerial View: Boston University
[Aerial photo with labels: Boston University, Fenway Park]
4. ResNet Facts
- 10th largest undergraduate housing system in the US.
- Number of beds on campus: 10,781.
- ResNet subscription includes one 10Mb network jack per pillow.
- Average Internet traffic from ResNet is around 180Mbps out and 130Mbps in.
- Current total NetReg entries: 16,000.
- NetReg first deployed at BU during Fall 2002; automatic certification first deployed Fall 2004.
5. Goals for implementing NetReg
- Provide a one to one association between a computer and a user.
- Enforcement of computer ethics and acceptable use policy.
- Allow for the ability to charge a ResNet fee.
- Quicker resolution of security events due to virus infections, DMCA and abuse cases.
6. What is NetReg?
- First developed by Southwestern University in 1999.
- http://www.netreg.org
- Network Registration system uses DHCP, DNS/BIND and HTTP.
- Easy to Use
- Perl-CGI driven.
- MySQL Back-End.
- Web Interface for help desk support.
7. NetReg Basics
- Based on Network MAC Address.
- DHCP server has two pools.
  - If MAC is known, DHCP assigns a real IP and real DNS servers.
  - If MAC is unknown, DHCP assigns a private IP and the broken DNS servers.
- Private DNS server is configured with a fake root that resolves all name queries to the NetReg web server.
- Switch ACLs used to limit access from the private IP space to only a specific list of NetReg servers.
8. NetReg - Process
- User jacks into the network for first time.
- DHCP server hasn't seen the MAC address and assigns a private IP.
- User browses web and is forced to NetReg registration page. Username is associated with MAC and recorded in the NetReg database.
- OS is detected by JavaScript and browser string.
- Non-Windows
  - MAC is put into DHCP allowed list and user is given a public IP.
- Windows
  - Certification process (BUVS) is run locally on PC.
  - BUVS reports results back to NetReg.
  - If success code is sent, MAC is put into DHCP allowed list and the machine is allowed onto the public network.
  - If failure, help desk intervention is required to certify machine.
9. NetReg Welcome Page
10. NetReg User Authentication
11. NetReg Registration Page
12. NetReg BUVS Certification
13. NetReg Flow
[Flowchart. Decision boxes: Is MAC known? Is state U? Is state P? Is state Q? Detect OS (Windows / Non-Windows). Did BUVS succeed?]
[Action boxes: DHCP request sent. Assign private IP. Set Registered State to P in NetReg database. Redirect to NetReg registration page. Provide username and password. Download and run BUVS on client. Helpdesk intervention needed. Set Registered state to R in NetReg database. Update DHCP servers with MAC. Client DHCP release / renew. NetReg state is R. User is registered and not in violation. Assign normal IP. Go to quarantined URL.]
- NetReg States
  - U: Unknown MAC, never been registered.
  - P: Pre-registered. In database, but has not successfully finished BUVS.
  - Q: Quarantined. Kicked off network due to DMCA, Virus or other reasons.
  - R: Registered and Active.
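The registration states and pool selection from the process and flow slides above, written as a small state machine. This is an added example, not code from NetReg or BUVS; the in-memory dict, the function names, placing quarantined machines in the private pool, and refusing re-registration of a quarantined MAC are assumptions.

```python
# Added example (not NetReg's own code): the U/P/Q/R states as a state machine.
# The dict-based "database" and every function name here are hypothetical.
import re

PRIVATE, PUBLIC = "private", "public"   # the two DHCP pools

def norm_mac(mac):
    """Canonicalise a MAC so 00-0A-..., 000a.... and 00:0a:... all match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def state_of(db, mac):
    """U = MAC never seen; otherwise the recorded state P, Q or R."""
    rec = db.get(norm_mac(mac))
    return rec["state"] if rec else "U"

def dhcp_decision(db, mac):
    """Return (pool, landing page) for a DHCP request from this MAC."""
    state = state_of(db, mac)
    if state == "R":
        return PUBLIC, None
    page = {"U": "register", "P": "buvs", "Q": "quarantined"}[state]
    return PRIVATE, page   # assumption: Q is also served from the private pool

def register(db, mac, username, os_family):
    """Tie username to MAC. Non-Windows goes straight to R; Windows waits in P."""
    if state_of(db, mac) == "Q":   # assumption: Q is only cleared by the help desk
        raise PermissionError("quarantined MAC cannot re-register")
    state = "P" if os_family == "windows" else "R"
    db[norm_mac(mac)] = {"user": username, "state": state}
    return state

def buvs_report(db, mac, success):
    """Apply a BUVS result: P -> R on success; failure stays P (help desk)."""
    rec = db.get(norm_mac(mac))
    if rec is None or rec["state"] != "P":
        raise LookupError("BUVS result for a MAC that is not pre-registered")
    if success:
        rec["state"] = "R"
    return rec["state"]

def quarantine(db, mac):
    """Move a known MAC to Q (DMCA, virus or other reasons)."""
    db[norm_mac(mac)]["state"] = "Q"
```

Rejecting a BUVS result for any MAC that is not in state P keeps a success code from releasing a machine that never registered or that has been quarantined.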
14. Boston University Virus and Security Tool (BUVS)
- Purpose
  - Provide an automated way to certify a PC before granting general network access.
  - Help clean up an ever growing population of virus infected machines.
  - Provide a Help Desk support tool to help minimize the number of PCs that might require hands-on assistance.
15. BUVS: What does it do?
- Turns on ICF and schedules automatic updates!
- If necessary, requires Administrator password change.
- Force the installation of missing Service Packs.
- Scans for and automatically installs any missing Microsoft security patches.
- Downloads latest virus definitions from McAfee.
- Boots into Safe Mode and runs a one-time virus scan using McAfee VirusScan command line version.
- Reports results back to the NetReg server, allowing automatic release of the PC onto the "public" network.
16. BUVS Administrator Password
- Force change of weak passwords.
17. Download Microsoft Updates
- Connect to internal server for list of available patches.
- Verify at correct Service Pack Level.
18. Scan and Install Missing Patches
- Scan for patches using hfnetchk.
- Display a list of all missing patches.
19. Patch Download Process
- Patches downloaded from internal SUS server.
- Reasons for use of SUS server.
  - allows for automatic downloading of new patches.
  - support for multiple languages.
20. Download Virus Definitions
- Connect to NAI and download latest virus definitions and scanner.
- A Web proxy provides access to NAI Web sites from the limited access, private network.
21. Boot into Safe Mode
22. Safe Mode VirusScan
- Remove Temporary
- IE Cache.
- Force the scan to finish by disabling the close button.
23. Safe Mode VirusScan Results
- Scan the VirusScan log file for results and display to the User.
24. Send Status Code to NetReg
- If PC is virus free and fully patched then release from network jail.
- Send BUVS log file to Exchange public folder.
- Send Encrypted Status Code to NetReg Server.
- Release and Renew Client DHCP.
25. Success!
- The virus-free and fully patched PC is granted access to the network.
26. BUVS Exchange Public Folder
27. Statistics for Fall 2004
- 12,054 users ran BUVS
- OS breakdown
  - Windows XP (91.03%), Windows 2000 (2.45%)
  - Windows 9x (6.46%), Windows NT (0.06%)
- Infections
  - 2,930 (24.31%) machines were infected with a total of 41,639 viruses.
  - Over 200 unique virus types.
- Patches
  - 43.95% of the machines were missing two or more.
  - 59,396 patches were installed.
- Average BUVS run time: 41 min and 8 sec
- Total files scanned for viruses: 941,987,563.
28. Problems
- NetReg
  - Static IPs.
  - Remote Connections.
  - Guest Access.
- BUVS
  - Service Pack Failures.
  - Virus Scan Failures.
  - Spyware.
  - Real-time Certification.
29. Thanks for your attention!
- Any questions?
- My Info
  - Matt Kramer
  - Boston University
  - kramer_at_bu.edu
  - 617-353-8232