Jason’s musings

I just need a little time

To be on a cruddy campus network


What’s been bugging me lately?

The disappointing residence network setup in TCD. They decided to use NAC (Network Access Control) technology to ensure “endpoint compliance” (manufacturer buzzword). What does that mean? It means that computers that want to connect to the network are placed in a quarantined VLAN and have to run software to check their computer for patches, anti-virus, etc. Next, on every boot, you are in another quarantined VLAN and must authenticate using your username and password, which then switches you to a more open VLAN (although it is still a private network). Also, periodically, you are placed on yet another VLAN and must ‘remediate’ using the software, again checking for patches and anti-virus, almost the same thing as registering.

In theory, like all things, it sounds like a great idea: enabling people to connect themselves to the network. However, there are many problems with the system, and last weekend I had no net access because of it.

Let’s begin with registration. The software ‘works’ on Windows, Mac, and Linux. Personally, I run a Linux box on the network, and the software is actually just a script, which contains within it a gzipped binary! Once the script is run, it deletes itself! The binary is i386, and therefore cuts out all other users of Linux systems (even amd64 if they don’t have 32-bit glibc). Last week, I had to remediate using the script, so I thought I’d run it in a Knoppix virtual machine, as I definitely do not want to be running random binaries on my authenticated-software-only Ubuntu box. I decided to do a packet trace of what it does:

GET /remediation/common/SMARegistration.jsp?regMethod=LDAP&uid=[intentionally blanked]&defaultUrl=http://NESSUS1:8080/remediation/Success.html&hw_ip=&mac=[intentionally blanked]&hw_desc=eth1&hw_ip=&mac=[intentionally blanked]&hw_desc=eth0&&hw_name=localhost&os=Linux%202%2E6%2E15-27-amd64-k8%20%231%20SMP%20PREEMPT%20Sat%20Sep%2016%2001%3A57%3A42%20UTC%202006%20x86_64&deviceDesc=Linux+Client&serverIP=tcd-rem.org HTTP/1.0

User-Agent: BSC Agent

Yes, that’s right, all it does is send an HTTP GET request! That request then sends back a status HTML page, which is displayed in a web browser.

This means that anyone could simply send a well-formed request and be registered/remediated, even if their box is a malware-infested Windows machine. In my opinion, this is not security. Sure, perhaps users with viruses won’t ever know this, but that’s still security by obscurity.

My own problem was that the MAC address the script sent back would be different from the one I registered with, and that seemed to confuse the crapware that the system runs. Thankfully, however, the computing service people are very friendly and the problem got solved.
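The two points above (the agent’s “compliance” report is nothing but client-supplied query parameters, and the MAC it reports can disagree with the one the network actually saw) suggest what a network operator running such a system should at least be checking on the server side. The following is an added example, not the vendor’s code or anything from the post: it audits constructed web-server access-log lines for the SMARegistration.jsp request, using only the parameter names and the User-Agent visible in the trace above. The log lines, IP addresses, MACs and the DHCP lease table are all invented for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: three registration GETs as they might appear in the NAC
# server's access log (combined format). Parameter names mirror the request
# in the post; every value here is invented.
SAMPLE_LOG = """\
10.0.5.21 - - [05/Feb/2007:22:10:01 +0000] "GET /remediation/common/SMARegistration.jsp?regMethod=LDAP&uid=alice&hw_ip=&mac=00:11:22:33:44:55&hw_desc=eth0&hw_name=localhost&os=Linux&deviceDesc=Linux+Client&serverIP=tcd-rem.org HTTP/1.0" 200 512 "-" "BSC Agent"
10.0.5.22 - - [05/Feb/2007:22:11:42 +0000] "GET /remediation/common/SMARegistration.jsp?regMethod=LDAP&uid=bob&hw_ip=&mac=00:11:22:33:44:66&hw_desc=eth1&hw_ip=&mac=00:11:22:33:44:77&hw_desc=eth0&hw_name=localhost&os=Linux&deviceDesc=Linux+Client&serverIP=tcd-rem.org HTTP/1.0" 200 512 "-" "BSC Agent"
10.0.5.23 - - [05/Feb/2007:22:12:09 +0000] "GET /remediation/common/SMARegistration.jsp?regMethod=LDAP&uid=carol&hw_ip=&mac=00:11:22:33:44:88&hw_desc=eth0&hw_name=localhost&os=Linux&deviceDesc=Linux+Client&serverIP=tcd-rem.org HTTP/1.0" 200 512 "-" "Mozilla/5.0"
"""

# Constructed DHCP lease table: source IP -> MAC the network itself observed.
# This is the one piece of evidence the client cannot simply type into a URL.
LEASES = {
    "10.0.5.21": "00:11:22:33:44:55",
    "10.0.5.22": "00:11:22:33:44:77",
    "10.0.5.23": "aa:bb:cc:dd:ee:ff",
}

AGENT_UA = "BSC Agent"          # User-Agent the real agent sends (from the trace)
REG_PATH = "SMARegistration.jsp"

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)


def parse_line(line):
    """Split one combined-format log line into the fields the audit needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status, ua = m.groups()
    parts = urlsplit(target)
    # parse_qs keeps repeated keys (the agent sends one mac= per interface) as lists
    qs = parse_qs(parts.query)
    return {
        "src": src, "ts": ts, "method": method, "path": parts.path,
        "status": status, "ua": ua,
        "uid": qs.get("uid", [""])[0],
        "macs": [v.lower() for v in qs.get("mac", [])],
        "os": qs.get("os", [""])[0],
    }


def audit(log_text, leases):
    """Return (findings, macs_per_uid).

    findings: list of (src_ip, uid, reason) for registrations whose claimed
    MAC is not the one DHCP handed out to that IP, or that did not come from
    the agent's User-Agent. macs_per_uid maps each uid to every MAC it has
    claimed, so an account registering many devices stands out.
    """
    findings = []
    macs_per_uid = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(REG_PATH):
            continue
        if rec["ua"] != AGENT_UA:
            findings.append((rec["src"], rec["uid"],
                             "registration not sent by the agent: %s" % rec["ua"]))
        observed = leases.get(rec["src"])
        if observed is None:
            findings.append((rec["src"], rec["uid"], "no DHCP lease for source IP"))
        elif observed.lower() not in rec["macs"]:
            findings.append((rec["src"], rec["uid"],
                             "claimed MAC(s) %s, network observed %s"
                             % (",".join(rec["macs"]), observed)))
        macs_per_uid.setdefault(rec["uid"], set()).update(rec["macs"])
    return findings, macs_per_uid


if __name__ == "__main__":
    found, per_uid = audit(SAMPLE_LOG, LEASES)
    for src, uid, reason in found:
        print("%s uid=%s: %s" % (src, uid, reason))
    for uid, macs in per_uid.items():
        print("%s registered %d MAC(s)" % (uid, len(macs)))
```

Two of the three constructed lines pass: alice’s single MAC matches her lease, and bob’s second interface matches his. The third line is flagged twice, once because it was not sent by the agent at all and once because the MAC it claims is not the one DHCP saw at that address. None of this makes client-asserted patch or anti-virus state trustworthy; it only gives the operator a way to notice when the report and the network disagree, which is exactly the situation the post describes.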

There are many more complaints about NAC technology being a network manager rather than a security system.

The vendor that our people went with is Bradford Networks (take a look at the other universities that use them, not exactly world class). I don’t want to know how much it cost. Strangely, I think they might be ripping off Cisco, as the software they provide is called CSA.exe/CSA.sh, which is quite similar to Cisco Security Agent.

OK, so other than it not being secure, and troublesome in fringe cases, what is wrong with the system for the average user? Well, the authorization system is a big pain in the butt: every time you boot your computer, you must sign in and wait almost a minute for the VLAN to be switched and a new IP address to be assigned. It would be interesting to calculate the collective amount of time wasted waiting to connect to the network. That is not what computing is about.

Some other complaints about computing in college:

  • Requiring XP Professional, but not even using Active Directory (do they have some sinister deal with Microsoft?)
  • Switching from well-performing open source products to expensive one-box appliance solutions; for instance, the proxy server went from Squid to a Blue Coat Systems proxy
  • Sending email off to Microsoft to be scanned for spam, again expensive
  • Tiny email quotas of 60MB (compare with Google Mail’s ~3000MB, and it’s a free service)
  • Restrictive firewall rules, yet they still allow all UDP traffic inbound
  • Being very restrictive about who can have a website under the Trinity subdomain. Compare with, say, http://www-tech.mit.edu (although this might be related to awful Irish libel laws)
  • Not evaluating Vista (even though it came out last November), and requesting manufacturers to supply laptops to students with XP

So, what is the major problem here?

If Trinity seriously considers itself to be a world class university, then it needs to start acting more like one in terms of internal infrastructure. Spending lots of money on third party solutions just doesn’t really cut it. I don’t know how good the IS Services people are at their jobs, but what I definitely think is needed is to divert the money to bring in some top notch network engineers, and act a little more like the bigger universities do.

Update: They now plan to roll the service out to the wireless network (which is already based on LEAP ANYWAY!) to enable lusers to connect without attending a ‘clinic’ (their jargon; they happen to be a member of the HELPDESK institute, whatever the fuck that is). This is even more shit, as often around campus one wants to just flip open the laptop to check something real quick. Bastards.

Incidentally, LEAP is an insecure bitch. I’d use another system, but they only use Cisco, and Cisco use LEAP, so I’m forced to be potentially releasing my username and password every time I connect. What fucking good is a NAC in that scenario anyway? Stupid fucks.

I used quite a lot of swearwords there, but I have to show my contempt for the situation. If an attacker gets my username and password, it would basically allow them to completely steal my identity, within and without college.


Written by jasonmc

February 5, 2007 at 11:59 pm

Posted in Computing
