[Gllug] Linux Hub/Switch
Simon Wilcox
essuu at ourshack.com
Tue Sep 23 14:58:29 UTC 2003
On Tue, 23 Sep 2003, Stan wrote:
> Yes BUT once there is one infected machine inside there is nothing to
> prevent it spreading to all the others. If they are split into blocks
> of 20 odd machines instead of one block of 300 it might help slow the
> rate until all the students get the message that they really do need
> to run windows update!

How about a different approach?

Get a managed switch that has telnet access and can allow you to switch
off ports; 3Com SuperStacks can do this, but there are many others.

Set up a machine running an IDS like snort and locate it somewhere where
it can watch all the traffic on the network.

Next, write a script that runs when the IDS trips. It should connect to
the switch, resolve the IP back to a MAC address, find the port the MAC is
on and switch it off! Of course it needs to check that it is a leaf node
if you have a hierarchy of machines, and it should probably email you to
tell you what it's done.

That will very quickly lock down infected machines as soon as they start
looking for new hosts. It has the added bonus that the user will quickly
notice that their connection has disappeared :-)

I've been contemplating this for one of my clients but they haven't stumped up
the cash yet!!

Simon.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
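
The decision step of the script described in the message above, as an added example that is not part of the original post: it takes a Snort fast-format alert, resolves the source IP to a MAC, finds the switch port and refuses to act unless the port is a leaf node. The alert line, the tables, the uplink set and all function names are constructed for illustration, and it assumes the IP-to-MAC lookup comes from the monitoring host's `/proc/net/arp` and that the switch's MAC table has already been retrieved.

```python
import re

# Constructed sample inputs, not taken from the original post.
ALERT = ("09/23-14:58:29.120000  [**] [1:1000001:1] constructed worm scan [**] "
         "[Priority: 2] {TCP} 192.168.10.57:1046 -> 192.168.10.93:135")
# Assumption: IP-to-MAC comes from the monitoring host's /proc/net/arp.
ARP_TABLE = """IP address     HW type  Flags  HW address         Mask  Device
192.168.10.57  0x1      0x2    00:0c:29:aa:bb:01  *     eth0
192.168.10.93  0x1      0x0    00:00:00:00:00:00  *     eth0
192.168.20.14  0x1      0x2    00:0c:29:aa:bb:03  *     eth0
"""
# Assumption: the switch's MAC table was already fetched as (mac, port) pairs.
FDB = [("00:0c:29:aa:bb:01", 7), ("00:0c:29:aa:bb:03", 24),
       ("00:0c:29:aa:bb:04", 24)]
UPLINK_PORTS = {24}  # ports that lead to other switches, never leaf nodes

ALERT_SRC = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")

def alert_source_ip(line):
    """Source address of a Snort fast-format alert line, or None."""
    m = ALERT_SRC.search(line)
    return m.group(1) if m else None

def ip_to_mac(ip, arp_text):
    """Look the address up in /proc/net/arp text; skip incomplete (0x0) rows."""
    for row in arp_text.splitlines()[1:]:
        f = row.split()
        if len(f) >= 4 and f[0] == ip and f[2] != "0x0":
            return f[3].lower()
    return None

def quarantine_decision(alert_line, arp_text, fdb, uplinks):
    """Return (action, port, reason); action is 'disable', 'notify' or 'ignore'."""
    ip = alert_source_ip(alert_line)
    if ip is None:
        return ("ignore", None, "no source address in alert")
    mac = ip_to_mac(ip, arp_text)
    if mac is None:
        return ("notify", None, f"{ip}: no ARP entry, cannot locate port")
    ports = {p for m, p in fdb if m == mac}
    if len(ports) != 1:
        return ("notify", None, f"{ip} {mac}: seen on ports {sorted(ports)}")
    port = ports.pop()
    shared = len({m for m, p in fdb if p == port}) > 1
    if port in uplinks or shared:
        return ("notify", port, f"{ip} {mac}: port {port} is not a leaf node")
    return ("disable", port, f"{ip} {mac}: switch off port {port}")

if __name__ == "__main__":
    print(quarantine_decision(ALERT, ARP_TABLE, FDB, UPLINK_PORTS))
```

The returned tuple is what would drive the telnet session to the switch and the notification e-mail; the port-disable command itself is vendor specific and is left out. Because the source address in an alert can be forged, a list of ports that must never be switched off is a sensible addition to the uplink set.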