FC3 Security

Rick Sewill rsewill at cableone.net
Wed Mar 9 21:41:07 UTC 2005 

On Wed, Mar 09, 2005 at 02:25:31PM -0600, Aleksandar Milivojevic wrote:
> Jeff Kinz wrote:
> >Any IT dept that equates sshd to a server is either not up to snuff
> >technically (and in a really bad way.), or they are being duplicitous.
> >(Thats another word for lying)
> 
> I've heard only one side of the story about that particular IT 
> department (Rick's side), and reacted upon it (probably shouldn't have, 
> at least not without knowing the other side of the story).
> 
> However, for one thing I must agree with the IT department in question. 
>  Allowing unrestricted connections to any service (including SSH) from 
> Internet isn't something that should be allowed.  It isn't really 
> relevant if the machine is server or not.
> 
> Now, definition of server is kind of fuzzy.  If machine is running a 
> service that accepts connections, it might be considered a server.  All 
> depends on the definition one chooses to use.  On the other hand, using 
> that definition, each and every Windows machine with file&printer 
> sharing enabled is also a server (and my guess is that file&printer 
> sharing is commonly used on the university type of network).
> 
> I can kind of see the mentioned IT department as having a point *if* 
> they are the only ones who are administering all those Windows boxes on 
> their network, keep them tightly closed down, with users not able to 
> change any system settings, with BIOS passwords to prevent users from 
> reinstalling machines.  If users have Administrator privileges on those 
> Windows machines, than I can't see any reasoning behind their decision, 
> as long as Rick is not bugging them to troubleshoot his problems.
> 
> Another thing that puzzles me is, if the network is completely open (as 
> Rick said it is), and they are depending only on Windows XP firewall 
> feature, than what is the difference between Rick's machine and any 
> other host on the Internet?  Sure, somebody can do more effective DoS on 
> local network, but other than that?
> 
> BTW, I completely agree with one comment made here.  IT department 
> provides service.  There are no "us" and "them".  In corporate world, we 
> do whatever is needed to support bussiness needs.  IT department in 
> university setting should be the same.  If somebody needs Linux box 
> connected to network to do his work, IT folks shouldn't be in the way 
> "because we are Windows-only shop".  I always considered my job 
> description to be "finding a way to allow people to do their work in 
> most efficient way, while keeping it secure".
> 
> What Rick described is completely opposite attitude that results in 
> restricting people in doing their work, separation to "us" and "them", 
> and inefficient use of resources.
> 

I shouldn't comment, not knowing the facts.

Curiosity is getting the better of me.

As others have suggested, I think Rick should work from home where he
has more control.

What other types of Internet access does Rick plan to use from his
Linux box besides using an sshd so he can connect from home?

I read, from a previous message, Rick has a half a million dollar
grant to do research.  If his grant is important to him, I would have
expected him to ask what security measures are taken so his research
is not disturbed or interrupted.  Having a secure computer is hardly
sufficient these days.  The network one is connected to has to work
reliably with a reasonable expectation of performance too.  

I would have expected other researchers to have similar requirements
that their research not be disturbed or interrupted.  I would find out
what other researchers did (or didn't do).

I would ask for a security audit of the data center so any weaknesses
they may have can be uncovered and corrected.  I.e., the data center
should be able to prove it provides a secure environment for doing
valuable research.

I would expect the IT people in the data center to welcome an audit.

The data center will get added, sounds like much needed, visibility.

Hopefully, as a result of a security audit, some of the suggestions
others have made, such as having firewalls, putting information
needing greater security on separate subnets with firewall/routers
separating the subnets, having DMZ zones with firewalls standing
between not only the DMZ zones and the internal networks, but also
between the DMZ zones and the Internet.

How much would it cost to do a security audit?
How much would a reasonable firewall/router cost these days?
How much would it cost to have separate wiring for the subnets?
What other costs would be involved?
Who would pay these costs?

I have no idea what these suggestions cost.  It's easy to make
suggestions when one is not paying the bills.  

It surprises me, if accurate, that communication with the IT people
from the data center is this sour.  If the IT people are truly to
blame, I would find out who funds the data center.  Rick is obviously
not the "customer" providing funding to the data center.  The people
who matter are the people who provide the funding.  They may or may
not be the management that oversees the data center.  The management
will save complaints for later review when it's time to evaluate data
center employees.  I believe the action of management depends, not
only on the substance of the complaint, but unfortunately and more
importantly, on who made the complaint.

The people who provide the funding, the true "customers" of the data
center, might or might not be sympathetic to Rick's complaints.
Decades ago, I saw how quickly management and IT people could jump
when a very important customer, this one provided lots of funds, was
about to sneeze.  It's amazing how barriers and problems became
trivial.  It's amazing how, suddenly, money was no object.

One person pointed out Rick should go to the head of his research
department.  A graduate student's complaint probably doesn't count as
much as a tenured professor's.

It would be interesting to hear the side of the IT people from the
data center.  They sound like they have limited funds.  They may not
be able to adequately protect the "data" and resources at their data
center.  One hopes the funds spent for security are, in some way,
proportional to the value of the data and the value of the resources
being protected.  Perhaps, the IT people at the data center need more
visibility to get more funds and resources to do their job better.

One hopes the data center and the university take adequate security
measures before their PCs become part of a large botnet.  Perhaps,
they could weather the bad publicity if their PCs were used for
criminal purposes.  Perhaps, there wouldn't be as many financial and
legal repercussions if they could show they had done their best to
prevent such an occurrence.  Perhaps, if they pro actively do a
security audit and take remedial action now, they will avoid much pain
and embarrassment later.

Just my two cents.  

Not knowing the facts or paying their bills, I should talk....
I should keep quiet now.

-- 
Rick Sewill                      Phone/FAX: +1-218-287-1075
E-mail: rsewill at cableone.net    Cell Phone: +1-701-866-0266

More information about the fedora-list mailing list