FC3 Security

Jason Powers powers.jason at jimmy.harvard.edu
Thu Mar 10 00:15:19 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry to hear of your trouble, Rick. We have a larger-scale but similar
situation here: we run the LAN but not the routers, DHCP or DNS, which
makes things a little difficult when we want to run terminals and such,
and there's no way we can run anything accessible from outside. The sad
thing is we own all the hardware, too, and just let someone else manage it
(in return for free bandwidth. Oceans of free bandwidth).

I think that if you are doing this on your own, at your own or your
grant's expense, I would look into grabbing some hosting at a place like
openhosting.com. It's enough of a Linux box for most of your needs, it
won't piss off the admins, and you're not paying the $100+ it would
run you for a whole dedicated box.

On the whole, Alexander nailed it: you'll never get to run your own
router or anything on that network. They have the IPs, they make the
rules, and one IP per machine is not unreasonable.

While we're talking about it, be careful not to turn the bridge
connector on in your laptop, either. The router spots the packets and
shuts it off as if it were a router. We've already run into this about 5
times with visiting scholars.

Jason Powers


Rick Bilonick wrote:
| Alexander Boström wrote:
|
|> tis 2005-03-08 klockan 23:58 -0500 skrev Rick Bilonick:
|>
|>
|>> The data center would go ballistic if I used a router to set up a
|>> local LAN with a firewall. (The university frowns on connecting
|>> routers and hubs to the network. It wants one computer for each
|>> port/IP address. I think this is somewhat silly, but what can I do?)
|>>
|>
|>
|> That is actually the most sane rule of all the rules that your IT
|> department has imposed on the network. When they see a threat on the
|> network they want to be able to 1) know the MAC of the infected, cracked
|> or abused computer, 2) analyse the traffic and 3) pull the plug on the
|> computer without losing an entire office with many other computers
|> along with it. Hence, they want to be in control of the routers and
|> switches. That is sane.
|>
|> It is also somewhat understandable that they want to be in control of
|> what runs on the computers. This allows them to make sure the computers
|> are fully updated with the latest patches etc. However, this is not
|> always practical because the needs of the users vary a lot. A Windows-
|> only policy will definitely limit the available tools, which will very
|> likely be a problem in a university setting. The curriculum of the
|> students might be adapted to the available tools, but the researchers
|> need some flexibility to do their job. If the systems offered by the IT
|> department don't provide what you need to be able to do your job, then
|> they must allow you to manage your own computers. If that requires them
|> to somehow reorganise the network to feel safe, then so be it.
|>
|> What the people who manage the network should do is actually meet
|> with the people who use the network, get to know them and get a feel for
|> who is capable of managing their own computers, regardless of the
|> operating system. Some people really should be placed in front of a
|> locked-down computer with no root/admin access, while some know what
|> they're doing and can work with the network owners to keep it free from
|> infection. Sometimes accidents will happen anyway, but as long as it's
|> rare, it's something you can live with.
|>
|> Sometimes a single computer managed by its only user can grow
|> organically to a set of servers and workstations managed by a sysadmin,
|> which can then move up to the IT dept. and the computer system provided
|> as a solution to the whole organisation, thus replacing a bunch of other
|> user-managed single computers here and there. This is much more
|> desirable than to just crush any non-sanctioned computer use.
|>
|> Buying a separate DSL seems like a waste of money, caused by a problem
|> within the organisation.
|>
|> /Alexander Boström,
|> University sysadmin.
|>
|>
|>
|>
| I agree completely. Unfortunately, we seem to work for the benefit of
| the data center IT group. They never ask about our needs. Their motto
| is: one size fits all. The thing is, it's my bad luck to have an office
| in the data center. Otherwise, I have no connection to the data center.
|
| Rick B.
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCL5GXTYWmZxo5gP0RAonlAJ9YYDpIGi5eY2K2PDUtGBPYQleFowCeNryV
dLooCluRfwPAXBWypKvRVJk=
=N/Br
-----END PGP SIGNATURE-----
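The behaviour Jason warns about (the campus gear "spots the packets" from a
bridging laptop and shuts the port off) is ordinary switch port security: an
access port is allowed one source MAC, and a second MAC behind it, whether from
a bridged wireless interface, a hub or a hidden router, trips a violation and
err-disables the port. The Python below is an added illustration of that rule,
not code from the thread or from any vendor's switch; the port names, MAC
addresses and frame sequence are constructed, and the function names
(enforce_port_security, shutdown_ports, normalize_mac) and the max_macs
parameter are this example's own. It models the "sticky" variant, where the
first MAC(s) seen on a port become the allowed set.

```python
"""Toy one-MAC-per-port (port security) check. Added example, not from the thread.

A campus switch learns the source MAC of each frame per access port. With port
security set to one MAC per port, a second source MAC on the same port (a laptop
bridging wired and wireless, a hub with two hosts, a NAT box in bridge mode) is a
violation and the port is administratively shut down (err-disabled).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: (switch port, source MAC) pairs in the order the switch saw them.
SAMPLE_FRAMES = [
    ("Gi1/0/1", "00:11:22:33:44:01"),
    ("Gi1/0/1", "00:11:22:33:44:01"),
    ("Gi1/0/2", "00:11:22:33:44:02"),
    ("Gi1/0/2", "00:11:22:33:44:ab"),  # second MAC: bridging laptop behind the port
    ("Gi1/0/3", "00:11:22:33:44:03"),
    ("Gi1/0/3", "00:11:22:33:44:03"),
    ("Gi1/0/4", "00:11:22:33:44:04"),
    ("Gi1/0/4", "00:11:22:33:44:05"),  # hub with several hosts
    ("Gi1/0/4", "00:11:22:33:44:06"),
]


@dataclass
class PortState:
    macs: set = field(default_factory=set)          # sticky allowed MACs
    shutdown: bool = False                          # err-disabled?
    violations: list = field(default_factory=list)  # offending MACs, in order


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 00-11-22-33-44-01 and 0011.2233.4401 compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def enforce_port_security(frames, max_macs=1):
    """Sticky port security: the first max_macs distinct source MACs on a port are
    allowed; any further MAC is a violation and the port is shut down. Once a port
    is shut down every later frame on it is dropped, exactly like err-disable,
    until an admin re-enables it."""
    ports = defaultdict(PortState)
    for port, mac in frames:
        mac = normalize_mac(mac)
        st = ports[port]
        if st.shutdown or mac in st.macs:
            continue
        if len(st.macs) < max_macs:
            st.macs.add(mac)
        else:
            st.violations.append(mac)
            st.shutdown = True
    return dict(ports)


def shutdown_ports(frames, max_macs=1):
    """Sorted list of ports that port security would err-disable."""
    return sorted(p for p, st in enforce_port_security(frames, max_macs).items() if st.shutdown)


if __name__ == "__main__":
    for port, st in sorted(enforce_port_security(SAMPLE_FRAMES).items()):
        print(port, "DOWN" if st.shutdown else "up", sorted(st.macs), st.violations)
```

Run as-is it reports Gi1/0/2 and Gi1/0/4 down and the other two up; raising
max_macs to 2 spares the bridging laptop but still catches the hub. That is
the whole point of the one-computer-per-port rule Alexander defends: with one
MAC per port the admins can name the offending machine and cut only it off.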




More information about the fedora-list mailing list