FC3 Security

Scot L. Harris webid at cfl.rr.com
Wed Mar 9 04:31:58 UTC 2005


On Tue, 2005-03-08 at 23:10, Rick Bilonick wrote:
> I have a half-million dollar grant for research and with some of this 
> money I recently assembled a computer with dual opteron processors, 2gb 
> of memory, 240 gb of hard drive, and 500 gb for a raid disk array. The 
> computer will be doing some heavy-duty number crunching (using R and 
> other open source software). I installed FC3 (64-bit) without any 
> problems, applied to the university computer dept. for an IP address 
> (and received an IP) for one of the ports in my office and started 
> working. The next day the "local" IT dept. (such as it is) for the "data 
> center" told me I had to disconnect from the port as my computer was a 
> "risk" to their data center. First they said that because my computer 
> was connected to the same subnet as the data center that this computer, 
> if hacked, would pose a threat to their computers. They consider my 
> computer to be a "server" because I was using ssh to connect remotely to 
> it. When I said I would eliminate ssh, then they said that they don't 
> support Linux systems and won't allow it to be connected. If they don't 
> control the computer (by installing Windows XP), then the computer is a 
> threat to their system because it is on the same subnet. (The university 
> gives out IP addresses and actually owns the network. Various 
> departments and groups rent ports.)

Any system, if hacked, poses a threat to the data center.  ssh is what is
recommended for accessing a system, rather than, say, telnet, so that
reasoning does not make sense.

> Is there any truth to what the IT people are saying or are they simply 
> insane (or control freaks or both)?
> 

Sounds like whoever is telling you this is either parroting "official
policy" or does not understand how to set up a network.

> In the next couple of days I will be speaking with the department head 
> (the data center is a small part of the department and my grant is 
> totally independent of the data center). If I can't get her to see 
> reason and force the data center to act reasonably, I think I have the 
> following options for connecting my FC3 computer to the Internet:
> 
> 1) get a separate project office outside of the data center 
> (inconvenient to have two offices blocks or farther apart),
> 
> 2) get a DSL data line installed (about $130/month for 512K - kind of 
> expensive),
> 
> 3) use Verizon Wireless Broadband (very fast [512K], $80/month - not 
> cheap but I could take the PC 5220 card out and use in the evenings and 
> weekends),
> 
> 4) take the computer and 20 in lcd monitor home, connect it to the DSL 
> line, and do the work at home.
> 
> What would you recommend? If I'm going to complete this project on time, 
> I can't have any more time wasted. So I need to get this resolved.

The quickest solution is to take the system home and work from there.

The IT department should, if they are so concerned about security, set up
a LAN that is firewalled off from the data center where they can connect
users' systems.  On that LAN they would need to provide some minimal set
of services, which could be handled by one server and a firewall.  The
server would provide DHCP, NTP, DNS, and other basic network services.
The firewall would provide the connection out to the Internet and
separate their data center from "suspect" systems.

I would only consider wireless if you can make sure you use ssh or VPN
type connections.  WEP is not secure enough IMHO.

In your place I would make friends with upper management in the IT
department and get the lowdown on their internal processes.  You could
possibly offer to buy a firewall that would be used to set up a secured
LAN for your use, or something along those lines.  Just make sure you run
iptables and only install services exposed to the network that you
really need and use.  Explaining the security you are using on the
system to your new friend in IT might help as well.

As I said, in the short term working from home is going to be the
quickest solution.  Working through the bureaucracy can take a lot of
time until you make friends with the right person.  And yelling and
screaming will not get you anywhere.  It may actually make them even
less willing to work with you.

-- 
Scot L. Harris
webid at cfl.rr.com

Your reasoning is excellent -- it's only your basic assumptions that are wrong. 
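
The host-hardening advice in the message above (run iptables, expose nothing but the services you really need) as a concrete rule set. This is an added example written for this page, not code from the original thread or from Fedora. It uses the iptables syntax of the FC3 era (`-m state`), and the interface name `eth0` and the `192.0.2.0/24` subnet allowed to reach ssh are assumptions standing in for the campus network; change them for your site. Rule generation is kept separate from application so the policy can be reviewed before anything touches the kernel.

```shell
#!/bin/sh
# Host firewall for a single Linux workstation that exposes only ssh.
# Example code for this page, not from the original message.
# Assumptions (edit for your site): the wired port is eth0 and the only
# network allowed to open ssh sessions is 192.0.2.0/24 (a documentation
# range standing in for the campus subnet).

IFACE="${IFACE:-eth0}"
SSH_ALLOW_NET="${SSH_ALLOW_NET:-192.0.2.0/24}"

# Emit the policy as iptables commands, one per line, without running them.
# Default-deny inbound, allow loopback and replies to our own traffic,
# allow ssh only from the trusted subnet (rate-limited against brute force),
# log and drop everything else.
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -s $SSH_ALLOW_NET --dport 22 -m state --state NEW -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp ! -s $SSH_ALLOW_NET --dport 22 -m state --state NEW -j LOG --log-prefix "ssh-denied: "
iptables -A INPUT -j LOG --log-prefix "input-drop: " --log-level 4
iptables -A INPUT -j DROP
EOF
}

# What is actually listening, to compare against the policy: anything
# here that is not ssh is a service the message says you should remove.
audit_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltun
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tuln
    else
        echo "neither ss nor netstat found"
    fi
}

case "${1:-}" in
    --apply)   # root only: load the policy into the kernel, then show listeners
        build_rules | sh -e
        audit_listeners ;;
    *)         # default: print the policy for review
        build_rules ;;
esac
```

Run it with no arguments to review the rules, then `sh firewall.sh --apply` as root; on FC3 `service iptables save` persists the running rules to `/etc/sysconfig/iptables` so they survive a reboot. Anything `audit_listeners` reports besides port 22 is a service to turn off (`chkconfig <name> off`) rather than something to leave hidden behind the filter.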