FC3 Security
Rick Bilonick
rab at nauticom.net
Wed Mar 9 04:58:06 UTC 2005
Scot L. Harris wrote:
>On Tue, 2005-03-08 at 23:10, Rick Bilonick wrote:
>
>
>>I have a half-million dollar grant for research and with some of this
>>money I recently assembled a computer with dual Opteron processors, 2gb
>>of memory, 240 gb of hard drive, and 500 gb for a raid disk array. The
>>computer will be doing some heavy-duty number crunching (using R and
>>other open source software). I installed FC3 (64-bit) without any
>>problems, applied to the university computer dept. for an IP address
>>(and received an IP) for one of the ports in my office and started
>>working. The next day the "local" IT dept. (such as it is) for the "data
>>center" told me I had to disconnect from the port as my computer was a
>>"risk" to their data center. First they said that because my computer
>>was connected to the same subnet as the data center that this computer,
>>if hacked, would pose a threat to their computers. They consider my
>>computer to be a "server" because I was using ssh to connect remotely to
>>it. When I said I would eliminate ssh, then they said that they don't
>>support Linux systems and won't allow it to be connected. If they don't
>>control the computer (by installing Windows XP), then the computer is a
>>threat to their system because it is on the same subnet. (The university
>>gives out IP addresses and actually owns the network. Various
>>departments and groups rent ports.)
>>
>>
>
>Any system if hacked poses a threat to the data center. ssh is
>recommended over, say, telnet when accessing a system, so that
>reasoning does not make sense.
>
>
>
>>Is there any truth to what the IT people are saying or are they simply
>>insane (or control freaks or both)?
>>
>>
>>
>
>Sounds like whoever is telling you this is either parroting "official
>policy" or does not understand how to set up a network.
>
>
>
>>In the next couple of days I will be speaking with the department head
>>(the data center is a small part of the department and my grant is
>>totally independent of the data center). If I can't get her to see
>>reason and force the data center to act reasonably, I think I have the
>>following options for connecting my FC3 computer to the Internet:
>>
>>1) get a separate project office outside of the data center
>>(inconvenient to have two offices blocks or farther apart),
>>
>>2) get a DSL data line installed (about $130/month for 512K - kind of
>>expensive),
>>
>>3) use Verizon Wireless Broadband (very fast [512K], $80/month - not
>>cheap but I could take the PC 5220 card out and use in the evenings and
>>weekends),
>>
>>4) take the computer and 20 in lcd monitor home, connect it to the DSL
>>line, and do the work at home.
>>
>>What would you recommend? If I'm going to complete this project on time,
>>I can't have any more time wasted. So I need to get this resolved.
>>
>>
>
>The quickest solution is to take the system home and work from there.
>
>The IT department should, if they are so concerned about security, set up
>a LAN that is firewalled off from the data center where they can connect
>users' systems. On that LAN they would need to provide some minimal set
>of services which could be handled by one server and a firewall. The
>server would provide DHCP, NTP, DNS, and other basic network services.
>The firewall would provide the connection out to the Internet and
>separate their data center from "suspect" systems.
>
>I would only consider wireless if you can make sure you use ssh or VPN
>type connections. WEP is not secure enough IMHO.
>
>In your place I would make friends with upper management in the IT
>department and get the low down on their internal processes. Possibly
>offer to buy a firewall that would be used to set up a secured LAN for
>your use, or something along those lines. Just make sure you run
>iptables and only install services exposed to the network that you
>really need and use. Possibly explaining the security you are using on the
>system to your new friend in IT would help as well.
>
>As I said, in the short term working from home is going to be the
>quickest solution. Working through the bureaucracy can take a lot of
>time until you make friends with the right person. And yelling and
>screaming will not get you anywhere. It may actually make them even
>less willing to work with you.
>
>
>
Here are some additional details. The local IT for the data center has
no central firewall. Each computer is on its own and has to run a
firewall. (The data center could use a firewall but it would have to be
maintained by the university - and the data center doesn't want to have
to deal with the university running a firewall for them.) Also, all the
printers are available to anyone who knows their IP address - they don't
sit behind any firewall. (This is SOOOO different from my previous
position in the corporate world where all the computers and printers
were behind a firewall.)
The data center would go ballistic if I used a router to set up a local
LAN with a firewall. (The university frowns on connecting routers and
hubs to the network. It wants one computer for each port/IP address. I
think this is somewhat silly but what can I do?)
So far, all the yelling and screaming is from the data center directed
at me. (I don't work for the data center - my appointment is in the
department. I just happen to have an office located in what is called
the data center.)
The home solution has its merits. But what is wrong with Verizon
Wireless Broadband? This is an always-on cellular connection - not
wireless ethernet type connection. I'm not sure though whether I would
be able to ssh into the computer although my biggest concern is
connecting to the Internet from the computer. I do know that the
business DSL line, while expensive, would allow me to deliver web pages
and use ssh etc.
Unfortunately, the data center IT dept. consists only of a couple of
individuals who seem intent on preventing me from doing my work. They
were very irritated that I bought computer equipment without consulting
them and that I contacted the university IT people. (The university IT
have no concerns about me connecting my computer. I had no problem
getting an IP address from them and they will sell me a port if I want
one.) Why they care is beyond me since I'm not funding them through my
grant so any "help" they would give would be at their expense.
Thanks for your thoughts.
Rick B.
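Scot's advice above (run iptables on the host itself, expose only the services you actually use) for a single box on a shared subnet with no central firewall, written out as an added example that is not from the thread. The ruleset and the `netstat -tln` sample lines are constructed here; nothing else is assumed about the machine.

```shell
#!/bin/sh
# Host-based firewall for one Linux box on an untrusted subnet: default-deny
# inbound, only ssh reachable from the network. iptables-restore format;
# apply with:  host_firewall_rules | iptables-restore
host_firewall_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh is the only listening service exposed; more than 4 new connections
# per minute from one source are dropped to blunt password guessing
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# ping stays answerable for the campus network people; everything else drops
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Audit helper: read `netstat -tln` output on stdin and print every TCP port
# bound to all interfaces (0.0.0.0 or :::) that is not in the allow list.
# Each port printed is a service the subnet can reach unless the firewall
# above hides it, so it should be removed or bound to 127.0.0.1.
# Usage: unexpected_listeners "22 631" < netstat_output
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            m = split($4, addr, ":"); port = addr[m]
            if (($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) && !(port in ok)) print port
        }'
}

# Constructed sample: sshd on v4 and v6, a CUPS daemon on all interfaces,
# and a MySQL bound only to loopback (harmless, so not reported)
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22"   # prints 631
```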