FC3 Security

Rick Bilonick rab at nauticom.net
Wed Mar 9 04:58:06 UTC 2005


Scot L. Harris wrote:

>On Tue, 2005-03-08 at 23:10, Rick Bilonick wrote:
>
>>I have a half-million dollar grant for research and with some of this 
>>money I recently assembled a computer with dual Opteron processors, 2 GB 
>>of memory, 240 GB of hard drive, and 500 GB for a RAID disk array. The 
>>computer will be doing some heavy-duty number crunching (using R and 
>>other open source software). I installed FC3 (64-bit) without any 
>>problems, applied to the university computer dept. for an IP address 
>>(and received an IP) for one of the ports in my office and started 
>>working. The next day the "local" IT dept. (such as it is) for the "data 
>>center" told me I had to disconnect from the port as my computer was a 
>>"risk" to their data center. First they said that because my computer 
>>was connected to the same subnet as the data center that this computer, 
>>if hacked, would pose a threat to their computers. They consider my 
>>computer to be a "server" because I was using ssh to connect remotely to 
>>it. When I said I would eliminate ssh, then they said that they don't 
>>support Linux systems and won't allow it to be connected. If they don't 
>>control the computer (by installing Windows XP), then the computer is a 
>>threat to their system because it is on the same subnet. (The university 
>>gives out IP addresses and actually owns the network. Various 
>>departments and groups rent ports.)
>
>Any system, if hacked, poses a threat to the data center.  ssh is
>recommended over, say, telnet when accessing a system, so that
>reasoning does not make sense.
>
>>Is there any truth to what the IT people are saying or are they simply 
>>insane (or control freaks or both)?
>
>Sounds like whoever is telling you this is either parroting "official
>policy" or does not understand how to set up a network.
>
>>In the next couple of days I will be speaking with the department head 
>>(the data center is a small part of the department and my grant is 
>>totally independent of the data center). If I can't get her to see 
>>reason and force the data center to act reasonably, I think I have the 
>>following options for connecting my FC3 computer to the Internet:
>>
>>1) get a separate project office outside of the data center 
>>(inconvenient to have two offices blocks or farther apart),
>>
>>2) get a DSL data line installed (about $130/month for 512K - kind of 
>>expensive),
>>
>>3) use Verizon Wireless Broadband (very fast [512K], $80/month - not 
>>cheap but I could take the PC 5220 card out and use it in the evenings and 
>>weekends),
>>
>>4) take the computer and 20-inch LCD monitor home, connect it to the DSL 
>>line, and do the work at home.
>>
>>What would you recommend? If I'm going to complete this project on time, 
>>I can't have any more time wasted. So I need to get this resolved.
>
>The quickest solution is to take the system home and work from there.
>
>The IT department should, if they are so concerned about security, set up
>a LAN that is firewalled off from the data center where they can connect
>users' systems.  On that LAN they would need to provide some minimal set
>of services which could be handled by one server and a firewall.  The
>server would provide DHCP, NTP, DNS, and other basic network services. 
>The firewall would provide the connection out to the Internet and
>separate their data center from "suspect" systems.  
>
>I would only consider wireless if you can make sure you use ssh or VPN
>type connections.  WEP is not secure enough IMHO.
>
>In your place I would make friends with upper management in the IT
>department and get the low down on their internal processes.  Possibly
>offer to buy a firewall that would be used to set up a secured LAN for
>your use, or something along those lines.  Just make sure you run
>iptables and only install services exposed to the network that you
>really need and use.  Possibly explaining the security you are using on the
>system to your new friend in IT would help as well.
>
>As I said, in the short term working from home is going to be the
>quickest solution.  Working through the bureaucracy can take a lot of
>time until you make friends with the right person.  And yelling and
>screaming will not get you anywhere.  It may actually make them even
>less willing to work with you.
>
Here are some additional details. The local IT for the data center has 
no central firewall. Each computer is on its own and has to run a 
firewall. (The data center could use a firewall but it would have to be 
maintained by the university - and the data center doesn't want to have 
to deal with the university running a firewall for them.) Also, all the 
printers are available to anyone who knows their IP address - they don't 
sit behind any firewall. (This is SOOOO different from my previous 
position in the corporate world where all the computers and printers 
were behind a firewall.)

The data center would go ballistic if I used a router to set up a local 
LAN with a firewall. (The university frowns on connecting routers and 
hubs to the network. It wants one computer for each port/IP address. I 
think this is somewhat silly but what can I do?)

So far, all the yelling and screaming is from the data center directed 
at me. (I don't work for the data center - my appointment is in the 
department. I just happen to have an office located in what is called 
the data center.)

The home solution has its merits. But what is wrong with Verizon 
Wireless Broadband? This is an always-on cellular connection - not a 
wireless Ethernet type connection. I'm not sure though whether I would 
be able to ssh into the computer, although my biggest concern is 
connecting to the Internet from the computer. I do know that the 
business DSL line, while expensive, would allow me to deliver web pages 
and use ssh etc.

Unfortunately, the data center IT dept. consists only of a couple of 
individuals who seem intent on preventing me from doing my work. They 
were very irritated that I bought computer equipment without consulting 
them and that I contacted the university IT people. (The university IT 
have no concerns about me connecting my computer. I had no problem 
getting an IP address from them and they will sell me a port if I want 
one.) Why they care is beyond me since I'm not funding them through my 
grant so any "help" they would give would be at their expense.

Thanks for your thoughts.

Rick B.
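Scot's advice above, "run iptables and only install services exposed to the network that you really need," is the standard posture for a single host that has to sit on a shared subnet with no central firewall, which is exactly Rick's situation. The script below is an added example written for this page; it is not code from either poster. It takes the output of `ss -tlnp` (the modern iproute2 listing of listening TCP sockets, which postdates this 2005 thread; `netstat -tlnp` prints the same information), flags every socket that listens on a non-loopback address and is not on a hypothetical allowlist (here, ssh only), and emits a matching default-deny iptables ruleset as command strings for review. The `ss` output embedded in the script is constructed sample data, not a capture from any real machine.

```python
import re

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=700,fd=6))
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=600,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=900,fd=10))
"""

# Hypothetical allowlist: the only TCP service this host is meant to expose.
ALLOWED_TCP_PORTS = {22}

# Addresses that are reachable only from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Pulls the process name out of users:(("sshd",pid=812,fd=3)).
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_output):
    """Parse `ss -tlnp` text into dicts with local address, port and process name."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rsplit keeps bracketed IPv6 addresses such as [::] intact.
        addr, port = fields[3].rsplit(":", 1)
        match = PROC_RE.search(line)
        listeners.append({
            "addr": addr,
            "port": int(port),
            "proc": match.group(1) if match else "?",
        })
    return listeners


def is_network_exposed(addr):
    """True if the socket is bound to something other than a loopback address."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def find_unexpected_exposure(listeners, allowed_ports):
    """Return sorted (port, process) pairs that listen on the network without being allowlisted."""
    exposed = {
        (l["port"], l["proc"])
        for l in listeners
        if is_network_exposed(l["addr"]) and l["port"] not in allowed_ports
    }
    return sorted(exposed)


def iptables_rules(allowed_ports):
    """Build a default-deny INPUT ruleset that admits only the allowlisted TCP ports."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(allowed_ports):
        rules.append(
            f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    for port, proc in find_unexpected_exposure(found, ALLOWED_TCP_PORTS):
        print(f"exposed and not allowlisted: tcp/{port} ({proc})")
    print("\nsuggested ruleset:")
    for rule in iptables_rules(ALLOWED_TCP_PORTS):
        print(rule)
```

On the constructed sample the audit reports rpcbind on 111 and mysqld on 3306 as exposed but not allowlisted, while cupsd on 631 passes because it is bound to 127.0.0.1 only. The two findings are the decision points Scot's advice calls for: either stop or rebind the service, or add the port to the allowlist deliberately. The ruleset is printed rather than applied so it can be reviewed before it is loaded.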




More information about the fedora-list mailing list