FC3 Security

Rick Bilonick rab at nauticom.net
Wed Mar 9 13:07:02 UTC 2005


Alexander Boström wrote:

>Tue 2005-03-08 at 23:58 -0500, Rick Bilonick wrote:
>
>>The data center would go ballistic if I used a router to set up a local
>>LAN with a firewall. (The university frowns on connecting routers and
>>hubs to the network. It wants one computer for each port/IP address. I
>>think this is somewhat silly but what can I do?)
>
>That is actually the most sane rule of all the rules that your IT
>department has imposed on the network. When they see a threat on the
>network they want to be able to 1) know the MAC of the infected, cracked
>or abused computer, 2) analyse the traffic and 3) pull the plug on the
>computer without losing an entire office with many other computers
>along with it. Hence, they want to be in control over the routers and
>switches. That is sane.
>
>It is also somewhat understandable that they want to be in control over
>what runs on the computers. This allows them to make sure the computers
>are fully updated with the latest patches etc. However, this is not
>always practical because the needs of the users vary a lot. A Windows-
>only policy will definitely limit the available tools, which will very
>likely be a problem in a university setting. The curriculum of the
>students might be adapted to the available tools, but the researchers
>need some flexibility to do their job. If the systems offered by the IT
>department don't provide what you need to be able to do your job, then
>they must allow you to manage your own computers. If that requires them
>to somehow reorganise the network to feel safe, then so be it.
>
>What the people who manage the network should do is to actually meet
>with the people who use the network, get to know them and get a feel for
>who is capable of managing their own computers, regardless of the
>operating system. Some people really should be placed in front of a
>locked-down computer with no root/admin access, while some know what
>they're doing and can work with the network owners to keep it free from
>infection. Sometimes accidents will happen anyway, but as long as it's
>rare it's something you can live with.
>
>Sometimes a single computer managed by its only user can grow
>organically to a set of servers and workstations managed by a sysadmin,
>which can then move up to the IT dept. and the computer system provided
>as a solution to the whole organisation, thus replacing a bunch of other
>user-managed single computers here and there. This is much more
>desirable than to just crush any non-sanctioned computer use.
>
>Buying a separate DSL seems like a waste of money, caused by a problem
>within the organisation.
>
>/Alexander Boström,
>University sysadmin.
I agree completely. Unfortunately, we seem to work for the benefit of
the data center IT group. They never ask about our needs. Their motto is: one
size fits all. The thing is, it's my bad luck to have an office in the
data center. Otherwise, I have no connection to the data center.

Rick B.
More information about the fedora-list mailing list