FC3 Security

Scot L. Harris webid at cfl.rr.com
Wed Mar 9 19:00:12 UTC 2005


On Wed, 2005-03-09 at 10:27, Alexander Boström wrote:

> 
> In my experience unprotected printers aren't really a problem. They
> could be used for SPAM, but I doubt selling v1ª9R4 that way would work,
> and the printer would soon be moved to a private network anyway so it
> wouldn't last. And as a prank, how fun and "leet" is it to waste a
> couple of hundred papers on some printer you don't even know where it
> is?
> 
> Anyway, we're a university with 14000 students and a few thousand
> employees, and our network is very open. We try to put the printers on
> private networks, and some equipment like switches are too, but not any
> of the servers or workstations. I've never seen a NAT router anywhere,
> although I suppose there could be one somewhere. There are some blocked
> ports, but not many. We do use the software firewalls in each computer,
> though. Especially on Windows.
> 
> And no, it's not like the wild west. There are a few islands of horror
> that are being taken care of, but overall it's fine. It's not about
> firewalls, it's about knowing what you're doing.
> 

Sounds like a recipe for disaster.  IMHO any network admin that does not
segregate their network into LANs used for specific purposes and apply
firewalls between those LANs as well as out to the Internet is simply
contributing to the overall problem.  The same basic security principles
should be applied in a University setting as are applied in the business
world.  A company is just asking for problems putting their financial
servers on the same network as a host of workstations or drop-in cubes.
And having a layered set of security measures is much better than relying
on just the firewall on the server.  From the sounds of it you don't
even have a single choke point that you could monitor traffic on, let
alone block some of the virus traffic that is generated on a regular
basis.

I guess it makes sense that things have gotten so bad out there if these
same principles are applied in the real world.

University networks must be havens for spammers with policies like this.
 
> Yep, we've even got IPv6 up and running in a lot of the networks.
> 
> > I can understand that.  I was recommending that you buy them a firewall
> > for them to administer and run on your behalf.  But from other things
> > you have described they would not know what to do with such a device.
> 
> They'd want to buy it themselves then, so they can get what they're used
> to. They don't want to deal with a lot of different types of routers,
> firewalls and switches. It's too much work.

Of course you would buy a firewall of the type they are used to using. 
But from the description it sounds like they don't know how to spell
firewall let alone set one up.

-- 
Scot L. Harris
webid at cfl.rr.com

You'll feel much better once you've given up hope. 
