FC3 Security
Aleksandar Milivojevic
amilivojevic at pbl.ca
Wed Mar 9 20:25:31 UTC 2005
Jeff Kinz wrote:
> Any IT dept that equates sshd to a server is either not up to snuff
> technically (and in a really bad way.), or they are being duplicitous.
> (That's another word for lying)
I've heard only one side of the story about that particular IT
department (Rick's side), and reacted upon it (probably shouldn't have,
at least not without knowing the other side of the story).
However, on one thing I must agree with the IT department in question.
Allowing unrestricted connections to any service (including SSH) from
the Internet isn't something that should be allowed. It isn't really
relevant if the machine is a server or not.
Now, the definition of a server is kind of fuzzy. If a machine is running a
service that accepts connections, it might be considered a server. It all
depends on the definition one chooses to use. On the other hand, using
that definition, each and every Windows machine with file&printer
sharing enabled is also a server (and my guess is that file&printer
sharing is commonly used on the university type of network).
I can kind of see the mentioned IT department as having a point *if*
they are the only ones who are administering all those Windows boxes on
their network, keep them tightly closed down, with users not able to
change any system settings, with BIOS passwords to prevent users from
reinstalling machines. If users have Administrator privileges on those
Windows machines, then I can't see any reasoning behind their decision,
as long as Rick is not bugging them to troubleshoot his problems.
Another thing that puzzles me is, if the network is completely open (as
Rick said it is), and they are depending only on the Windows XP firewall
feature, then what is the difference between Rick's machine and any
other host on the Internet? Sure, somebody can do a more effective DoS on
the local network, but other than that?
BTW, I completely agree with one comment made here. The IT department
provides a service. There is no "us" and "them". In the corporate world, we
do whatever is needed to support business needs. An IT department in
a university setting should be the same. If somebody needs a Linux box
connected to the network to do his work, IT folks shouldn't be in the way
"because we are a Windows-only shop". I always considered my job
description to be "finding a way to allow people to do their work in
the most efficient way, while keeping it secure".
What Rick described is the completely opposite attitude that results in
restricting people in doing their work, separation into "us" and "them",
and inefficient use of resources.
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7