FC3 Security

Scot L. Harris webid at cfl.rr.com
Thu Mar 10 00:09:47 UTC 2005


On Wed, 2005-03-09 at 18:42, Les Mikesell wrote:
> On Wed, 2005-03-09 at 14:38, Scot L. Harris wrote:
> > > 
> > > > The same basic security principles
> > > > should be applied in a University setting as are applied in the business
> > > > world.
> > > 
> > > Perhaps for their internal business operations, but for general access
> > > not many of the same assumptions apply - certainly not the one that
> > > says all the good guys are inside the firewall and all the bad guys
> > > are outside.
> > 
> > I never made that assumption.  That is precisely the reason to have
> > segregated networks internally, most threats in the real world come from
> > inside.
> 
> How does segregating networks help in an environment where people
> often are not physically near the machines they need to use?  A
> business might provide VPN service with crypto devices for each
> employee and have the IT staff to maintain the needed authorization
> and access control.  A university probably can't except perhaps
> for its internal business operations.
> 

By separating systems onto different LANs you create choke points where
you can control who and what protocols are allowed through.  In many
cases you can segregate systems which require no outside connection
making those very secure.

Access to systems can be limited by protocol (ssh) or by address; for
instance, if a researcher needed access from their workstation to a
server that resided on a protected LAN, the firewall can be configured to
only let that researcher's workstation get through the firewall using
ssh.

As you indicate, additional levels of security can be layered on, such as
using certificates for authentication or SecurID-type devices.  If the
research being performed is worth money (and apparently some of it is
worth LOTS of money) such measures are worth it to make sure some
freshman does not destroy months worth of research costing someone
hundreds of thousands of dollars.

Of course there are always trade-offs of security vs. cost vs.
convenience.  If the university (or any business) does not value the
data on their network and the money it brings in they will lose at some
point when their systems are compromised.  It could be costly,
embarrassing or both.  I personally would not work for a place that
remained lax in dealing with security on their networks.  They are
asking for problems.  

I suspect that the situation is not that bad, at least I hope not.  If
it is then I suspect this particular university will be identified and
the hackers will have started scanning for unsecured systems sometime
later tonight.
 
-- 
Scot L. Harris
webid at cfl.rr.com

Neil Armstrong tripped. 
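As an added illustration of the choke point described in the message above (this is not code from the post or the thread), the following shell script builds the Linux iptables ruleset for a box routing between the general campus LAN and a protected research LAN: default deny across the choke point, an anti-spoofing rule, stateful replies, and exactly one permitted path, the named researcher's workstation to the research server over ssh. The interface names, the 10.10.20.0/24 protected network, and the 10.10.5.42 / 10.10.20.7 addresses are constructed for the example. `IPT` defaults to `echo iptables`, so running the script only prints the rules; set `IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: minimal choke-point ruleset
# for a Linux router between a campus LAN and a protected research LAN.
# All interface names and addresses below are constructed for illustration.
# IPT defaults to "echo iptables" so rules are printed, not applied;
# run with IPT=iptables (as root) to load them for real.

IPT="${IPT:-echo iptables}"

CAMPUS_IF="eth0"         # side facing the general campus network (assumed)
LAB_IF="eth1"            # side facing the protected research LAN (assumed)
LAB_NET="10.10.20.0/24"  # protected LAN (constructed)
RESEARCHER="10.10.5.42"  # the one workstation allowed through (constructed)
SERVER="10.10.20.7"      # research server on the protected LAN (constructed)

choke_point_rules() {
    # Default deny for anything crossing the choke point, then start clean.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Anti-spoofing: a packet claiming a protected-LAN source address may
    # only arrive on the protected-LAN interface, never from the campus side.
    $IPT -A FORWARD -i "$CAMPUS_IF" -s "$LAB_NET" -j DROP

    # Return traffic for connections that were already permitted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The single permitted path: researcher's workstation -> server, ssh only.
    # Nothing else from the campus side reaches the protected LAN.
    $IPT -A FORWARD -i "$CAMPUS_IF" -o "$LAB_IF" -s "$RESEARCHER" -d "$SERVER" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Rate-limited log of whatever falls through to the DROP policy, so
    # scans against the protected LAN show up in the system log.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "CHOKE-DROP: "
}

# Self-check helper: number of ACCEPT rules the ruleset contains
# (expected: the stateful reply rule plus the one ssh rule = 2).
accept_rule_count() {
    choke_point_rules | grep -c -- '-j ACCEPT'
}

choke_point_rules
```

Adding a second researcher, or a second protocol, means adding a second explicit ACCEPT rule; the point of the choke point is that every allowed path is written down and everything not listed is dropped and logged.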



