FC3 Security

Jeff Kinz jkinz at kinz.org
Thu Mar 10 01:21:44 UTC 2005


On Wed, Mar 09, 2005 at 02:25:31PM -0600, Aleksandar Milivojevic wrote:
> Jeff Kinz wrote:
> > Any IT dept that equates sshd to a server is either not up to snuff
> > technically (and in a really bad way.), or they are being duplicitous.
> > (That's another word for lying.)
> 
> I've heard only one side of the story about that particular IT 
> department (Rick's side), and reacted upon it (probably shouldn't have, 
> at least not without knowing the other side of the story).
> 
> However, for one thing I must agree with the IT department in question.
> Allowing unrestricted connections to any service (including SSH) from
> the Internet isn't something that should be allowed.  It isn't really
> relevant whether the machine is a server or not.

Yes, excepting servers whose defined function is to accept any
connection from anywhere, like Google's port 80.

> Now, definition of server is kind of fuzzy.  

I might have agreed with that statement until I saw Rick Steven's email.

Now I feel that "server" alone always implies a server "machine",
a machine whose _primary_ function is providing services to clients.

It is, as you state below, a choice of definitions, but upon examination
I see that in IT usage "server" always seems to mean a specific machine,
not a process, so I'm putting my vote that way (if anyone's counting :))

> If a machine is running a service that accepts connections, it might
> be considered a server. It all depends on the definition one chooses to
> use. On the other hand, using that definition, each and every Windows
> machine with file & printer sharing enabled is also a server (and my
> guess is that file & printer sharing is commonly used on university-type
> networks).

This is where the issue of distinguishing between a "server" and a
"client-server architecture" becomes important.

"Client-server architecture" describes the relationship between two
processes.  These two processes can even be running on the same machine.
Is a machine where that is happening a "server" or a "client"?
(OK, it's both...?)

> I can kind of see the mentioned IT department as having a point *if*
> they are the only ones who are administering all those Windows boxes on
> their network, keep them tightly closed down, with users not able to
> change any system settings, with BIOS passwords to prevent users from
> reinstalling machines.  If users have Administrator privileges on those
> Windows machines, then I can't see any reasoning behind their decision,
> as long as Rick is not bugging them to troubleshoot his problems.

I agree.
> 
> Another thing that puzzles me is, if the network is completely open (as
> Rick said it is), and they are depending only on the Windows XP firewall
> feature, then what is the difference between Rick's machine and any
> other host on the Internet?  Sure, somebody can do a more effective DoS
> on the local network, but other than that?

Yep.
> 
> BTW, I completely agree with one comment made here.  The IT department
> provides a service.  There are no "us" and "them".  In the corporate
> world, we do whatever is needed to support business needs.  An IT
> department in a university setting should be the same.  If somebody
> needs a Linux box connected to the network to do his work, IT folks
> shouldn't be in the way "because we are a Windows-only shop".  I always
> considered my job description to be "finding a way to allow people to
> do their work in the most efficient way, while keeping it secure".
> 
> What Rick described is the completely opposite attitude, one that
> results in restricting people in doing their work, separation into "us"
> and "them", and inefficient use of resources.

Absolutely.

-- 
"The only system which is truly secure, is one which is switched off
and unplugged, locked in a titanium lined safe, buried in a concrete
bunker, surrounded by nerve gas and very highly paid armed guards. Even
then, I wouldn't stake my life on it" - Gene Spafford 
http://kinz.org
http://www.fedoranews.org
Jeff Kinz, Emergent Research, Hudson, MA.
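The quoted point about not allowing unrestricted SSH connections from the Internet is easy to check mechanically against a host's sshd_config. The following is an added example, not code from this thread, from Fedora or from OpenSSH: it parses an sshd_config and reports whether the daemon is open to any host. The three configurations embedded in it are constructed for illustration; the audit assumes OpenSSH's first-value-wins handling of repeated keywords and treats an absent PermitRootLogin as the pre-OpenSSH-7.0 default of "yes".

```python
"""Audit an sshd_config for 'accepts unrestricted connections from anywhere'.

Added example (not from the mailing-list thread). The configs below are
constructed; the checks encode one reasonable site policy, not a standard.
"""

WILDCARD_LISTEN = {"0.0.0.0", "::", "[::]"}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks) for an sshd_config.

    Keywords are lower-cased because sshd treats them case-insensitively.
    Values are kept as lists because ListenAddress, AllowUsers etc. may
    repeat, and sshd uses the FIRST value of a repeated keyword.  Options
    after a 'Match' line apply only when its criteria hold, so they are
    kept apart from the global ones.
    """
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": val.lower(), "opts": {}}
            matches.append(current)
            continue
        opts = global_opts if current is None else current["opts"]
        opts.setdefault(key, []).append(val)
    return global_opts, matches


def _listen_host(value):
    """Strip the optional :port (and 'rdomain') suffix from a ListenAddress."""
    parts = value.split()
    v = parts[0] if parts else ""
    if v.startswith("["):                         # [ipv6]:port
        return v[1:v.index("]")]
    if v.count(":") == 1:                         # ipv4-or-hostname:port
        return v.split(":")[0]
    return v                                      # bare v4, v6 or hostname


def _restricts_by_source(opts):
    """True if an AllowUsers entry uses the user@host form."""
    return any("@" in e for v in opts.get("allowusers", []) for e in v.split())


def audit(text):
    """Return a list of (code, message) findings; [] means nothing flagged."""
    g, matches = parse_sshd_config(text)
    findings = []

    listen = [_listen_host(v) for v in g.get("listenaddress", ["0.0.0.0"])]
    if any(h in WILDCARD_LISTEN for h in listen):
        findings.append(("listen_wildcard",
                         "sshd binds every interface; pin ListenAddress"))

    # First value wins in sshd; absent PermitRootLogin meant 'yes' before 7.0.
    if g.get("permitrootlogin", ["yes"])[0].lower() == "yes":
        findings.append(("root_login", "root may log in directly over SSH"))

    # PasswordAuthentication has always defaulted to 'yes'.
    if g.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append(("password_auth",
                         "password logins allowed: open to Internet-wide guessing"))

    # A Match Address block only restricts if it actually denies/allows users.
    match_restricts = any(
        m["criteria"].startswith("address")
        and ("denyusers" in m["opts"] or "allowusers" in m["opts"])
        for m in matches)
    if not (_restricts_by_source(g) or match_restricts):
        findings.append(("no_source_restriction",
                         "no user@host AllowUsers or restrictive Match Address; "
                         "any host on the Internet may attempt a login"))
    return findings


# Constructed 'default-ish' config: nothing restricts who may connect.
OPEN_CONFIG = """
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed restricted config: one address, key-only, named users from
# the campus network only (documentation address ranges).
RESTRICTED_CONFIG = """
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers rick@198.51.100.0/24 admin@198.51.100.5
"""

# Constructed config that relies on a Match block instead of AllowUsers.
MATCH_CONFIG = """
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
Match Address *,!198.51.100.0/24
    DenyUsers *
"""

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("restricted", RESTRICTED_CONFIG),
                      ("match", MATCH_CONFIG)):
        print(name, audit(cfg) or "ok")
```

The audit reads index 0 of each repeated keyword because sshd honours the first occurrence, which is also why a restrictive line appended below a permissive one changes nothing. An empty result is not proof the host is closed: a firewall or tcp_wrappers rule outside sshd_config is invisible to this check, and conversely a packet filter in front of the box can restrict a config this script flags as open.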