Re: FC3 Security

From: Rick Bilonick (rab_at_nauticom.net)
Date: 03/10/05

    Date: Thu, 10 Mar 2005 00:57:22 -0500
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Scot L. Harris wrote:

    >On Tue, 2005-03-08 at 23:58, Rick Bilonick wrote:
    >
    >>Here are some additional details. The local IT for the data center has
    >>no central firewall. Each computer is on its own and has to run a
    >>firewall. (The data center could use a firewall but it would have to be
    >>maintained by the university - and the data center doesn't want to have
    >>to deal with the university running a firewall for them.) Also, all the
    >>printers are available to anyone who knows their IP address - they don't
    >>sit behind any firewall. (This is SOOOO different from my previous
    >>position in the corporate world where all the computers and printers
    >>were behind a firewall.)
    >
    >You mean they are assigning routable IP addresses to all equipment and
    >sticking them on a flat network? No wonder they are paranoid. They
    >have no protection at all, if I understand the situation.
    >
    >That network must be like the wild west, systems getting owned every
    >day. Wonder how much paper gets wasted once some one stumbles onto an
    >unprotected printer?
    >
    >>The data center would go ballistic if I used a router to set up a local
    >>LAN with a firewall. (The university frowns on connecting routers and
    >>hubs to the network. It wants one computer for each port/ip address. I
    >>think this is somewhat silly but what can I do?)
    >
    >I can understand that. I was recommending that you buy them a firewall
    >for them to administer and run on your behalf. But from other things
    >you have described they would not know what to do with such a device.
    >
    >>So far, all the yelling and screaming is from the data center directed
    >>at me. (I don't work for the data center - my appointment is in the
    >>department. I just happen to have an office located in what is called
    >>the data center.)
    >>
    >>The home solution has its merits. But what is wrong with Verizon
    >>Wireless Broadband? This is an always-on cellular connection - not
    >>wireless ethernet type connection. I'm not sure though whether I would
    >>be able to ssh into the computer although my biggest concern is
    >>connecting to the Internet from the computer. I do know that the
    >>business DSL line, while expensive, would allow me to deliver web pages
    >>and use ssh etc.
    >
    >Any kind of wireless connection is subject to snooping. Cellular is
    >more difficult but with the right equipment someone could see every
    >packet into and out of your system. And since it is wireless they could
    >do it from out in the parking lot. And with cellular they could do it from
    >several blocks away. ssh and VPN should be used for any kind of
    >wireless connection even if it has its own encryption.
    >
    >Play with kismet a while. Most likely there are any number of APs in
    >the area, some of which probably have very lax security. You will be
    >surprised how many user ids and passwords for email accounts and such
    >you will see going by in the clear on such wireless connections.
    >
    >>Unfortunately, the data center IT dept. consists only of a couple of
    >>individuals who seem intent on preventing me from doing my work. They
    >>were very irritated that I bought computer equipment without consulting
    >>them and that I contacted the university IT people. (The university IT
    >>have no concerns about me connecting my computer. I had no problem
    >>getting an IP address from them and they will sell me a port if I want
    >>one.) Why they care is beyond me since I'm not funding them through my
    >>grant so any "help" they would give would be at their expense.
    >
    >Like I suggested before, make friends with those in charge of the IT
    >department, if possible. Try to demonstrate that the system will be run
    >in a secure manner, iptables enabled, only required services exposed,
    >etc.
    >
    >Other than that, move the system home and use it there. From the sounds
    >of it you would have better protection there using a $40 linksys NAT
    >router than putting anything on the university network.
    >
    >>Thanks for your thoughts.
    >>
    >>Rick B.
    >
    No one is allowed to install routers. (Although I know some people are
    doing it.) I have no problem with one port and one computer. I've
    explained that the system would be as secure or more secure than their
    Windows boxes but of course that only makes them more angry. They don't
    like Linux (they tried it once five years ago and they said they got
    hacked). The IT dept. CANNOT set up their own firewall. The university
    won't allow it. The university could set up a firewall for the data
    center but the university would manage the firewall. The data center IT
    people don't like the university IT people and don't want to have to be
    subject to having the university manage the firewall.

    Rick B.

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
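Scot's advice above ("iptables enabled, only required services exposed") written out for a single FC3 host sitting directly on a flat, routable network, as an added example that is not part of the thread. It assumes eth0 as the host's only interface (a placeholder) and exposes only SSH and HTTP, the two services Rick says he needs.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal iptables policy for one
# FC3 host on a flat, routable network with no upstream firewall.
# Only SSH and HTTP are exposed; everything else inbound is logged and dropped.
# Assumption: eth0 is the host's single NIC (placeholder, not from the page).
IFACE="eth0"

# Emit the ruleset in iptables-restore(8) format rather than calling
# iptables directly, so it can be reviewed or tested without root.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# SSH: a source opening 5 or more new connections within 60 seconds is
# dropped (blunts password guessing); otherwise the connection is accepted.
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set -j ACCEPT
# HTTP for the web pages the host serves.
-A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Everything else: log (rate-limited so the log cannot be flooded), then drop.
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Number of inbound ports the policy accepts; a quick check that nothing
# beyond the intended services is exposed.
count_exposed_ports() {
    gen_rules | grep -- '--dport' | grep -c -- '-j ACCEPT'
}

# Apply only when explicitly requested and running as root; otherwise
# just print the ruleset for review.
if [ "$1" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Save as a script and run it with `--apply` as root to load the policy; `iptables-save` afterwards confirms what is actually in the kernel.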
    
