As a former network analyst at an .edu site and now working for the
state-wide school ISP, I can tell you all the political arguments that arise
when you try to control end-user workstations.
1. Departments on Univ campuses are run like individual fiefdoms. They
don't like to share anything with a central IT dept so they hire their own
computer support and put up their own servers. All we can do is educate
the masses. This fails miserably. That Linux server that Dept X just put
up is run by a grad student who will be gone in 2 years and the dept doesn't
know who will run it after that and isn't going to think of that problem
until said grad student is gone. And in two years, that machine will be
"too important" to get rid of so it will run without an admin until it is
hacked and central IT is called to clean up the mess. OR that server admin
also does tech/application support for the 50 faculty so patches and stuff
take a back seat to getting the Dean's email working again. Trust me, I
have seen this happen.
2. Students in Residential housing. While you can make the argument that
the Univ is responsible for anything plugged into the network, have you ever
tried to convince a student that his private, personal machine in his dorm
room is a hazard and should be patched, cleaned of virus, etc? I have heard
anything from "Oh, please help me." to "my dad said the machine is fine so
go away." If you get the go away message, you can't do anything but
educate. If it is a true hazard (DDOS zombie), then yes, the Univ has the
right and ability to "shield" the world from that workstation, which will
usually bring the student around.
3. Freedom of information. When trying to figure out a firewall/IDS system
for the campus, I kept running into that problem. The central
administration is screaming "protect us" and the faculty are screaming "you
can't shut out communication". Example: you decide that NFS is bad and you
are going to block it at the border only to discover that it is being used
by the Psychology department to communicate with their research teams at
far-flung places. So you educate on the department level and they won't
change (see #1). Do you block it anyway? Now you have faculty running to
the central administration claiming that the central IT department is
hindering research, which hurts the very core of the Univ funding. Which
side do you think CA is on now? If you said central IT, you need to come
back to a campus...
4. Switching to the ISP side now. My current employer runs the state-wide
backbone for K-12, Colleges, state government offices, etc. In the 4 months
that I have been here, I have learned that it isn't much different than a
campus. I have learned that I can do nothing on a client site. All I can
do is educate and hope that they listen. Or give them advice on cleaning up
the mess after they are defaced/attacked/whatever. I have no power over the
end user machines. And when you consider that most school districts can't
afford a full time computer person, the problem is compounded. You either
have the 3rd grade teacher, who was the only one available that day, as the
server admin. Or you have outside consultants, who are sometimes just as
clueless (side story: I had one consultant who didn't know what traceroute
was!). Do we pull the plug on them?? what about all the kiddies sitting in
classrooms with no Internet access because their server admin was clueless?
How do you think that looks in the political world?
OK, enough rambling but I don't see that a public ISP will be any different
than this state run ISP. The end users are responsible for their actions.
As a state entity, we have a slight advantage in that we can do end user
education on a regular basis but that doesn't seem to make a difference....
Beth Young
MOREnet Security
-----Original Message-----
From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 07, 2001 10:29 PM
To: Cessna, Michael
Cc: '[EMAIL PROTECTED]'
Subject: RE: This is a must read document. It will freak you out
You ignore all the .edu sites with compromised servers and such, all the
corporate machines that are compromised, there are tons of .gov sites that
are also insecure, and the middle mgt. corporate laptops that float in and
out of the corporate boundaries weekly..
Thanks,
Ron DuFresne
On Thu, 7 Jun 2001, Cessna, Michael wrote:
> just my $0.02
> I think the burden of preventing DDOS attacks needs to be placed on the
> ISPs not on an operating system or OS manufacturer.
> Let's face it most of the PC's on the internet are Windows PC's running
> with little or no security and many of those that have security are so
> flimsy as to be non-existent. How many home pc's have you seen running
> File and Print Sharing for Microsoft Networks! The main group of these
> users are Home Users who have little to no knowledge of what it is that
> their computer does. As far as they know they turn it on and go to a web
> address. These are the same people who think the WWW 'IS' the internet.
> Trying to control all of these machines is an almost impossible task.
> This is not a knock on Windows (I'll leave that argument alone thank you).
> If you gave these users a *NIX box we would be in the same boat, just a
> different ocean.
> Since we cannot reasonably control what is installed on every OS on the
> internet we should aim our concerns on the 'Traffic Aggregators' or ISPs.
> We must accept incoming traffic or else we can't do business on the
> internet, so we cannot constrain what we accept. Yes I know that we can
> block ip's and ports but if you are being hit by a DDOS which spoofs its
> source then you will block a connection from the legitimate source that
> has nothing to do with the DDOS thereby DDOSing yourself.....you get the
> idea.
> However constraining what packets can come out of our networks should be
> done by the ISP. If you have the 192.168.1.0/24 network then the router at
> your ISP should only pass packets of a 192.168.1.0/24 source.
> Dialup ISPs normally have a bank of DHCP IP addresses that are used for
> their customers; why then do they allow packets of a totally different
> network to originate from inside their network? I don't know the best way
> to have the ISP community accomplish this but it is common sense that if
> you cannot control ingress then control egress.
> In all other forms of commerce the seller is, within reason, responsible
> for misuses of the services they provide. Is it not reasonable to ask that
> an ISP ensures that the packets originating on its network are from a
> source ip on its network?
> Sorry for the rambling but I just don't see this as a technology issue per
> se, I feel that it is a policy issue more than anything. You should know
> what originates within your control and ensure that it does not disable or
> in any way degrade the services of others. And as much as I hate
> regulation, if the ISP's aren't doing anything about it maybe there needs
> to be one.
>
> Just my rambling thoughts,
>
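The source-address egress rule Cessna argues for (the ISP-side router passes only packets whose source lies in the prefix assigned to that customer port, including a dialup DHCP pool), written out as an added example for this thread; it is not code from any of the posters, and the prefixes and packets are constructed here for illustration:

```python
# Added example (not part of the original thread): simulate a per-customer
# source-address egress filter at the ISP edge and report what it would drop.
# Assumption: the prefixes and packets below are constructed sample data.
import ipaddress
from collections import Counter

# Constructed sample: a static /24 and a /25 stand-in for a dialup DHCP pool,
# both assigned to the same customer port.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]


def egress_allowed(src_ip: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """True only if the source address lies inside a prefix the ISP assigned
    to this customer port (the 'only pass your own source' rule)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Classify outbound packets: returns (forwarded, dropped, dropped-source counts).
    The counts are the operational signal: many spoofed sources from one port is
    what a DDOS zombie behind that port looks like to the ISP."""
    forwarded, dropped, counts = [], [], Counter()
    for pkt in packets:
        if egress_allowed(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            counts[pkt["src"]] += 1
    return forwarded, dropped, counts


# Constructed packets: legitimate traffic plus spoofed sources from the port.
SAMPLE_PACKETS = [
    {"src": "192.168.1.10",  "dst": "198.51.100.5", "dport": 80},
    {"src": "203.0.113.7",   "dst": "198.51.100.5", "dport": 25},
    {"src": "10.0.0.1",      "dst": "198.51.100.9", "dport": 53},  # not this customer's space
    {"src": "172.16.5.5",    "dst": "198.51.100.9", "dport": 53},  # not this customer's space
    {"src": "203.0.113.200", "dst": "198.51.100.9", "dport": 53},  # outside the /25 pool
]

if __name__ == "__main__":
    fwd, drop, counts = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for src, n in counts.most_common():
        print(f"  dropped {n} packet(s) with spoofed source {src}")
```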
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]