On Tue, Oct 23, 2012, Shahar Dag wrote about "RE: where to host web server":
> In a large system, you can't let users do whatever they want, you must
> protect your network. For example you will not let a user build & run a DNS
> server on the corporate network, you will give him a limited private
> network.
Treating your network as a "corporate network" is your first mistake ;-) A university is not a corporation, it's an institute of *learning*.

And why-the-heck NOT allow a student to run a DNS server?? Why not allow a student (say, a graduate student) to host, for example, some non-profit organization like "hamakor.org.il" or "imu.org.il" (the Israeli Mathematic Union)? And why not allow a student to develop the next generation DNS server, or invent its next replacement - and allow the student to try it on the real Internet?

Surely, not every student should be allowed such control, and not on every host - there can be rules, quotas, designated computers with full Internet access (while the rest are firewalled), and so on. If one student uses a shared computer to run a DNS server and takes 90% of its CPU, or half the network bandwidth, or does something illegal or for commercial benefit, he can be reprimanded. But why do you need a blanket rule that no student can ever have a DNS server, ever, regardless of reason? Just because it's easier for the admins, and easy to enforce?

> If a Technion user misbehaves on the internet, it may block all the Technion
> from access to some sites. We would like to prevent it.

This is wrong. One might say the same thing about Amazon (who hosts anybody) or any other place you send your students to. The reality is that everybody knows that large institutions cannot prevent individuals from misbehaving, and all anybody expects from you is to invest some effort in catching these misbehaviors - not to ensure that they never happen at all.

> If a student builds a web server, and the web server is open to the world,
> the student can use the server as a back door for anonymous entrance to the
> Technion via his server. To prevent this we limit the scope of access.

Anonymous access to what - to his own files? Yes, I know about privilege escalation bugs, and everything.
I have more than 20 years of experience in system administration and computer security ;-) But so what. Again - you're throwing out the baby with the bathwater. It's sad that I, who studied 20 years ago, had much more opportunity to learn about Internet protocols than students who study today - when it should have been easier, not harder, to be a *server* on the Internet.

Again, I'm not saying the security concerns don't exist. I'm just saying that they can be tolerated, to achieve the loftier goal which is to let the students experiment.

> 20 years ago the internet was considered a safe place, today it isn't so you
> must limit access.

No, 20 years ago the Internet was NOT a safe place, and every computer I had access to during that period was cracked at least once - including the most major computers in the Technion. But you know what - nothing terrible happened! And if anything, the Internet became safer since, not less safe. Today it's much easier to keep an (almost) hole-free computer, to run iptables, to separate between different users (virtual machines, computers, etc.), and so on.

The irony is that because of all these rules, what you end up doing is looking for a host that doesn't have these rules :-)

P.S. If it wasn't clear yet, I'll repeat: I am not suggesting that every single computer in the Technion should be globally routable (though this was the case 20 years ago). What I'm suggesting is that every department must have at least one or several such computers - running multi-user Linux or some cloud software with VMs, or something - and allow students to do things on it with some reasonable limitations (non-profit, legality, etc.). It will be easier for the Technion to set such a thing up, and it will not need to use Amazon and the likes.
-- 
Nadav Har'El                        |      Tuesday, Oct 23 2012, 7 Heshvan 5773
n...@math.technion.ac.il            |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |The only "intuitive" interface is the
http://nadav.harel.org.il           |nipple. After that, it's all learned.

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il