DigitalVinyl (Guest)
Posted: Thu Nov 17, 2005 5:26 am
Post subject: Any University/College admins out there?

I'm wondering if there are any firewall (or network) admins for
Universities or Colleges out there.
I find the approach to network security borders on schizoid.
Depending upon the momentary mood it is OPEN EVERYTHING, shut down
everything, do whatever, change nothing. I'm wondering if this is a
lax academic thing or isolated to this mgmt team. It seems to be the
historical norm from people talking here.
I'm curious how others structure things to sort out dormitory/ISP
service, public common areas, classrooms, faculty and administration
levels of access.
Too much is done via ACL on routers here from my perspective.
Also this staff is seriously undermanned.

Somebody. (Guest)
Posted: Fri Nov 18, 2005 4:06 am
Post subject: Re: Any University/College admins out there?

"DigitalVinyl" <DigitalVinyl@internet.com> wrote in message
news:r1fnn19d410j14trc3ma32e62875omir3o@4ax.com...
> I'm wondering if there are any firewall (or network) admins for
> Universities or Colleges out there.
> I find the approach to network security borders on schizoid.
> Depending upon the momentary mood it is OPEN EVERYTHING, shut down
> everything, do whatever, change nothing. I'm wondering if this is a
> lax academic thing or isolated to this mgmt team. It seems to be the
> historical norm from people talking here.
> I'm curious how others structure things to sort out dormitory/ISP
> service, public common areas, classrooms, faculty and administration
> levels of access.
> Too much is done via ACL on routers here from my perspective.
> Also this staff is seriously undermanned.

The most common problem is academic freedom -- users claim they must be
allowed *everything* in the name of academic freedom, blocking anything
(peer to peer, adware, port, viruses) infringes on this freedom.
Firewall teams often can't get blocking of much of anything approved.
Many places follow the "survival of the fittest" paradigm. Users are on
their own, some departments deploy their own security measures at their own
boundaries, and around their own servers.

-Russ.

Triffid (Guest)
Posted: Fri Nov 18, 2005 9:22 am
Post subject: Re: Any University/College admins out there?

DigitalVinyl wrote:
> "Somebody." <somebody.@spamout.russdoucet.com> wrote:
>> "DigitalVinyl" <DigitalVinyl@internet.com> wrote in message
>> news:r1fnn19d410j14trc3ma32e62875omir3o@4ax.com...
>>> I'm wondering if there are any firewall (or network) admins for
>>> Universities or Colleges out there.
>>> I find the approach to network security borders on schizoid.
>>> Depending upon the momentary mood it is OPEN EVERYTHING, shut down
>>> everything, do whatever, change nothing. I'm wondering if this is a
>>> lax academic thing or isolated to this mgmt team. It seems to be the
>>> historical norm from people talking here.
>>> I'm curious how others structure things to sort out dormitory/ISP
>>> service, public common areas, classrooms, faculty and administration
>>> levels of access.
>>> Too much is done via ACL on routers here from my perspective.
>>> Also this staff is seriously undermanned.
>> The most common problem is academic freedom -- users claim they must be
>> allowed *everything* in the name of academic freedom, blocking anything
>> (peer to peer, adware, port, viruses) infringes on this freedom.
> Well the Colleges named in the RIAA lawsuits miraculously found legal
> justification for growing a spine. :-)
> However, having that approach is fine, that means you are an ISP.
> Which means you structure your services as an ISP not a business.
> Especially since they do residences and open public areas. Setting up
> these things the same way you do a private business is insane in my
> mind.
>> Firewall teams often can't get blocking of much of anything approved.
>> Many places follow the "survival of the fittest" paradigm. Users are on
>> their own, some departments deploy their own security measures at their own
>> boundaries, and around their own servers.
> I advocate firewalling internally from such "wild" segments. If I'm
> responsible for a business' security and segments are out of IT's
> control I've pushed to treat them as third party vendors. Management
> laughs it off at first until they are attacked by the sloppy to
> disastrous implementations of those wild groups. Then they realize my
> suggestion would have limited the damage.
> I'm currently jockeying to use a firewall to implement the residences
> as a DMZ separate from administration with a dedicated firewall to the
> Internet. Campus-wide attacks from residence PCs are daily events.

I would take the view that administration is a business, in particular
one that manages personal information, while residences require ISP
services. On that basis each would have a dedicated Internet connection,
and there would be _no_ internal interconnections.
In practice that probably won't fly - but it's your ideal architecture,
so you assess risk and apply controls every time you are forced to deviate.

Triffid

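Triffid's two-business model, written out as a small deny-by-default zone policy. This is an added example, not code from the thread or from any of the posters: each network may reach only its own dedicated uplink, the baseline contains no admin/residence path at all, and a deviation from that ideal is accepted only when it records the risk and the compensating control that goes with it. The zone names, the `Deviation` record layout and the student-portal exception are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Zone(Enum):
    ADMIN = "admin"            # the "business" side: offices, personal information
    RESIDENCE = "residence"    # the "ISP" side: dormitory subscribers
    INET_ADMIN = "inet-admin"  # dedicated Internet uplink for administration
    INET_RES = "inet-res"      # dedicated Internet uplink for residences


@dataclass(frozen=True)
class Deviation:
    """A documented departure from the ideal architecture (assumed record layout)."""
    src: Zone
    dst: Zone
    service: str   # label for the permitted service, e.g. "https/443"
    risk: str      # what the path exposes if it is abused
    control: str   # compensating control applied on the path


class ZonePolicy:
    # Baseline: each network may initiate connections only to its own uplink.
    # There is deliberately no ADMIN<->RESIDENCE pair here.
    BASELINE = frozenset({
        (Zone.ADMIN, Zone.INET_ADMIN),
        (Zone.RESIDENCE, Zone.INET_RES),
    })

    def __init__(self) -> None:
        self.deviations: Dict[Tuple[Zone, Zone, str], Deviation] = {}

    def deviate(self, d: Deviation) -> None:
        """Accept a deviation only if it carries both a risk statement and a control."""
        if (d.src, d.dst) in self.BASELINE:
            raise ValueError("path already permitted by the baseline")
        if not d.risk.strip() or not d.control.strip():
            raise ValueError("deviation must record its risk and a compensating control")
        self.deviations[(d.src, d.dst, d.service)] = d

    def decide(self, src: Zone, dst: Zone, service: str) -> str:
        """Verdict for a connection initiated from src to dst for the named service."""
        if (src, dst) in self.BASELINE:
            return "allow"
        if (src, dst, service) in self.deviations:
            return "allow-by-exception"
        return "deny"   # default: no path exists between these zones

    def internal_interconnections(self) -> List[Deviation]:
        """Every admin<->residence path in force; in the ideal architecture this is empty."""
        internal = {Zone.ADMIN, Zone.RESIDENCE}
        return [d for d in self.deviations.values()
                if d.src in internal and d.dst in internal]


def deviation_accepted(policy: ZonePolicy, d: Deviation) -> bool:
    """True if the policy accepted the deviation, False if it was rejected."""
    try:
        policy.deviate(d)
        return True
    except ValueError:
        return False


def build_campus_policy() -> ZonePolicy:
    """Constructed example: residences need one service hosted on the admin side."""
    policy = ZonePolicy()
    policy.deviate(Deviation(
        Zone.RESIDENCE, Zone.ADMIN, "https/443",
        risk="the student portal becomes reachable from thousands of unmanaged desktops",
        control="permit only the portal address, terminate TLS on a reverse proxy, log sessions",
    ))
    return policy


if __name__ == "__main__":
    p = build_campus_policy()
    for src, dst, svc in [(Zone.ADMIN, Zone.INET_ADMIN, "https/443"),
                          (Zone.RESIDENCE, Zone.ADMIN, "https/443"),
                          (Zone.RESIDENCE, Zone.ADMIN, "smb/445"),
                          (Zone.RESIDENCE, Zone.INET_ADMIN, "https/443")]:
        print(f"{src.value:>10} -> {dst.value:<10} {svc:<9} {p.decide(src, dst, svc)}")
    print("internal interconnections in force:", len(p.internal_interconnections()))
```

The point of `internal_interconnections()` is that every forced deviation stays visible as a list you can review, rather than disappearing into a router ACL; a residence host reaching an admin file share is denied because no such path was ever written down.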
DigitalVinyl (Guest)
Posted: Fri Nov 18, 2005 9:22 am
Post subject: Re: Any University/College admins out there?

"Somebody." <somebody.@spamout.russdoucet.com> wrote:
> "DigitalVinyl" <DigitalVinyl@internet.com> wrote in message
> news:r1fnn19d410j14trc3ma32e62875omir3o@4ax.com...
>> I'm wondering if there are any firewall (or network) admins for
>> Universities or Colleges out there.
>> I find the approach to network security borders on schizoid.
>> Depending upon the momentary mood it is OPEN EVERYTHING, shut down
>> everything, do whatever, change nothing. I'm wondering if this is a
>> lax academic thing or isolated to this mgmt team. It seems to be the
>> historical norm from people talking here.
>> I'm curious how others structure things to sort out dormitory/ISP
>> service, public common areas, classrooms, faculty and administration
>> levels of access.
>> Too much is done via ACL on routers here from my perspective.
>> Also this staff is seriously undermanned.
> The most common problem is academic freedom -- users claim they must be
> allowed *everything* in the name of academic freedom, blocking anything
> (peer to peer, adware, port, viruses) infringes on this freedom.

Well the Colleges named in the RIAA lawsuits miraculously found legal
justification for growing a spine. :-)
However, having that approach is fine, that means you are an ISP.
Which means you structure your services as an ISP not a business.
Especially since they do residences and open public areas. Setting up
these things the same way you do a private business is insane in my
mind.

> Firewall teams often can't get blocking of much of anything approved.
> Many places follow the "survival of the fittest" paradigm. Users are on
> their own, some departments deploy their own security measures at their own
> boundaries, and around their own servers.

I advocate firewalling internally from such "wild" segments. If I'm
responsible for a business' security and segments are out of IT's
control I've pushed to treat them as third party vendors. Management
laughs it off at first until they are attacked by the sloppy to
disastrous implementations of those wild groups. Then they realize my
suggestion would have limited the damage.
I'm currently jockeying to use a firewall to implement the residences
as a DMZ separate from administration with a dedicated firewall to the
Internet. Campus-wide attacks from residence PCs are daily events.

> -Russ.

DigitalVinyl (Guest)
Posted: Sun Nov 20, 2005 1:34 am
Post subject: Re: Any University/College admins out there?

Triffid <triffid@nebula.net> wrote:
> I would take the view that administration is a business, in particular
> one that manages personal information, while residences require ISP
> services. On that basis each would have a dedicated Internet connection,
> and there would be _no_ internal interconnections.
> In practice that probably won't fly - but it's your ideal architecture,
> so you assess risk and apply controls every time you are forced to deviate.
> Triffid

Well lawsuits and visits from the police to IT will slowly change
that. They have both happened since computer-based crimes are being
committed on campus, some using college systems and access.
The funny part is it is much easier to act as an ISP than to attempt
control over them and protect yourself from 10,000 somewhat-privileged
desktops inside your network. Hell, we protect ourselves from the 4
billion internet addresses every day. 99.99% of all scans and attacks
that hit our desktops and servers are INSIDE the firewall. The
internet doesn't pose anywhere near the danger the internal community
does.
Tracking down these units and policing them is time consuming and the
network staff here is pathetically sized. Honestly, mgmt must be on
crack to think they could run this network with so few bodies.

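The claim that nearly all scans hitting desktops originate inside the firewall is something the firewall's own drop log can measure, and the same pass produces the list of internal hosts to track down first. The following added example (not code from the thread) parses constructed iptables-style DROP lines, maps each source address to residence, admin or Internet using assumed prefixes, and reports the internal share of dropped connections plus the busiest internal sources. The log format, the address plan and the sample lines are all constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed address plan: which prefixes are residences and which are administration.
# Anything that matches neither is treated as the Internet.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "residence": [ipaddress.ip_network("10.200.0.0/16")],
    "admin": [ipaddress.ip_network("10.10.0.0/16")],
}

# Field order as written by the iptables LOG target; only the fields used here are captured.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")

# Constructed DROP lines for the illustration (not real logs).
SAMPLE_LOG = """\
Nov 20 01:10:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.200.4.17 DST=10.10.1.5 PROTO=TCP SPT=3456 DPT=445
Nov 20 01:10:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.200.4.17 DST=10.10.1.6 PROTO=TCP SPT=3457 DPT=445
Nov 20 01:10:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.200.4.17 DST=10.10.1.7 PROTO=TCP SPT=3458 DPT=445
Nov 20 01:10:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.200.4.17 DST=10.10.1.8 PROTO=TCP SPT=3459 DPT=139
Nov 20 01:11:10 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.200.9.2 DST=10.10.2.20 PROTO=TCP SPT=1025 DPT=135
Nov 20 01:11:11 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.200.9.2 DST=10.10.2.21 PROTO=TCP SPT=1026 DPT=135
Nov 20 01:12:40 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.200.31.80 DST=10.10.1.5 PROTO=TCP SPT=2048 DPT=1433
Nov 20 01:13:02 fw kernel: DROP IN=eth0 OUT=eth0 SRC=10.10.5.40 DST=10.10.1.5 PROTO=TCP SPT=40000 DPT=22
Nov 20 01:14:21 fw kernel: DROP IN=eth2 OUT=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=6000 DPT=80
Nov 20 01:14:22 fw kernel: DROP IN=eth2 OUT=eth0 SRC=203.0.113.99 DST=203.0.113.10 PROTO=UDP SPT=5000 DPT=1434
Nov 20 01:15:00 fw sshd[4711]: Accepted publickey for netadmin from 10.10.5.40 port 50122
"""


def zone_of(ip: str) -> str:
    """Name of the zone an address belongs to; unmatched addresses count as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def parse_drop(line: str) -> Optional[Tuple[str, str, int]]:
    """(src, dst, dport) for a DROP line; None for anything else in the syslog stream."""
    if " DROP " not in line:
        return None
    m = LOG_RE.search(line)
    return (m["src"], m["dst"], int(m["dpt"])) if m else None


def summarize(log_text: str) -> dict:
    """Count drops per source zone and rank the internal hosts generating them."""
    by_zone: Counter = Counter()
    hosts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec is None:
            continue
        src, _dst, _dport = rec
        zone = zone_of(src)
        by_zone[zone] += 1
        if zone != "internet":
            hosts[src] += 1          # candidates for the "track down and police" list
    total = sum(by_zone.values())
    internal = total - by_zone["internet"]
    return {
        "total_drops": total,
        "by_source_zone": dict(by_zone),
        "internal_share": round(internal / total, 3) if total else 0.0,
        "top_internal_sources": hosts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, eight of ten drops come from inside, and one residence host accounts for half of those; with real logs the ranking is what lets a three-person group spend its time on the few machines doing most of the scanning.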
Robert (Guest)
Posted: Sun Nov 20, 2005 1:53 am
Post subject: Re: Any University/College admins out there?

On Sat, 19 Nov 2005 19:34:27 +0000, DigitalVinyl wrote:
> Tracking down these units and policing them is time consuming and the
> network staff here is pathetically sized. Honestly, mgmt must be on
> crack to think they could run this network with so few bodies.

It can only get worse before it gets better. Things have to come to a
grinding halt before they will see that things in their fantasy world do
not function in the real world and fire more staff.
--
Regards
Robert
Smile... it increases your face value!

DigitalVinyl (Guest)
Posted: Mon Nov 21, 2005 3:07 am
Post subject: Re: Any University/College admins out there?

Robert <noone@noplace.nowhere> wrote:
> On Sat, 19 Nov 2005 19:34:27 +0000, DigitalVinyl wrote:
>> Tracking down these units and policing them is time consuming and the
>> network staff here is pathetically sized. Honestly, mgmt must be on
>> crack to think they could run this network with so few bodies.
> It can only get worse before it gets better. Things have to come to a
> grinding halt before they will see that things in their fantasy world do
> not function in the real world and fire more staff.

Well that has happened repeatedly and the response was bring in the
consultants. Three years and several million later things have
degraded again and I'm trying to rebuild basic standards back into the
system.
I am curious as to what staffing levels other univ have. I mean, do
academics always short-staff this ridiculously? I've spoken up
repeatedly but it falls on deaf ears.
If anyone would like to compare notes, I'd be interested in the
staffing levels for the networking group (outside of running cables,
that's generally telecom's).

3 full time positions + manager
=======================================
6 locations, 11 T1 WAN circuits
20 routing nodes
225 switches with ~13,000 ports
(9000 admin, 4000 residences)
full wifi deployment (700 APs, 13,000 MACs registered)
3 sets of firewall
2 packeteers
2 VPN appliances
45Mb Internet increasing to 100Mb (because 45 is maxed out)
plus several monitoring solutions (for all of the above) plus some
associated service servers (ACS, RADIUS, SYSLOG, but not DNS)

Absolutely NO ONE else on campus touches or has admin access to any of
this equipment. Other groups can cable into switchports, but VLAN
changes have to be done by one of us.
I've worked at two other organizations with 1/5th to 1/10 the size of
this organization and they had 3 people + a manager. It is no wonder
to me things deteriorate so badly.