TheSinner.net

ResNet Firewall Policy

This board is for WiredSoc members and non-members to discuss all things computer & IT related. Got a problem with your computer? Maybe someone here can help. This is also the place to post interesting techy news and other relevant stuff.

Postby teamonkey on Fri Mar 21, 2003 4:14 pm

Julian Crowe has just sent me an email regarding IT Services' firewall policy following a meeting of their security working party.

---

ResNet firewall policy

The first thing to understand is that the University is not a company
offering a commercial service to students, but a community whose members
are working towards a set of shared goals. Any policy that ITS might adopt
must be measured against a number of criteria:

* will it work?
* can we afford it?
* do we have time to implement it?
* is it fair to all members of the University community?

All these things have to be considered not in isolation, but in relation to
each other and to the University's essential functions of teaching and
research.

The University communications and IT infrastructure serves several
different parts of the community: the administration, teaching, research
and support staff, open access computer rooms for teaching and general student use, and ResNet. It is fair to say that because IT Services
doesn't operate in an environment where it can charge a commercial rate for
all of its activities it has to prioritise and ResNet cannot be regarded as
the first priority.

This unavoidable fact is reflected in a number of ways: the lack of
seven-day cover (which applies to all our services, not just ResNet), the
response time to individual faults (which is probably slower for ResNet
than for other parts of the service), and the restrictions imposed by the
firewall.

Within the ResNet service, we have to set priorities. Given that it cannot
be a comprehensive, commercial quality service, what should we try to offer
as a basic level of service? Clearly networked computers are now an
essential tool for students and our first priority within ResNet is to
provide the services required for learning, and for taking part in
University life: e-mail and internet access. We also recognise that many students use Instant Messaging to keep in touch with friends and family,
and so it is accepted that that should be supported on ResNet. (This needs
some qualification: different instant messaging services use different
ports, and we cannot undertake to cater for every instant messaging service
there is, only for the commonest ones.) We have discovered, as time goes
on, that a number of other networked services are used by students as part
of their educational experience. So e-mail and internet access form the
well-defined core service offered on ResNet, and at the edges there are a
range of other things which we are prepared to support up to a point and so
far as we are able. There are also other services which we are simply not
prepared to support, and these include things like Kazaa and games-playing
of any sort.

Among the considerations when we are asked to open up ports for a
particular purpose is that of even-handedness. If we accede to a
particular request the effort and security implications might be minimal,
but we might be committing ourselves to making similar concessions to many others whose claim to be a special case is as good.

The main control that we impose on ResNet is through the
firewall. Permitting a service will usually require us to "open up" a port
or range of ports on the firewall. Every port which we open will to some
extent reduce the level of security. All computer security is a matter of
compromise; to permit any activity, we have to open up some ports. When
asked to open up a given port or range of ports we have to balance the
advantage against the diminished security. Many services require the
opening up of a wide range of ports, and that is equivalent to making a
large breach in the firewall.

The issue of security is not the only point to consider. Network
administration is a complex and time-consuming job. We have to take what
steps we can to simplify the task of maintaining ResNet. The network is
not static; any component might require upgrading or patching at some time
during the year. Every modification to the firewall implies a complication
of this maintenance task, so when we say we cannot afford the time to make
modifications we are not referring only to a one-off investment of
time. Every increase in the complexity of the network builds up extra work
for the future. We believe that what staff resources we can spare for
ResNet should go towards improving the reliability of the basic service,
rather than extending the range of facilities that are supported.

We should add that connection to ResNet is not a right. The University
provides facilities for e-mail and access to teaching material in 24-hour
computer classrooms, so a ResNet connection cannot in most cases be
regarded as essential for academic purposes. ITS will disconnect users
from ResNet in cases of serious misuse of the computer network. The fact
that an activity is not prevented by the firewall does not entail that it
is permitted by University rules. Transmission of abusive, offensive or
menacing messages by e-mail or Instant Messaging Services is regarded as a
serious breach of the rules. Peer to peer file sharing is not only
unadvisable from the point of view of your own computer's security, it is also a highly inefficient use of the network, and is not permitted.
Similarly, activities such as downloading pornography or copyright
protected material, though physically possible through the firewall, are
strictly forbidden. Finally, all ResNet users are reminded that they must
keep their PCs protected against viruses, by installing anti-virus software
and keeping its virus database up-to-date. If it is found that a networked
computer is infected with a virus that could infect others it will be
disconnected until it has been disinfected.
teamonkey
 
Posts: 371
Joined: Thu Jan 01, 1970 12:00 am
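The ITS policy above can be read as a concrete ruleset: inbound connections refused, outbound default-deny with exceptions for e-mail, web and the commonest IM services, and every approved request counted as so many extra open ports. The model below is an added example of mine, not ITS's configuration; the port numbers, the Kazaa and game-port figures in the usage, and the class itself are my assumptions.

```python
"""Model of the ResNet firewall as the ITS message describes it.

Added example, not ITS's configuration. Assumptions: inbound connections are
refused outright, outbound is default-deny with a per-service allow list, and
the port numbers are the well-known ones for each service (the page names
services, not numbers).
"""
from dataclasses import dataclass, field

# Constructed service table: each entry is the set of TCP ports that must be
# "opened up" on the firewall for that service to work.
SUPPORTED_SERVICES = {
    "email": {25, 110, 143, 993, 995},  # SMTP, POP3, IMAP and their TLS variants
    "web": {80, 443},                   # HTTP, HTTPS
    "im": {1863, 5050, 5190},           # MSN, Yahoo, AIM/ICQ: the commonest IM services
}


@dataclass
class ResNetFirewall:
    # Services currently permitted; starts with the "core" set from the policy.
    services: dict = field(default_factory=lambda: dict(SUPPORTED_SERVICES))

    def open_ports(self) -> set:
        """Union of every outbound port the current policy leaves open."""
        return set().union(*self.services.values())

    def decide(self, direction: str, dst_port: int) -> str:
        """Return "allow" or "deny" for a new connection attempt."""
        if direction == "inbound":
            return "deny"  # ResNet hosts are never reachable from outside
        if direction != "outbound":
            raise ValueError(f"unknown direction: {direction}")
        return "allow" if dst_port in self.open_ports() else "deny"

    def cost_of_request(self, ports: set) -> int:
        """How many *additional* ports a request would open, i.e. how much
        it widens the breach, without changing the policy."""
        return len(set(ports) - self.open_ports())

    def approve(self, name: str, ports: set) -> int:
        """Open the ports for a new service and report how many were new."""
        added = self.cost_of_request(ports)
        self.services[name] = set(ports)
        return added


if __name__ == "__main__":
    fw = ResNetFirewall()
    print(fw.decide("outbound", 1214))                      # Kazaa (assumed port): deny
    print(fw.cost_of_request(set(range(27000, 27051))))     # a game needing 51 ports: a large breach
```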

Re:

Postby Greebo on Fri Mar 21, 2003 5:20 pm

No surprises in there
Cheers for posting!

[hr]http://greebopichost.netfirms.com - Loadsa drunken photos and suchlikes.
Greebo
 
Posts: 1139
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby Prophet Tenebrae on Fri Mar 21, 2003 5:43 pm

Ah, so the glib interpretation would be:

1. They are scared of the millions of hackers that want to destroy our network.

2. They don't want to do any extra work.

3. They're just obtuse on the subject.
Prophet Tenebrae
 

Re:

Postby rr12 on Fri Mar 21, 2003 8:23 pm

So can we play internet games?
rr12
 
Posts: 166
Joined: Mon Feb 17, 2003 10:45 pm

Re:

Postby teamonkey on Fri Mar 21, 2003 11:02 pm

[s]Prophet Tenebrae wrote on 17:43, 21st Mar 2003:
Ah, so the glib interpretation would be:

1. They are scared of the millions of hackers that want to destroy our network.


Don't knock it. You wouldn't think anyone would want to hack wired, but they tried. How many times have the CompSci boxes been rooted by various script kiddies? In the last year my firewall's blocked several automated attempts to find an exploit in my box, and I'm just a home user.

2. They don't want to do any extra work.

I think the point was that they don't have the resources to do any extra work.

3. They're just obtuse on the subject.

I wouldn't say obtuse. There's no surprises here, but there do have to be rules. Note that they are aware of the needs of the students. They're not blocking the instant messaging ports even though it's a security risk, for example, because they know that communication is essential.
teamonkey
 
Posts: 371
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby beenabadbunny on Sat Mar 22, 2003 9:55 am

[s]rr12 wrote on 20:23, 21st Mar 2003:
So can we play internet games?


ITS: "There are also other services which we are simply not
prepared to support, and these include things like Kazaa and games-playing
of any sort."

No.
beenabadbunny
 
Posts: 17
Joined: Sat Mar 08, 2003 7:49 pm

Re:

Postby Wong on Sat Mar 22, 2003 11:39 am

Message I got from a hacker in the middle of last week:

"Can u tell me the IP address of the computer ur on ...Because i wanna try to take ova ur comp"

After running it through Babelfish a couple of times, I did discover that it was in fact in mangled English. I haven't had any hacking problems more competent than this one.

[hr]And I see the lies and I hear the cries
And the marching of the people
As they go to war, Heaven knows what for
God, I think I've had enough now
No tree has branches so foolish as to fight among themselves
Wong
 
Posts: 1781
Joined: Tue Nov 19, 2002 8:28 pm

Re:

Postby teamonkey on Sat Mar 22, 2003 11:59 am

[s]Wong wrote on 11:39, 22nd Mar 2003:
Message I got from a hacker in the middle of last week:

"Can u tell me the IP address of the computer ur on ...Because i wanna try to take ova ur comp"


The correct reply is "127.0.0.1"
teamonkey
 
Posts: 371
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby RaphX on Sat Mar 22, 2003 12:25 pm

[s]beenabadbunny wrote on 09:55, 22nd Mar 2003:
[s]rr12 wrote on 20:23, 21st Mar 2003:[i]
So can we play internet games?


ITS: "There are also other services which we are simply not
prepared to support, and these include things like Kazaa and games-playing
of any sort."

No.
[/i]
I don't like the use of the word "support" in there. If they say it's not allowed, why don't they just say so, instead of coming up with such smarmy crap?


[hr]

Let it be a joke
Let it be a smile
Let it be a farce if it makes me laugh for a little while
Let it be a tear
Let it be a sigh
Coming from a heart, speaking to a heart, let it be a cry
RaphX
 

Re:

Postby TheGamesMaster on Sat Mar 22, 2003 2:57 pm

I think the point in relation to gaming is that they will tolerate you doing it on the network but they won't make any effort to make it work and if it doesn't, so tough.

So I'm not taking what was said as a no. Cause they know people play games on the network and if they didn't want people to play at all they would have said, as they do mention other specific things that are not allowed.
TheGamesMaster
 
Posts: 966
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby Valen_gr on Sat Mar 22, 2003 5:55 pm

yes, i think it is safe to say that gaming online is not going to be.....

[hr]where's spoon????
-There is no spoon!!
Two things are infinite: the universe and human stupidity; and I'm not sure about the universe....
Valen_gr
 
Posts: 636
Joined: Fri Nov 15, 2002 5:59 pm

Re:

Postby teamonkey on Sun Mar 23, 2003 2:11 pm

Julian does seem interested in what we have to say. Breaking the notion that nobody at ITS works at weekends, he's suggested that if we have any issues (or potential solutions) we present them to him in "digest form".

Post suggestions below.
teamonkey
 
Posts: 371
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby MrGreedy on Mon Mar 24, 2003 3:08 am

A clear and unambiguous declaration of any changes in the service from year-to-year would be useful. The firewall was a pretty big surprise to spring this year, so it would have been nice to know about it before I'd coughed up for the year.
MrGreedy
 
Posts: 241
Joined: Thu Sep 26, 2002 8:57 pm

Re:

Postby Valen_gr on Mon Mar 24, 2003 9:25 am

plus, i am sure you remember, but all the break ups in resnet last year were due to the upgrades they did to the network, ie new routers etc. It worked just fine with no firewall and all ports open. Only this year WITH the firewall have we had these numerous network outages caused by the firewall itself. Somehow i do not think that the security issue is so big. They managed fine all these years no problem. Or at least, very few, and in any case, end result, even if hackers did cause problems, the firewall caused more this year. Either install a good one (perhaps a hardware one) or do away with it.
[hr]where's spoon????
-There is no spoon!!
Two things are infinite: the universe and human stupidity; and I'm not sure about the universe....
Valen_gr
 
Posts: 636
Joined: Fri Nov 15, 2002 5:59 pm

Re:

Postby teamonkey on Mon Mar 24, 2003 12:08 pm

[s]Valen_gr wrote on 09:25, 24th Mar 2003:
It worked just fine with no firewall and all ports open. Only this year WITH the firewall have we had these numerous network outages caused by the firewall itself.


It's always been like that as long as I can remember, even before the current firewall.

Somehow i do not think that the security issue is so big. They managed fine all these years no problem.

Things change. Bandwidth dedicated to P2P file sharing has increased exponentially in recent years. Script kiddies don't need any hacking knowledge to attack a box, just an automated root kit. More and more people are using the net. More people are using ResNet and need to be connected.

Also, the network's been upgraded. The university is sitting on top of a big fat pipe that's a juicy target for crackers and spam merchants.

even if hackers did cause problems, the firewall caused more this year.

Unlikely. A rooted machine can take weeks to get online again, not to mention the service callout charges and the value of lost or stolen data. The firewall only really affects ResNet, and only for a few days.

Either install a good one (perhaps a hardware one)

It is hardware (that is, it's a dedicated firewall box). But I can't help but feel that a box running NetBSD would be safer and more stable, and require minimal Unix administration skills.

or do away with it.

Not an option. Leave a Windows box on the end of a fixed IP for a few months and see what happens.


Oh, and you won't have the option of paying for ResNet next year if they go ahead with the proposals to incorporate the costs into Hall fees.
teamonkey
 
Posts: 371
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby James Baster on Tue Mar 25, 2003 3:59 pm

Resnet has always been firewalled for incoming connections. Only outgoing port blocking was added this year.

And I agree with teamonkey, you need the incoming connections firewalled for security reasons.
James Baster
 

Re:

Postby James Baster on Tue Mar 25, 2003 4:04 pm

[s]teamonkey wrote on 12:08, 24th Mar 2003:
[s]Valen_gr wrote on 09:25, 24th Mar 2003:[i]
[i]or do away with it.


Not an option. Leave a Windows box on the end of a fixed IP for a few months and see what happens.[/i]

Or a Linux one too.

James "I'm a computer Scientist who doesn't think Linux is God" Baster.
James Baster
 

Re:

Postby teamonkey on Tue Mar 25, 2003 4:15 pm

[s]James Baster wrote on 16:04, 25th Mar 2003:
[s]teamonkey wrote on 12:08, 24th Mar 2003:[i]
Not an option. Leave a Windows box on the end of a fixed IP for a few months and see what happens.


Or a Linux one too.
[/i]

True. I'm not saying that Linux is invulnerable, but most hacking tools, viruses and stuff are aimed at Windows insecurities.
teamonkey
 
Posts: 371
Joined: Thu Jan 01, 1970 12:00 am
