Re: [suse-linux-uk-schools] Open Source pr Propriety

On Tuesday 02 December 2003 12:25, ICT Support Officer wrote:
> I can knock them all as far as I can throw them. Just a question for you -> When you and millions of others are connecting to their broadband service from home or office do they not have full access to all the ports? I am in fact running my own mail and web servers from home using my broadband connection. Why should schools be an exception? All the ISPs are doing is providing a pipe between you and the Internet. I think you missed the point here.
I don't think so. I'm sure that you have a setup like mine. My ADSL line goes into a smoothwall box which I keep fully patched and monitor the logs. All my machines behind that firewall are fully patched linux machines. I'm confident that, whilst I'm not 100% secure, I'm a much harder target than the majority of machines sat on the internet. A couple of weeks ago I installed a smoothwall machine for a neighbour because his XP machine had been hacked to bits via his NTL cable broadband connection. I even persuaded him to install SuSE instead of XP. Now he's a happy man, but in the first 10 minutes of operation, his smoothwall machine blocked over 100 hostile attempts on his network. Don't get me wrong, I'm sure that you are aware of the issues and can cope with them, but if you opened all the ports to most schools, their networks would essentially be unavailable for use by the pupils and staff almost all the time.
> Your statistics (almost 100%) are also wrong. Almost everyone here on this list is to some extent proficient enough to do that.
I'm sure that a good number of people on this list are to some extent proficient enough. However, even if everyone on this list was very good at network security, that would still account for a small fraction of 1% of UK schools (unless there are hundreds of lurkers on the list). And in the schools I've been in, even where the technical staff have much higher than average levels of competence, I don't believe they have time to sit down each morning, digest and act upon all the security bulletins, patch machines etc. They already have an overfull workload without this.
> In any case the security issue is for schools to worry about and not the ISPs. If schools don't have the technical experts to run a school network then they should invest in hiring skilled technicians but I know that they do.
It would be great if schools funded technical experts to this level, but they don't and it's not a change that is likely to happen quickly. I don't know of any well paid technical staff in any UK school - now that Chris Puttick has gone back to industry :) - and this is a situation that needs to be addressed. However, at the moment, opening the ports on the LEA firewall would essentially shut down ICT in most UK schools, and whilst that would send a useful message to all involved, I can fully understand why LEAs and ISPs don't want to do it.
Cheers -- Phil Driscoll

And I hope you did not misunderstand my point either. All we want is to have a public IP address and have most ports left open for it to be workable. It does not cost more than £150 to buy a very simple hardware firewall and VPN equipment. I got one for £75 from D-link and internally I use NAT both at home and school. This cheap firewall can be installed in all schools and set up once and that is it. Complex software firewalling may cause unease for many schools, like you put it, so hardware solutions are much better. Unfortunately, since we don't have a Public IP address at the school, we are unable to run many services like a Web server, Mail server, all open source and free.
Regards
Mustafa Gural
----- Original Message -----
From: "Phil Driscoll" <phil@dialsolutions.co.uk>
To: "ICT Support Officer" <ict@canonpalmer.com>
Cc: "SuSe" <suse-linux-uk-schools@suse.com>
Sent: Tuesday, December 02, 2003 12:46 PM
Subject: Re: [suse-linux-uk-schools] Open Source pr Propriety
On Tuesday 02 December 2003 12:25, ICT Support Officer wrote:
> I can knock them all as far as I can throw them. Just a question for you -> When you and millions of others are connecting to their broadband service from home or office do they not have full access to all the ports? I am in fact running my own mail and web servers from home using my broadband connection. Why should schools be an exception? All the ISPs are doing is providing a pipe between you and the Internet. I think you missed the point here.
I don't think so. I'm sure that you have a setup like mine. My ADSL line goes into a smoothwall box which I keep fully patched and monitor the logs. All my machines behind that firewall are fully patched linux machines. I'm confident that, whilst I'm not 100% secure, I'm a much harder target than the majority of machines sat on the internet.
A couple of weeks ago I installed a smoothwall machine for a neighbour because his XP machine had been hacked to bits via his NTL cable broadband connection. I even persuaded him to install SuSE instead of XP. Now he's a happy man, but in the first 10 minutes of operation, his smoothwall machine blocked over 100 hostile attempts on his network.
Don't get me wrong, I'm sure that you are aware of the issues and can cope with them, but if you opened all the ports to most schools, their networks would essentially be unavailable for use by the pupils and staff almost all the time.
> Your statistics (almost 100%) are also wrong. Almost everyone here on this list is to some extent proficient enough to do that.
I'm sure that a good number of people on this list are to some extent proficient enough. However, even if everyone on this list was very good at network security, that would still account for a small fraction of 1% of UK schools (unless there are hundreds of lurkers on the list). And in the schools I've been in, even where the technical staff have much higher than average levels of competence, I don't believe they have time to sit down each morning, digest and act upon all the security bulletins, patch machines etc. They already have an overfull workload without this.
> In any case the security issue is for schools to worry about and not the ISPs. If schools don't have the technical experts to run a school network then they should invest in hiring skilled technicians but I know that they do.
It would be great if schools funded technical experts to this level, but they don't and it's not a change that is likely to happen quickly. I don't know of any well paid technical staff in any UK school - now that Chris Puttick has gone back to industry :) - and this is a situation that needs to be addressed. However, at the moment, opening the ports on the LEA firewall would essentially shut down ICT in most UK schools, and whilst that would send a useful message to all involved, I can fully understand why LEAs and ISPs don't want to do it.
Cheers -- Phil Driscoll

On Tuesday 02 December 2003 13:03, ICT Support Officer wrote:
> All we want is to have a public IP address and have most ports left open for it to be workable. It does not cost more than £150 to buy a very simple hardware firewall and VPN equipment. I got one for £75 from D-link and internally I use NAT both at home and school. This cheap firewall can be installed in all schools and set up once and that is it.
Oh no it isn't! What about the inevitable vulnerabilities which are discovered and exploited in the hardware firewall?
> Complex software firewalling may cause unease for many schools, like you put it, so hardware solutions are much better.
It should cause unease! Security is a serious and complex business, schools *should* be worried by it, but they won't address the problem with a 70 quid box they can fit and forget.
> Unfortunately, since we don't have a Public IP address at the school, we are unable to run many services like a Web server, Mail server, all open source and free.
These are all difficult to set up securely without a fairly high degree of understanding and a constant eye open for vulnerabilities. Again, you can't just 'fit and forget'. Don't get me wrong - it would be great if schools could have access to the level of competence required to do all this stuff, but it isn't going to happen on a widespread basis without an extraordinary increase in training and salary budgets for technical staff.
Cheers -- Phil Driscoll