File services in an university network
![](https://seccdn.libravatar.org/avatar/fd999d596731c7039bab1f33e2042ba0.jpg?s=120&d=mm&r=g)
Hi List! I would like to hear your opinion on our fileserver installation, as I see a big difference between the de facto installations and the ones described in security how-tos and lists. As far as I can see, most university networks constist on computers with valid ip's directly connected to the net. These are Suns, PCs and Macs, with their own fileservices. I understand that this is dangerous. On the other hand, howtos and lists talk about DMZs, firewalls and very few protocols on the internet. So, following the advises, every network seams to need a "secure" side for the clients, and a DMZ for every server visible to the outside, and a lot of filters... I have to install a fileserver in an university network. We have our own local net, with a lot of clients, and the existing server behind our firewall (most of the network machines have suse linux here, some are solaris-based). But as the university has a lot of networks, I have to allow access to the server from the outside now. And there are all those platforms and protocols which need access... Appleshare/IP, SMB, FTP (what do you think about these protocols and security?). So the fileserver, which usually should be kept secure, is jumping into what should be the DMZ... I am considering to open the ports for smb and appleshare on the firewall with destination server now. I only allow encrypted passwords on appleshare and smb. I close everything else. In fact, I know that a server in the DMZ would be better, but than I would have to install one more machine, mount the directories to export via nfs :-( etc...and keep an eye on a lot of firewalls. So in my opinion, it's the best solution to have a SIMPLE configuration (with less misconfigurated services). And as I told you, if I compare with other networks, we still take a lot of care on our security. Anyway, I would like to hear your opinion, as this seams to be a quite common problem - universities don't have the possibility to maintain too complex installations, and on the other hand, everybody is working over the net here. Thank You, CU, Lars.
![](https://seccdn.libravatar.org/avatar/495f7b186ba99d12fc1a37bba32c7ed3.jpg?s=120&d=mm&r=g)
On Sun, 21 Oct 2001, Lars O. Grobe wrote:
Hi List!
I would like to hear your opinion on our fileserver installation, as I see a big difference between the de facto installations and the ones described in security how-tos and lists.
As far as I can see, most university networks constist on computers with valid ip's directly connected to the net. These are Suns, PCs and Macs, with their own fileservices. I understand that this is dangerous.
Probably....
On the other hand, howtos and lists talk about DMZs, firewalls and very few protocols on the internet. So, following the advises, every network seams to need a "secure" side for the clients, and a DMZ for every server visible to the outside, and a lot of filters...
I think Universities really do present a special case. In a business, it's possible to centralize each of these functions at least somewhat. But a university deals directly in the currency of ideas and information, and every professor and every class is going to want their own web content, files, mailing lists, etc, to be available to the students. They'll want their research papers to be available to colleagues across the country, they'll want their grad students to be able to instantly-update stuff on their own servers in realtime based on the outcome of experiments within minutes of the experiment's conclusion. With those needs, you can't really centralize the functions and I don't think you could put up an all-university firewall -- if you did, it would be a twenty-four-hours-a-day job to try to keep the configuration changed according to how everybody wanted to use it today. Also, your biggest security threat in a university is internal, not external -- ie, the student body and the small fraction of them prone to malicious mischief. You don't materially increase security by keeping *external* attackers out when at least 3/4 of your potential attacks are going to come from *internal* users. Offhand, I think in a university setting, professors who are willing to do their own administration should probably get their own block of internal or external IP addresses to play with, and it probably doesn't really matter all that much which. The best you can do is to try to make university-wide standards about secure administration, identify crucial machines, and become a real pain-in-the-butt if you don't get regular backups from those machines so you can restore them when (not if) they get hacked. But, if they're coming to *you* to do their configuration and administration for them, you have the responsibility to say, from time to time, "I won't do that for security reasons," When it's true. Bear
participants (2)
-
Lars O. Grobe
-
Ray Dillinger