Re: FC3 Security

Scot L. Harris wrote:

On Tue, 2005-03-08 at 23:10, Rick Bilonick wrote:


I have a half-million dollar grant for research and with some of this money I recently assembled a computer with dual Opteron processors, 2 GB of memory, 240 GB of hard drive, and 500 GB for a RAID disk array. The computer will be doing some heavy duty number crunching (using R and other open source software). I installed FC3 (64-bit) without any problems, applied to the university computer dept. for an IP address (and received an IP) for one of the ports in my office and started working. The next day the "local" IT dept. (such as it is) for the "data center" told me I had to disconnect from the port as my computer was a "risk" to their data center. First they said that because my computer was connected to the same subnet as the data center, this computer, if hacked, would pose a threat to their computers. They consider my computer to be a "server" because I was using ssh to connect remotely to it. When I said I would eliminate ssh, they then said that they don't support Linux systems and won't allow it to be connected. If they don't control the computer (by installing Windows XP), then the computer is a threat to their system because it is on the same subnet. (The university gives out IP addresses and actually owns the network. Various departments and groups rent ports.)



Any system, if hacked, poses a threat to the data center. ssh is recommended over, say, telnet when accessing a system, so that reasoning does not make sense.



Is there any truth to what the IT people are saying or are they simply insane (or control freaks or both)?




Sounds like whoever is telling you this is either parroting "official policy" or does not understand how to set up a network.



In the next couple of days I will be speaking with the department head (the data center is a small part of the department and my grant is totally independent of the data center). If I can't get her to see reason and force the data center to act reasonably, I think I have the following options for connecting my FC3 computer to the Internet:

1) get a separate project office outside of the data center (inconvenient to have two offices blocks or farther apart),

2) get a DSL data line installed (about $130/month for 512K - kind of expensive),

3) use Verizon Wireless Broadband (very fast [512K], $80/month - not cheap but I could take the PC 5220 card out and use in the evenings and weekends),

4) take the computer and 20 in. LCD monitor home, connect it to the DSL line, and do the work at home.

What would you recommend? If I'm going to complete this project on time, I can't have any more time wasted. So I need to get this resolved.



The quickest solution is to take the system home and work from there.

The IT department should, if they are so concerned about security, set up
a LAN that is firewalled off from the data center where they can connect
users' systems. On that LAN they would need to provide some minimal set
of services which could be handled by one server and a firewall. The
server would provide DHCP, NTP, DNS, and other basic network services.
The firewall would provide the connection out to the Internet and
separate their data center from "suspect" systems.


I would only consider wireless if you can make sure you use ssh or VPN
type connections.  WEP is not secure enough IMHO.

In your place I would make friends with upper management in the IT
department and get the low down on their internal processes, possibly
offering to buy a firewall that would be used to set up a secured LAN for
your use or something along those lines.  Just make sure you run
iptables and only install services exposed to the network that you
really need and use.  Possibly explaining the security you are using on the
system to your new friend in IT would help as well.

As I said, in the short term working from home is going to be the
quickest solution.  Working through the bureaucracy can take a lot of
time until you make friends with the right person.  And yelling and
screaming will not get you anywhere.  It may actually make them even
less willing to work with you.



Here are some additional details. The local IT for the data center has no central firewall. Each computer is on its own and has to run a firewall. (The data center could use a firewall but it would have to be maintained by the university - and the data center doesn't want to have to deal with the university running a firewall for them.) Also, all the printers are available to anyone who knows their IP address - they don't sit behind any firewall. (This is SOOOO different from my previous position in the corporate world where all the computers and printers were behind a firewall.)

The data center would go ballistic if I used a router to set up a local LAN with a firewall. (The university frowns on connecting routers and hubs to the network. It wants one computer for each port/IP address. I think this is somewhat silly but what can I do?)

So far, all the yelling and screaming is from the data center directed at me. (I don't work for the data center - my appointment is in the department. I just happen to have an office located in what is called the data center.)

The home solution has its merits. But what is wrong with Verizon Wireless Broadband? This is an always-on cellular connection - not a wireless ethernet type connection. I'm not sure though whether I would be able to ssh into the computer, although my biggest concern is connecting to the Internet from the computer. I do know that the business DSL line, while expensive, would allow me to deliver web pages and use ssh etc.

Unfortunately, the data center IT dept. consists only of a couple of individuals who seem intent on preventing me from doing my work. They were very irritated that I bought computer equipment without consulting them and that I contacted the university IT people. (The university IT have no concerns about me connecting my computer. I had no problem getting an IP address from them and they will sell me a port if I want one.) Why they care is beyond me since I'm not funding them through my grant so any "help" they would give would be at their expense.

Thanks for your thoughts.

Rick B.
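Scot's advice above ("run iptables and only install services exposed to the network that you really need") is the one concrete control Rick can put on the box regardless of what the data center decides. As an added example, not from either poster, here is a host firewall for a single-homed machine whose only network-facing service is sshd. The ruleset is emitted in iptables-restore format, which is the same format FC3 keeps in /etc/sysconfig/iptables, so it can be reviewed as text and handed to the IT people before it is loaded. The admin subnet (ADMIN_NET, here an RFC 5737 documentation range) and the ssh port are placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Added example: default-deny host firewall for a research box that only
# needs to expose sshd. Not code from the original thread.
#
# Assumed placeholders (hypothetical, set them from the environment):
#   ADMIN_NET  subnet the owner will ssh in from
#   SSH_PORT   port sshd listens on
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # RFC 5737 documentation range, placeholder
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset on stdout in iptables-restore format. INPUT and FORWARD
# default to DROP, so any service installed later stays unreachable from the
# network until a rule is deliberately added for it.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services (X, R worker sockets, cups) talk over lo
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (yum, CRAN mirrors, DNS, NTP)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enough ICMP for ping and path MTU discovery to keep working
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# ssh only from the admin subnet; the recent-module pair drops a source
# that opens a 5th new connection within 60 s (blunts password guessing)
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m state --state NEW -j ACCEPT
# rate-limited log of everything else, so the owner has evidence of what
# is actually probing the box when talking to IT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check: number of rules that open a listening port to the network.
# For this box it must be exactly one (sshd).
count_exposed_ports() {
    gen_rules | grep -c -- '--dport .* -j ACCEPT'
}

# Load the rules atomically (iptables-restore swaps the whole table, so a
# half-applied ruleset cannot happen) and persist them where FC3's
# iptables init script reads them. Needs root; not run by default.
apply_rules() {
    gen_rules | iptables-restore && gen_rules > /etc/sysconfig/iptables
}

# The other half of "only expose what you need": any listener shown here
# without a matching ACCEPT rule above is reachable from localhost only.
list_listeners() {
    netstat -tlnp 2>/dev/null || ss -tlnp
}

case "${1:-show}" in
    show)  gen_rules ;;
    check) echo "rules opening a port to the network: $(count_exposed_ports)"; list_listeners ;;
    apply) apply_rules ;;
esac
```

Run it with `show` to review the rules, `check` to compare the exposed ports against what is actually listening, and `apply` as root once the placeholders are right. The order of the three ssh rules matters: the `--set` rule records the source first, the `--update`/`--hitcount` rule drops it once the count is reached, and only then does the plain ACCEPT run.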

