On Wed, 2005-03-09 at 10:27, Alexander Boström wrote:
>
> In my experience unprotected printers aren't really a problem. They
> could be used for SPAM, but I doubt selling v1ª9R4 that way would work,
> and the printer would soon be moved to a private network anyway so it
> wouldn't last. And as a prank, how fun and "leet" is it to waste a
> couple of hundred papers on some printer you don't even know where it
> is?
>
> Anyway, we're a university with 14000 students and a few thousand
> employees, and our network is very open. We try to put the printers on
> private networks, and some equipment like switches are too, but not any
> of the servers or workstations. I've never seen a NAT router anywhere,
> although I suppose there could be one somewhere. There are some blocked
> ports, but not many. We do use the software firewalls in each computer,
> though. Especially on Windows.
>
> And no, it's not like the wild west. There are a few islands of horror
> that are being taken care of, but overall it's fine. It's not about
> firewalls, it's about knowing what you're doing.
>

Sounds like a recipe for disaster. IMHO any network admin that does not segregate their network into LANs used for specific purposes and apply firewalls between those LANs as well as out to the Internet is simply contributing to the overall problem. The same basic security principles should be applied in a University setting as are applied in the business world. A company is just asking for problems putting their financial servers on the same network as a host of workstations or drop-in cubes. And having a layered set of security measures is much better than relying on just the firewall on the server.

From the sounds of it you don't even have a single choke point that you could monitor traffic on, let alone block some of the virus traffic that is generated on a regular basis. I guess it makes sense that things have gotten so bad out there if these same principles are applied in the real world. University networks must be havens for spammers with policies like this.

> Yep, we've even got IPv6 up and running in a lot of the networks.
>
> > I can understand that. I was recommending that you buy them a firewall
> > for them to administer and run on your behalf. But from other things
> > you have described they would not know what to do with such a device.
>
> They'd want to buy it themselves then, so they can get what they're used
> to. They don't want to deal with a lot of different types of routers,
> firewalls and switches. It's too much work.

Of course you would buy a firewall of the type they are used to using. But from the description it sounds like they don't know how to spell firewall, let alone set one up.

-- 
Scot L. Harris
webid@xxxxxxxxxx

You'll feel much better once you've given up hope.