On Wed, 2005-03-09 at 18:42, Les Mikesell wrote:
> On Wed, 2005-03-09 at 14:38, Scot L. Harris wrote:
> > >
> > > > The same basic security principles
> > > > should be applied in a University setting as are applied in the business
> > > > world.
> > >
> > > Perhaps for their internal business operations, but for general access
> > > not many of the same assumptions apply - certainly not the one that
> > > says all the good guys are inside the firewall and all the bad guys
> > > are outside.
> >
> > I never made that assumption. That is precisely the reason to have
> > segregated networks internally; most threats in the real world come from
> > inside.
>
> How does segregating networks help in an environment where people
> often are not physically near the machines they need to use? A
> business might provide VPN service with crypto devices for each
> employee and have the IT staff to maintain the needed authorization
> and access control. A university probably can't, except perhaps
> for its internal business operations.
>

By separating systems onto different LANs you create choke points where you can control who and what protocols are allowed through. In many cases you can segregate systems which require no outside connection, making those very secure. Access to systems can be limited by protocol (ssh) or by address; for instance, if a researcher needed access from their workstation to a server that resided on a protected LAN, the firewall can be configured to only let that researcher's workstation get through the firewall using ssh. As you indicate, additional levels of security can be layered on, such as using certificates for authentication or SecurID-type devices. If the research being performed is worth money (and apparently some of it is worth LOTS of money), such measures are worth it to make sure some freshman does not destroy months' worth of research, costing someone hundreds of thousands of dollars.

Of course there are always trade-offs of security vs. cost vs. convenience. If the university (or any business) does not value the data on their network and the money it brings in, they will lose at some point when their systems are compromised. It could be costly, embarrassing, or both. I personally would not work for a place that remained lax in dealing with security on their networks. They are asking for problems.

I suspect that the situation is not that bad, at least I hope not. If it is, then I suspect this particular university will be identified and the hackers will have started scanning for unsecured systems sometime later tonight.

-- 
Scot L. Harris
webid@xxxxxxxxxx

Neil Armstrong tripped.
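The choke-point firewall described in the reply above, written out as an added example that is not part of the thread and not anything Scot or Les posted. It assumes a Linux box running iptables with the campus network on eth0 and the protected research LAN on eth1; the interface names, the workstation, server and admin addresses (RFC 5737 / RFC 1918 ranges) and the script name `chokepoint.sh` are all constructed placeholders. The FORWARD chain's policy is DROP, so the only way into the protected LAN is the single rule that admits new ssh connections from one named workstation to one named server; everything else is logged and then dropped by policy.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a choke-point ruleset for a
# Linux/iptables firewall between the campus network (eth0) and a protected
# research LAN (eth1). Interface names and all addresses are constructed.

# emit_ruleset WORKSTATION SERVER [ADMIN_HOST]
# Prints an iptables-restore ruleset that forwards nothing into the protected
# LAN except ssh from one named workstation to one named server.
emit_ruleset() {
    ws="$1"                     # researcher's workstation, campus side
    srv="$2"                    # research server on the protected LAN
    adm="${3:-203.0.113.2}"     # host allowed to ssh to the firewall itself
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# return traffic for connections the rules below already admitted
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the single hole: this workstation may open ssh sessions to this server
-A FORWARD -i eth0 -o eth1 -s ${ws}/32 -d ${srv}/32 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# anything else headed into the protected LAN is logged (rate-limited) and
# then falls through to the chain's DROP policy
-A FORWARD -i eth0 -o eth1 -m limit --limit 10/min -j LOG --log-prefix "PROTLAN-DENY: "
# the firewall host itself: loopback, return traffic, ssh from the admin host
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${adm}/32 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage:  sh chokepoint.sh 203.0.113.10 10.10.0.5           # review the ruleset
#         sh chokepoint.sh 203.0.113.10 10.10.0.5 --apply   # load it (as root)
if [ "$#" -ge 2 ]; then
    if [ "$3" = "--apply" ]; then
        emit_ruleset "$1" "$2" | iptables-restore
    else
        emit_ruleset "$1" "$2"
    fi
fi
```

Reviewing the generated text before loading it is the point of separating `emit_ruleset` from `--apply`: with a default-deny FORWARD chain, a typo in the workstation or server address locks the researcher out rather than opening anything extra, and the LOG rule shows exactly which source addresses are being refused at the choke point.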