Re: FC3 Security


 



Scot L. Harris wrote:

On Wed, 2005-03-09 at 10:27, Alexander Boström wrote:



In my experience unprotected printers aren't really a problem. They
could be used for SPAM, but I doubt selling v1ª9R4 that way would work,
and the printer would soon be moved to a private network anyway so it
wouldn't last. And as a prank, how fun and "leet" is it to waste a
couple of hundred papers on some printer you don't even know where it
is?

Anyway, we're a university with 14000 students and a few thousand
employees, and our network is very open. We try to put the printers on
private networks, and some equipment like switches are too, but not any
of the servers or workstations. I've never seen a NAT router anywhere,
although I suppose there could be one somewhere. There are some blocked
ports, but not many. We do use the software firewalls in each computer,
though. Especially on Windows.

And no, it's not like the wild west. There are a few islands of horror
that are being taken care of, but overall it's fine. It's not about
firewalls, it's about knowing what you're doing.




Sounds like a recipe for disaster. IMHO any network admin that does not
segregate their network into LANs used for specific purposes and apply
firewalls between those LANs as well as out to the Internet are simply
contributing to the overall problem. The same basic security principles
should be applied in a University setting as are applied in the business
world. A company is just asking for problems putting their financial
servers on the same network as a host of workstations or drop in cubes. And having a layered set of security measures is much better than relying
on just the firewall on the server. From the sounds of it you don't
even have a single choke point that you could monitor traffic on let
alone block some of the virus traffic that is generated on a regular
basis.


I guess it makes sense that things have gotten so bad out there if these
same principles are applied in the real world.

University networks must be havens for spammers with policies like this.



Yep, we've even got IPv6 up and running in a lot of the networks.



I can understand that. I was recommending that you buy them a firewall
for them to administer and run on your behalf. But from other things
you have described they would not know what to do with such a device.


They'd want to buy it themselves then, so they can get what they're used
to. They don't want to deal with a lot of different types of routers,
firewalls and switches. It's too much work.



Of course you would buy a firewall of the type they are used to using. But from the description it sounds like they don't know how to spell
firewall let alone set one up.





Only the university IT can set up and manage a firewall. Even though having a firewall is the sane thing to do, the data center won't do this because that would cede some more control to the university IT people.


Each printer is completely accessible to anyone in the world. The only reason the printers aren't jammed with print requests is that no one seems to know they are available. You would need to know the IP address. I print to these printers from home without any problem. (Of course, sometimes I print to them by accident too if I forget to check what the default printer is.) The printers are password protected and you can access them by ftp or telnet. I would not let my home printers open like this.

Rick B.

