As a former network analyst at an .edu site and now working for the state-wide school ISP, I can tell you all the political arguments that arise when you try to control end-user workstations.

1. Departments on Univ campuses are run like individual fiefdoms. They don't like to share anything with a central IT dept, so they hire their own computer support and put up their own servers. All we can do is educate the masses. This fails miserably. That Linux server that Dept X just put up is run by a grad student who will be gone in 2 years, and the dept doesn't know who will run it after that and isn't going to think of that problem until said grad student is gone. And in two years, that machine will be "too important" to get rid of, so it will run without an admin until it is hacked and central IT is called to clean up the mess. OR that server admin also does tech/application support for the 50 faculty, so patches and stuff take a back seat to getting the Dean's email working again. Trust me, I have seen this happen.

2. Students in Residential housing. While you can make the argument that the Univ is responsible for anything plugged into the network, have you ever tried to convince a student that his private, personal machine in his dorm room is a hazard and should be patched, cleaned of viruses, etc.? I have heard anything from "Oh, please help me." to "my dad said the machine is fine so go away." If you get the go away message, you can't do anything but educate. If it is a true hazard (DDOS zombie), then yes, the Univ has the right and ability to "shield" the world from that workstation, which will usually bring the student around.

3. Freedom of information. When trying to figure out a firewall/IDS system for the campus, I kept running into that problem. The central administration is screaming "protect us" and the faculty are screaming "you can't shut out communication".

Example: you decide that NFS is bad and you are going to block it at the border, only to discover that it is being used by the Psychology department to communicate with their research teams at far-flung places. So you educate on the department level and they won't change (see #1). Do you block it anyway? Now you have faculty running to the central administration claiming that the central IT department is hindering research, which hurts the very core of the Univ funding. Which side do you think CA is on now? If you said central IT, you need to come back to a campus...

4. Switching to the ISP side now. My current employer runs the state-wide backbone for K-12, colleges, state government offices, etc. In the 4 months that I have been here, I have learned that it isn't much different than a campus. I have learned that I can do nothing on a client site. All I can do is educate and hope that they listen. Or give them advice on cleaning up the mess after they are defaced/attacked/whatever. I have no power over the end user machines. And when you consider that most school districts can't afford a full time computer person, the problem is compounded. You either have the 3rd grade teacher, who was the only one available that day, as the server admin. Or you have outside consultants, who are sometimes just as clueless (side story: I had one consultant who didn't know what traceroute was!). Do we pull the plug on them?? What about all the kiddies sitting in classrooms with no Internet access because their server admin was clueless? How do you think that looks in the political world?

OK, enough rambling, but I don't see that a public ISP will be any different than this state run ISP. The end users are responsible for their actions. As a state entity, we have a slight advantage in that we can do end user education on a regular basis, but that doesn't seem to make a difference....
Beth Young
MOREnet Security

-----Original Message-----
From: Ron DuFresne [mailto:dufresne@winternet.com]
Sent: Thursday, June 07, 2001 10:29 PM
To: Cessna, Michael
Cc: 'Firewalls@Lists.GNAC.NET'
Subject: RE: This is a must read document. It will freak you out

You ignore all the .edu sites with compromised servers and such, all the corporate machines that are compromised, there are tons of .gov sites that are also insecure, and the middle mgt. corporate laptops that float in and out of the corporate boundaries weekly..

Thanks,

Ron DuFresne

On Thu, 7 Jun 2001, Cessna, Michael wrote:

> just my $0.02
> I think the burden of preventing DDOS attacks needs to be placed on the ISPs
> not on an operating system or OS manufacturer.
> Let's face it most of the PC's on the internet are Windows PC's running with
> little or no security and many of those that have security are so flimsy as
> to be non-existent. How many home pc's have you seen running File and Print
> Sharing for Microsoft Networks! The main group of these users are Home Users
> who have little to no knowledge of what it is that their computer does. As
> far as they know they turn it on and go to a web address. These are the same
> people who think the WWW 'IS' the internet. Trying to control all of these
> machines is an almost impossible task.
> This is not a knock on Windows (I'll leave that argument alone thank you).
> If you gave these users a *NIX box we would be in the same boat, just a
> different ocean.
> Since we cannot reasonably control what is installed on every OS on the
> internet we should aim our concerns on the 'Traffic Aggregators' or ISPs.
> We must accept incoming traffic or else we can't do business on the
> internet, so we cannot constrain what we accept. Yes I know that we can
> block ip's and ports but if you are being hit by a DDOS which spoofs its
> source then you will block a connection from the legitimate source that has
> nothing to do with the DDOS thereby DDOSing yourself.....you get the idea.
> However constraining what packets can come out of our networks should be
> done by the ISP. If you have the 192.168.1.0/24 network then the router at
> your ISP should only pass packets of a 192.168.1.0/24 source.
> Dialup ISPs normally have a bank of DHCP IP addresses that are used for
> their customers, why then do they allow packets of a totally different
> network to originate from inside their network? I don't know the best way to
> have the ISP community accomplish this but it is common sense that if you
> cannot control ingress then control egress.
> In all other forms of commerce the seller is, within reason, responsible for
> misuses of the services they provide. Is it not reasonable to ask that an
> ISP ensures that the packets originating on its network are from a source
> ip on its network?
> Sorry for the rambling but I just don't see this as a technology issue per
> se, I feel that it is a policy issue more than anything. You should know
> what originates within your control and ensure that it does not disable or
> in any way degrade the services of others. And as much as I hate regulation
> if the ISPs aren't doing anything about it maybe there needs to be one.
>
> Just my rambling thoughts,
> -

[To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]
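The egress-filtering idea in the quoted message (the ISP edge only forwards packets whose source address belongs to the prefix assigned to the port they arrived on, so a customer network or a dial-up pool cannot emit spoofed-source DDoS traffic) can be shown as a small simulation. This is an added example and not code from anyone in the thread; the 192.168.1.0/24 prefix comes from the post, while the port names, the 10.20.0.0/22 dial-up pool and the sample packets are constructed here for illustration.

```python
"""Simulated per-port source-address (egress) filter at an ISP edge router.

Constructed example. A real router would take the per-interface prefix
list from its customer configuration; here it is a plain dictionary.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # customer-facing interface the packet arrived on
    src: str           # source IP address as written in the packet
    dst: str           # destination IP address


# Assumed assignments: which source prefixes may legitimately appear on
# each customer-facing port. 192.168.1.0/24 is the prefix from the post;
# the dial-up DHCP pool 10.20.0.0/22 is made up for this example.
PORT_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.168.1.0/24")],
    "dialup-pool": [ipaddress.ip_network("10.20.0.0/22")],
}


def egress_permitted(pkt, port_prefixes=PORT_PREFIXES):
    """True if the packet's source lies in a prefix assigned to its ingress port.

    Unknown ports and unparsable source addresses fail closed (dropped).
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    prefixes = port_prefixes.get(pkt.ingress_port)
    if not prefixes:
        return False
    return any(src in net for net in prefixes)


def filter_egress(packets, port_prefixes=PORT_PREFIXES):
    """Split a batch into packets to forward and (packet, reason) pairs to drop.

    The drop list is the interesting output for an ISP: it names the port
    (and therefore the customer) that is emitting forged-source traffic.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        if egress_permitted(pkt, port_prefixes):
            forwarded.append(pkt)
        else:
            dropped.append((pkt, f"source {pkt.src} is not assigned to port {pkt.ingress_port}"))
    return forwarded, dropped


# Constructed sample traffic. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for "someone else's network".
SAMPLE_PACKETS = [
    Packet("cust-A", "192.168.1.10", "203.0.113.5"),      # legitimate customer traffic
    Packet("cust-A", "203.0.113.77", "203.0.113.5"),      # forged source: the spoofed-DDoS case
    Packet("dialup-pool", "10.20.1.9", "203.0.113.5"),    # legitimate dial-up host
    Packet("dialup-pool", "198.51.100.3", "203.0.113.5"),  # "totally different network" from the pool
    Packet("unknown-port", "192.168.1.10", "203.0.113.5"),  # no assignment known: fail closed
]


def drops_by_port(packets, port_prefixes=PORT_PREFIXES):
    """Count dropped packets per ingress port, the figure an abuse desk would act on."""
    counts = {}
    for pkt, _reason in filter_egress(packets, port_prefixes)[1]:
        counts[pkt.ingress_port] = counts.get(pkt.ingress_port, 0) + 1
    return counts


if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for pkt, reason in drop:
        print(f"  DROP {pkt.ingress_port}: {reason}")
    print("drops by port:", drops_by_port(SAMPLE_PACKETS))
```

The filter is deliberately asymmetric, matching the message's point: it says nothing about what is accepted inbound (where blocking spoofed sources would hurt legitimate peers), and only checks that what leaves each port carries a source the port was assigned. The per-port drop counts are what turn the policy into something actionable, since they point the ISP at the specific customer link that needs attention.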