Louis, et al:
>Prior to October of last year, I used to be in the group that ran the
>campus network at a large University.
>
>It is just not obvious to me that a firewall is so obviously a requirement
>in a University environment. We didn't have firewalls. And yes, we
>did have security problems from time to time.
The University is traditionally made up of two branches in the computing
realm. The academic computing is certainly a commodity whose use is
encouraged. This is in line with the educational role of the University.
However, as we move to client/server computing on the administrative side
of the house, we are linking computers together over the same
communications lines (fibre, copper, etc on ethernet, token ring, etc)
using the same communications protocol (TCP/IP is becoming the de facto
standard). In this environment, we only want authorized users accessing
the administrative applications (we hardly protect academic integrity if
students can alter their grades and grant themselves degrees). In this
case, we do want firewalls between the universe of users and the
applications. In fact, what we want is two nets...an open net and a
protected net running on the same infrastructure. The firewall is the
classical answer to this need.
So the firewall is an essential part of the campus network, contrary to
your thoughts.
>> >I'm from a small liberal arts college and I am trying to fight a political
>> >battle with a few faculty to implement a firewall at our site. The
>> >computer science faculty at our college believe that security is only a
>> >hindrance and that a firewall will hamper their "academic freedom".
>
>Well, the "academic freedom" thing does have something to say for it.
>While you may perceive it as being thrown in your face as an
>unassailable argument, it does have its merits, too. When your
>Computer Science Department does research on computer networks, it is
>very likely that a firewall will be a real problem. Firewalls also
>tend to stifle the deployment of new and interesting network
>applications, and Universities are where a lot of this stuff happens.
And when your CS faculty are working on grants and contracts, they may see
the advantage of blocking the outside world (and even the inside world of
student "researchers" or other faculty) away from their work.
Not all work done is public domain freeware :)
>Finally, it seems to me that a firewall is most useful when you can
>draw a line between the "good guys" that are "inside" and the "bad
>guys" that are somewhere "outside".
It makes more sense to frame the question in terms of those with a need to
know and those with no need to know. Just because I can do or see
something, it doesn't mean I should.
> Well, when you have tens of
>thousands of undergrad students, public workstations labs, network
>connections in dorm rooms, just where do you put the firewall?
At the access point to the computing resource... it's like a lock and
key... with the right key (ie IP address) you can get in, and without it
access is more difficult (though not absolute).
> Who are
>you protecting from whom? There are probably some sites that might
>argue that the firewall should be protecting the Internet from the
>University. While it's true that the threats are probably different,
>it is hard to imagine not putting some non-trivial effort into
>securing individual systems on the network.
On the contrary, it makes perfectly good sense.
We find staff routinely thinks of things on the desktop computers as
secure, while there is absolutely no security of the data on the computer,
no power on protection (locks, passwords, etc.), and sometimes the offices
are even unlocked. This is a perception problem. With the use of
networks increasing rapidly, the domain of information available is
increasing rapidly, yet the most fundamental "personal" computer data is
public information.
Security, such as access control, is being ignored in the fundamental
computing base.
Well, enough plugging of firewalls, and access security is probably
another list.
----------------------------------------------------------------------
Internet: mshines @ ia . purdue . edu | Michael S. Hines
Bitnet: michaelh @ purccvm            | Sr. Information Systems Auditor
Purdue WIZARD Mail: MSHINES           | Purdue University
GTE Net Voice: (317) 494-5845         | 1065 Freehafer Hall
GTE Net FAX: (317) 496-1814           | West Lafayette, IN 47907-1065
CompuServe: 73240,1631                |
America On-Line: mysterios            |