From: by way of Micronet mailing list administrator (tom@LS.Berkeley.EDU)
Date: Fri Nov 08 2002 - 12:22:30 PST
On Thu, Nov 07, 2002 at 12:42:34PM -0800, Jennifer Gwirtz wrote:
> Hello everyone,
>
> My apologies for any redundancy with past e-mails.
>
> This is a request for advice about firewall protection for a small
> department and its even smaller computer lab.
>
> We are a very small department with a tiny graduate student computer
> lab that has 3 iMacs, 2 PCs, and possibly hundreds of users. Many
> graduate students insist on using services like Hotmail, which has
> recently brought all kinds of bad things into the network.
>
> We are running Norton AV and keep it and system software updated
> regularly. Nevertheless, certain people use the lab carelessly, no
> matter what sort of rules I make. (I'm sure many of you who manage
> labs experience something similar.)
>
> The only option I can see next would be to purchase a firewall for
> the department to keep us notified of activity and to deny access to
> mischief. Does this sound like the right thing to do?
>
> Does anyone have any suggestions as to what we can do? Because we
> don't run our own server, I manage the computers individually. I am
> the only person who does this. Anything that's too labor-intensive
> won't work. Unless it includes human cloning software. (Just joking.)
>
> I'm pretty happy with my home version of Norton's firewall. Can we
> use something like that in our campus offices and lab? Are there any
> limitations on this sort of thing? I've heard rumors of a campus
> firewall effort that's been going on. Does anyone know anything about
> this?
As Eric Chamberlain noted, firewall software really doesn't deal with this
problem. At best it could track the sites people are going to, and maybe
keep trojans running on your lab machines from doing what they're designed
to do (participate in DDOS attacks, or trade copyrighted
software/movies/music). Firewalls are not very good at stopping your users
from doing bad things; they're OK at keeping people outside from doing bad
things to your machines. It might be worth installing personal firewalls on
your machines; they shouldn't be too hard to manage with only 5 machines.
But they won't solve your problem.
Public labs need two things; access control, and configuration control. The
simplest need for access control is that you don't want unauthorized people
to use your machines. In some situations, this portion of the need can be
adequately addressed by non-technical means (like locking the room). In
others, you will want to set up a password/login system; you probably have
at least a rudimentary one on your PC's, but probably not on your Macs.
One simple step you could take is to require logins on all your machines;
this can be handled through the Multiple Users system on MacOS 9, and
through the standard Windows password requirement on business versions
of Windows.
But, that doesn't solve your problem either, unless the problem is being
caused by unauthorized users. The more common issue is unauthorized
activity by authorized users. This is where configuration control comes
into play. A default MacOS 9 installation places very few restrictions on
what a user can do. (Windows is not much better). Because users have
the ability to change configurations, install software, and basically
get into trouble, they do.
Both MacOS 9 with Multiple Users enabled, and Windows NT/2000/XP, have ways
to restrict users to only be able to write files to specified directories.
(They work with varying degrees of success). If you want to protect the
machines, you'll have to enable user logins, set restrictions on the users,
and manage the resulting configuration. Probably that would require running
some sort of file server for user home directories, locking down the
clients, and maintaining a database of users and passwords. It will
still be possible for users to get in trouble--if they have physical
access to the machine you can't ever really stop them--but you could
control them a lot more closely.
Another way to manage configuration control is to wipe the disks
periodically and restore them to a known good state. There are various
products on either platform which could do this for you (RevRdist on the
Mac and Ghost on Windows are two examples), but again, they probably are
going to be hard to manage without a server.
LSCR could help you with a lab like this on a contract basis, though I know
it's hard coming up with any kind of money these days.
-- Tom Holub (tom_holub@LS.Berkeley.EDU, 510-642-9069) College of Letters & Science 249 Campbell Hall------------------------------------------------------------------------ The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.
This archive was generated by hypermail 2b29 : Fri Nov 08 2002 - 12:27:21 PST