From: Kevin Wilcox
To: Anton Shterenlikht
Cc: freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Date: Thu, 10 Dec 2009 15:11:31 -0500
Subject: Re: Root exploit for FreeBSD
Message-ID: <5d6848b00912101211m20c20995x212ac7e5093df42c@mail.gmail.com>
In-Reply-To: <20091210162150.GA1135@mech-cluster241.men.bris.ac.uk>
References: <20091210144141.GB834@mech-cluster241.men.bris.ac.uk> <20091210095122.a164bf95.wmoran@potentialtech.com> <20091210162150.GA1135@mech-cluster241.men.bris.ac.uk>
List-Id: freebsd-questions@freebsd.org (User questions)

2009/12/10 Anton Shterenlikht:
> I was just stressed after being forced by him
> to explain why I wanted firewall exceptions
> for two ports to my FreeBSD portscluster nodes.
> I explained the reasons and that was settled.

Anton, I don't know about the UK, Great Britain or England, but in US Universities, this is fairly common. It just serves as a sanity check for the many, many requests central IT tends to get regarding allowing ingress traffic for faculty/staff machines, and it gives the firewall guys documentation that such-and-such machine should be receiving inbound traffic on specific ports.

> The Uni is, of course,
> addicted to Microsoft, but having realised all
> the problems with that, lately the policy has
> been to deny (!) MS users admin access to their
> own desktops. The situation is just ridiculous -
> if a MS user wants to install a piece of software
> on their PC he/she has to ask for permission,
> and then wait until some computer officer would
> come and do the install for them.

Again, I don't know about the UK, Great Britain or England, but in the US this is also quite common, at least with regards to University owned hardware. The first responsibility is to protect the network and existing services. Sadly, many groups fail to provide the next step, that being a relatively quick, easy way to have approved software installed for users, and a method for having non-approved software scrutinised and either approved or rejected.

> Also recently, well.. about a year ago, no
> host (!) could be accessed from outside the
> Uni firewall. Special exception has to be
> obtained even for ssh. There is only one dedicated
> sun server which accepts only ssh.
> The users
> are supposed to dial to this frontend server
> first, and from there to hosts on the local net.

Again, quite common. Most Universities here do not provide public-facing IP addresses without some sort of application and approval process. For example, we have a handful of machines that are public facing but most of our hardware sits inside site-only networks. To access those machines you either have to be on-campus or you have to connect via VPN (and yes, we support Windows, Mac, Linux, Solaris, *BSD). Having an SSH proxy isn't an entirely bad idea, though I can see where performance may be hindered.

> I had to fight a long battle, well.. I had
> some support from other academics, to have
> a linux class in my Faculty. Here the
> opposition wasn't so much security, as
> "why would any undergraduate need linux",
> as if MS solutions are a pinnacle of human thought.

That's a pretty fair question and one that I hope you would have asked yourself before you made the push for the class.

> And from what I understand it's going to get worse.
> Apparently the IT services are drawing up
> plans to completely forbid use of "non-authorized"
> OS. I imagine fbsd will not be authorized.
> So I'm anticipating another battle already.

Does this extend to computers used for academic research, student owned computers being used on campus, etc?

Perhaps it's because we're conditioned to think this way but a lot of us at universities in the US see a lot of this as being commonplace and to *not* do them is generally considered bad security practice.

kmw

-- 
Beware the leader who bangs the drums of war in order to whip the citizenry into a patriotic fervor, for patriotism is indeed a double-edged sword. It both emboldens the blood, just as it narrows the mind. And when the drums of war have reached a fever pitch and the blood boils with hate and the mind has closed, the leader will have no need in seizing the rights of the citizenry. Rather, the citizenry, infused with fear and blinded by patriotism, will offer up all of their rights unto the leader and gladly so - Unattributed, post 9/11