
Re: [school-discuss] What should school firewalls keep in/out?



Block a minimum of ports.  Scan your network and document what services 
are being used for a starting point. If you are not offering a specified 
network service then blocking the port to it does nothing but add 
latency.  The upside of offering only http is that students and faculty 
may get a very good education in current proxy and tunneling technology.

THE WORTHLESS FILTER:
If you have no LDAP servers and block LDAP at a firewall you have 
accomplished nothing and added extra latency via another filter rule to 
be traversed for every packet entering your network.

NETWORK GAMES:
Network games and P2P filesharing beg for QoS traffic shaping where you 
can give HTTP/FTP a higher priority and/or a chunk of guaranteed bandwidth.

WHAT REALLY NEEDS PROTECTION?
At our college, (I know not k-12), we filter access to specific servers. 
We only allow access to certain servers:services from certain trusted 
networks, further protections exist for these services on the server 
itself.  We also have some internal private networks which do not route 
to the internet for servers with things like academic records, payroll, 
etc.

NETWORK NAZIS:
Arbitrarily blocking ports for "someone else's protection" is a bad move. 
One needs concrete reasons why nobody should be allowed access to a 
network service before trying to turn it off.  I interpret this practice 
as an affront to the general educational mission of a school, college, 
university, or society.

BRAVE NEW WORLD:
Welcome to the year 2002.  I can picture several scenarios being valid 
at the k-12 level now.  Students need to ssh into a class server to do 
homework, or update their school web homepages.  An Internet game server 
is set up for a club fundraising event. A teacher needs to access files 
from their workstation or a school fileserver that they forgot to bring 
home. A teacher in their office or the school library needs to access a 
web server at a college or university running on a nonstandard port, for 
participation in a distance learning continuing education class.  A 
school club wants Internet chat capabilities. The list will only grow.

WHY HAVE THE INTERNET?
Try to block a minimum of services, based on some real groundwork of 
what filters are really necessary.  After all, network services are the 
reasons for having the network and access to the Internet in the first 
place.

Good luck,

- cameron


David Bucknell wrote:

> As someone who lives behind a school's firewall that blocks all but http, I have
> to wonder just what is necessary. I'd like to ask folks on this list for their
> considered opinions on this. 
> 
> My own view of the situation is that a school needs to keep its network open to
> work traffic and not-so-open to those who just "play." By the latter I mean
> those who actually play network games at times when others are trying to use the
> network to send/receive work/school-related stuff. Schools also have to worry
> about burglars (my name for what "bad" hackers do as opposed to those who just
> hack), and, for their own protection against angry mobs, pornography.
> 
> I'd prefer, for now, to leave mail and porno out of this. They are unavoidable
> issues and will present themselves for discussion often from now on, I'm sure.
> But I am concerned about how a network administrator should draw the line
> between work and play.
> 
> My own bottom line is, as I've said before, a version of the Hippocratic oath,
> "No gatekeeping." That is, in learning institutions, those with technical
> knowledge and access should not prevent others from getting from what they have.
> A more positive version of this is, "enable learning." That's what I think
> educational technology is really all about. So, it should go without saying
> that gatekeeping would not qualify as enabling learning. But, it seems to
> me that that is exactly what network admins end up doing, all in the name of
> "for your protection." 
> 
> What services should be enabled, and which disabled and why?
> 
> David
> 



-- 
- cameron miller
- UNIX Systems Administrator
- Pipeline Fool
- (719)587-7685
- cdmiller@adams.edu
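As an added illustration of the advice above (scan and document what is actually offered, block a minimum of ports, and allow specific servers:services only from trusted networks), here is a small Python script. It is not part of cameron's post or of the list thread. The service inventory, trusted networks and proposed block list are constructed sample data using private and documentation address ranges; the audit flags "worthless filter" rules that block ports nobody serves, and the iptables rendering uses only standard iptables options.

```python
"""Audit a proposed port-block list against a documented service inventory,
then build a default-deny inbound policy that allows only documented
server:service pairs from trusted networks.

Added example, not code from the original mailing-list post. All hosts,
networks and ports below are constructed sample data, not a real campus.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: what a scan of the network found listening.
# Each entry is (host, port, protocol).
INVENTORY = [
    ("10.1.0.10", 80, "tcp"),    # campus web server
    ("10.1.0.10", 443, "tcp"),
    ("10.1.0.20", 22, "tcp"),    # class server students ssh into for homework
    ("10.1.0.30", 25, "tcp"),    # mail relay
]

# Constructed: which source networks may reach which server:service pair.
# Anything not listed here is dropped by the final catch-all rule.
TRUSTED = {
    ("10.1.0.10", 80, "tcp"): ["0.0.0.0/0"],                   # public web
    ("10.1.0.10", 443, "tcp"): ["0.0.0.0/0"],
    ("10.1.0.20", 22, "tcp"): ["10.1.0.0/16", "192.0.2.0/24"],  # campus + partner lab
    ("10.1.0.30", 25, "tcp"): ["10.1.0.0/16"],                  # internal clients only
}

# Constructed: blanket port blocks someone proposed adding "for protection".
PROPOSED_BLOCKS = [389, 25, 6667, 22]   # LDAP, SMTP, IRC, SSH


def offered_ports(inventory):
    """The (port, proto) pairs at least one host actually serves."""
    return {(port, proto) for _, port, proto in inventory}


def audit_blocks(proposed, inventory, proto="tcp"):
    """Classify each proposed block. A block on a port nobody offers is the
    'worthless filter': it protects nothing and costs a rule match on every
    inbound packet. A block on an offered port disables a real service and
    needs a concrete reason."""
    offered = offered_ports(inventory)
    return {port: ("affects_service" if (port, proto) in offered else "worthless")
            for port in proposed}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    dst: str      # destination host address ("any" for the catch-all)
    port: int
    proto: str


def build_policy(inventory, trusted):
    """One allow rule per (trusted network, server, service), then a single
    catch-all deny so anything undocumented is dropped."""
    rules = []
    for host, port, proto in inventory:
        for net in trusted.get((host, port, proto), []):
            ip_network(net)   # raise early on a malformed CIDR
            rules.append(Rule("allow", net, host, port, proto))
    rules.append(Rule("deny", "0.0.0.0/0", "any", 0, "any"))
    return rules


def is_allowed(rules, src_ip, dst_ip, port, proto):
    """First-match evaluation, the way a packet filter walks a chain. The only
    deny rule is the terminal catch-all, so reaching it means no allow matched."""
    for r in rules:
        if r.action == "deny":
            return False
        if (r.proto == proto and r.port == port
                and ip_address(dst_ip) == ip_address(r.dst)
                and ip_address(src_ip) in ip_network(r.src)):
            return True
    return False


def render_iptables(rules):
    """Render the policy as iptables commands: default-deny chain policy,
    stateful acceptance of return traffic, then the documented allows."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        if r.action == "allow":
            lines.append(f"iptables -A INPUT -p {r.proto} -s {r.src} -d {r.dst} "
                         f"--dport {r.port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    for port, verdict in audit_blocks(PROPOSED_BLOCKS, INVENTORY).items():
        print(f"block {port}/tcp: {verdict}")
    for line in render_iptables(build_policy(INVENTORY, TRUSTED)):
        print(line)
```

Run it and the audit reports the LDAP and IRC blocks as worthless against this inventory (no host serves them), while the SMTP and SSH blocks would cut off the mail relay and the homework server. The rendered rules drop everything inbound by default and open exactly the documented pairs, which is the inverse of "block all but http": the policy is written from what the scan shows is offered, not from a list of ports someone fears.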