I'm wondering if there are any firewall (or network) admins for Universities or Colleges out there.
I find the approach to network security borders on schizoid. Depending upon the momentary mood it is OPEN EVERYTHING, shutdown everything, do whatever, change nothing. I'm wondering if this is a lax academic thing or isolated to this mgmt team. It seems to be the historical norm from people talking here.
I'm curious how others structure things to sort out dormitory/ISP service, public common areas, classrooms, faculty and administration levels of access.
Too much is done via ACL on routers here from my perspective. Also this staff is seriously undermanned.
The most common problem is academic freedom -- users claim they must be allowed *everything* in the name of academic freedom, blocking anything (peer to peer, adware, port, viruses) infringes on this freedom.
Firewall teams often can't get blocking of much of anything approved.
Many places follow the "survival of the fittest" paradigm. Users are on their own, some departments deploy their own security measures at their own boundaries, and around their own servers.
Well the Colleges named in the RIAA lawsuits miraculously found legal justification for growing a spine. :-)
However, having that approach is fine, that means you are an ISP. Which means you structure your services as an ISP not a business. Especially since they do residences and open public areas. Setting up these things the same way you do a private business is insane in my mind.
I advocate firewalling internally from such "wild" segments. If I'm responsible for a business' security and segments are out of IT's control I've pushed to treat them as third party vendors. Management laughs it off at first until they are attacked by the sloppy to disastrous implementations of those wild groups. Then they realize my suggestion would have limited the damage.
I'm currently jockeying to use a firewall to implement the residences as a DMZ separate from administration with a dedicated firewall to the Internet. Campus wide attacks from residence PCs are daily events.
I would take the view that administration is a business, in particular one that manages personal information, while residences require ISP services. On that basis each would have a dedicated Internet connection, and there would be _no_ internal interconnections.
In practice that probably won't fly - but it's your ideal architecture, so you assess risk and apply controls every time you are forced to deviate.
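The segmentation proposed above (dormitory/public/classroom segments treated as an ISP's untrusted customers, administration and faculty as the business, and no internal interconnection between the two classes) can be written down as a policy and used to audit the ad hoc router ACLs that the thread complains about. This is an added example, not code from anyone in the thread; the zone names, the `Flow` type, `allowed`, `audit_acl` and the sample ACL entries are all my own constructions.

```python
from dataclasses import dataclass

# Zone classes from the discussion: "isp" zones are wild segments handled
# like third-party networks; "business" zones hold the institution's own
# systems (personal data lives in admin). Names are assumed, not from the thread.
ZONE_CLASS = {
    "residence": "isp",
    "public": "isp",
    "classroom": "isp",
    "faculty": "business",
    "admin": "business",
    "internet": "external",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def allowed(flow: Flow) -> bool:
    """Default-deny policy encoding the proposal:
    - every campus zone may reach the internet (each class via its own link);
    - isp-class zones never reach business zones, and vice versa
      (no internal interconnection, so a residence PC cannot scan admin);
    - business zones may talk to each other;
    - nothing inbound from the internet is permitted by default."""
    s, d = ZONE_CLASS[flow.src], ZONE_CLASS[flow.dst]
    if d == "external":
        return s != "external"
    if s == "business":
        return d == "business"
    return False  # isp -> anything internal, or internet -> anything

def audit_acl(entries):
    """Return the permit entries that contradict the policy.
    Entries are constructed (src_zone, dst_zone, dport, action) tuples,
    standing in for ACL lines lifted off the campus routers."""
    return [e for e in entries
            if e[3] == "permit" and not allowed(Flow(e[0], e[1], e[2]))]

# Constructed sample ACL; two of these lines are the kind of hole the
# "OPEN EVERYTHING" mood leaves behind.
SAMPLE_ACL = [
    ("residence", "internet", 443, "permit"),
    ("residence", "admin", 445, "permit"),
    ("admin", "faculty", 389, "permit"),
    ("internet", "admin", 3389, "permit"),
    ("classroom", "admin", 80, "deny"),
]
```

Running `audit_acl(SAMPLE_ACL)` flags the residence-to-admin and internet-to-admin permits, which is exactly the list to take into the next "why do we need a dedicated firewall" argument.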
Well lawsuits and visits from the police to IT will slowly change that. They have both happened since computer-based crimes are being committed on campus, some using college systems and access.
The funny part is it is much easier to act as an ISP than to attempt control over them and protect yourself from 10,000 somewhat-privileged desktops inside your network. Hell, we protect ourselves from the 4 billion internet addresses every day. 99.99% of all scans and attacks that hit our desktops and servers are INSIDE the firewall. The internet doesn't pose anywhere near the danger the internal community does.
Tracking down these units and policing them is time consuming and the network staff here is pathetically sized. Honestly, mgmt must be on crack to think they could run this network with so few bodies.
Well that has happened repeatedly and the response was bring in the consultants. Three years and several million later things have degraded again and I'm trying to rebuild basic standards back into the system.
I am curious as to what staffing levels other univ have. I mean, do academics always short-staff this ridiculously? I've spoken up repeatedly but it falls on deaf ears.
If anyone would like to compare notes, I'd be interested in the staffing levels for networking group (outside of running cables, that's generally telecom's).
3 full-time positions + manager
=======================================
6 locations, 11 T1 WAN circuits
20 routing nodes
225 switches with ~13,000 ports (9000 admin, 4000 residences)
full wifi deployment (700 APs, 13,000 MACs registered)
3 sets of firewall
2 VPN appliances
45Mb Internet increasing to 100Mb (because 45 is maxed out) plus several monitoring solutions (for all of the above) plus some associated service servers (ACS, RADIUS, SYSLOG, but not DNS)
Absolutely NO ONE else on campus touches or has admin access to any of this equipment. Other groups can cable into switchports, but VLAN changes have to be done by one of us.
I've worked at two other organizations with 1/5th to 1/10th the size of this organization and they had 3 people + a manager. It is no wonder to me things deteriorate so badly.