[unisog] no-ip.com etc.

Lance Gjerstad lgjersta at kettering.edu
Fri Oct 24 20:44:39 GMT 2003


On Fri, 24 Oct 2003, Ben Curran wrote:

> Date: Fri, 24 Oct 2003 12:32:12 -0700
> From: Ben Curran <bdc1 at humboldt.edu>
> To: unisog at sans.org
> Subject: Re: [unisog] no-ip.com etc.
> 
> We have a policy which restricts students from hosting servers in the residence halls.
> Students with dynamic IP client software can easily circumvent hardware based (acl)
> restrictions/enforcement of this policy. (i.e only allowing "tcp established" connections
> inbound on an interface)

Are your ACLs based on the hostname?  If they are based on an IP
address (which they should be) the DNS name of the box would have no
impact on the firewall rules.

We have our students on a private subnet (171.16.x.x), and off-campus
services are provided by a combination of http proxy, socks proxy, and
NAT.  We only NAT if the destination IP is off-campus, and off-campus
addresses have no route to any host in our dorms other than through an
established connection.  The dorms are also given the same restrictions
to our network as the outside world, so the only way students could
act as servers is if they are providing services internal to the dorm.

> 
> -- ¥«¤»§«¤»¥««¤»§«¤»¥«¤»§«¤»¥
> Network Specialist
> Humboldt State University
> Telecommunications & Network Services
> Phone: 707.826.5000 fax: 707.826.6161
> pgp key-- 2048/1024, 0x619015B2
> ldap://keyserver.pgp.com
> ¥«¤»§«¤»¥««¤»§«¤»¥«¤»§«¤»¥
> 

-- 
Lance Gjerstad
Intermediate Unix System Administrator
Information Technology
Kettering University




More information about the unisog mailing list