Educause Security Discussion mailing list archives
Re: How to deal with student server connected to university network
From: Information Security <infosecurity () UTPA EDU>
Date: Mon, 22 Aug 2005 13:38:53 -0500
Christian heroux wrote:
Hello! Your advice and experience would be appreciated! We are not sure what to do with student servers connected to the university network. Every student association has a server for web server, listserv, software development tools... We are thinking about offering server hosting for legitimate student servers if IT services cannot offer any equivalent. What are the policies at other universities about student servers (or, if you prefer, servers that are not administered by university IT services)?

We really don't like that students can set up a server and have a public IP address. The university can't control what is published over the Internet, and complaints received about such servers are harder to follow and intervene on, and complaints keep coming. We plan on using private addressing for the university network for many reasons, so we are facing a problem with these kinds of servers.

Do many universities use private addresses? Does any university host student servers or have a policy? Does any university authorize students to set up their own servers? Thanks
The comments below are not our policy, just my personal recommendation:

1) On-campus, let the students run servers as much as they want: it's good experience, especially if they want to experiment with things like CMS systems, wikis, chat boards etc. Note that these servers *must* be forbidden from storing sensitive data of any kind as they will be impossible to keep secure. Encourage the owners to keep their own backups and to have a good mechanism for rebuilding the server from scratch in the event of it being trashed by hackers. (for instance, in a unix system, you'd tar up the entire /etc directory and /src/ww, and back them up to a pen drive; then you'd reinstall from scratch and restore those two directories, to get 99.9% of your system restored. Easy to do, but easier to forget to prepare for!)

2) Block all web services at the campus edge firewall by default

3) Allow external access only to officially supported servers - preferably a small number; best of all, just one.

4) If a student web site is worth making visible to the world, use some web server tricks on your main visible web server to export the student web server by reverse proxy, under a sub-url; for example if I have an internal site "baseball.univ.edu" then it can be mapped to "www.univ.edu/baseball/". The decision as to whether an internal web site may be exposed like this should be made by your external relations office, who may also require the web site to conform to your University's standard look&feel before doing so.

(An alternative to the remapping which can be done on servers like apache, but which is tricky to implement, is when your main university site is hosted on a CMS or portal; then you can do the publishing of the internal site via "portlets" as areas within the constrained window space of your portal)

One advantage of channeling all content through one server is that you only need to put DMCA contact info on one server - for the last few weeks we've been tracking down all the web servers on campus to ensure that they have a DMCA notice, and we have about 200+ servers so far, not all of which we can identify!

Graham
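
The reverse-proxy mapping from point 4 of the message above, as an added example that is not part of the original post: an Apache 2.4 virtual-host fragment for the main web server, using the message's example host names. It assumes mod_proxy and mod_proxy_http are loaded and that the edge firewall keeps blocking direct outside access to the student server, as in points 2 and 3.

```apache
# Added example (not from the original message). Assumes Apache 2.4 with
# mod_proxy and mod_proxy_http loaded; host names are the message's examples.
<VirtualHost *:80>
    ServerName www.univ.edu

    # Reverse proxy only: never let this server act as a forward (open) proxy.
    ProxyRequests Off

    <Location "/baseball/">
        # Public www.univ.edu/baseball/ -> internal baseball.univ.edu/
        ProxyPass        "http://baseball.univ.edu/"

        # Rewrite Location headers in redirects so outside clients are not
        # sent to the internal name, which the edge firewall blocks.
        ProxyPassReverse "http://baseball.univ.edu/"

        # Re-scope cookies set by the student server to the sub-URL so the
        # browser does not send them to the rest of www.univ.edu.
        ProxyPassReverseCookieDomain "baseball.univ.edu" "www.univ.edu"
        ProxyPassReverseCookiePath   "/" "/baseball/"

        # Pass through only the methods a published site needs.
        <LimitExcept GET HEAD POST>
            Require all denied
        </LimitExcept>
    </Location>
</VirtualHost>
```

Content published this way shares the browser origin of www.univ.edu, so scripts served by the student site run with the same origin as the official pages; that is one more reason for the review step before a site is exposed. Absolute links inside the student site's HTML are not rewritten by these directives, so the site should use relative links.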