Educause Security Discussion mailing list archives

Re: How to deal with student server connected to univerity network


From: Information Security <infosecurity () UTPA EDU>
Date: Mon, 22 Aug 2005 13:38:53 -0500

Christian Heroux wrote:

Hello!

Your advice and experience would be appreciated!

We are not sure what to do with student servers connected to the university network. Every student association has a server for a web server, listserv, software development tools...

We are thinking about offering server hosting for legitimate student servers if the IT service cannot offer any equivalent. What are the policies at other universities about student servers (if you prefer, servers that are not administered by the university IT service)?

We really don't like that students can set up a server and have a public IP address. The university can't control what is published over the Internet, complaints received about such servers are harder to follow up on and intervene in, and the complaints keep coming. We plan on using private addressing for the university network for many reasons, so we are facing a problem with those kinds of servers.

Do many universities use private addresses?

Does any university host student servers or have a policy?

Does any university authorize students to set up their own servers?

Thanks


The comments below are not our policy, just my personal recommendation:

1) On-campus, let the students run servers as much as they want: it's good experience, especially if they want to experiment with things like CMS systems, wikis, chat boards etc. Note that these servers *must* be forbidden from storing sensitive data of any kind as they will be impossible to keep secure. Encourage the owners to keep their own backups and to have a good mechanism for rebuilding the server from scratch in the event of it being trashed by hackers. (For instance, on a Unix system, you'd tar up the entire /etc directory and /src/ww, and back them up to a pen drive; then you'd reinstall from scratch and restore those two directories, to get 99.9% of your system restored. Easy to do, but easier to forget to prepare for!)

2) Block all web services at the campus edge firewall by default.

3) Allow external access only to officially supported servers - preferably a small number; best of all, just one.

4) If a student web site is worth making visible to the world, use some web server tricks on your main visible web server to export the student web server by reverse proxy, under a sub-URL; for example, if I have an internal site "baseball.univ.edu" then it can be mapped to "www.univ.edu/baseball/". The decision as to whether an internal web site may be exposed like this should be made by your external relations office, who may also require the web site to conform to your University's standard look & feel before doing so. (An alternative to the remapping, which can be done on servers like Apache but which is tricky to implement, is when your main university site is hosted on a CMS or portal; then you can do the publishing of the internal site via "portlets" as areas within the constrained window space of your portal.)

One advantage of channeling all content through one server is that you only need to put DMCA contact info on one server - for the last few weeks we've been tracking down all the web servers on campus to ensure that they have a DMCA notice, and we have about 200+ servers so far, not all of which we can identify!

Graham
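The reverse-proxy mapping described in point 4 above, as an added example that is not from the original thread: an Apache httpd virtual host (2.4 syntax assumed) on the single public server www.univ.edu that publishes the internal baseball.univ.edu site under /baseball/, while the backend itself stays behind the campus edge firewall. The host names are the ones in the message; the module paths and the on-campus address range in the comment are assumptions.

```apache
# Added example, not from the thread. Assumes Apache httpd 2.4 with
# mod_proxy and mod_proxy_http; module paths are installation-specific.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName www.univ.edu

    # Never act as an open forward proxy: only the explicit ProxyPass
    # rules below are honoured, and only for the listed path.
    ProxyRequests Off

    # Expose the internal student site under a sub-URL. The backend host
    # only needs to be reachable from this server, not from the Internet.
    ProxyPass        "/baseball/" "http://baseball.univ.edu/"
    ProxyPassReverse "/baseball/" "http://baseball.univ.edu/"

    # Rewrite Set-Cookie headers from the backend so cookies are scoped
    # to the public name and the sub-URL rather than the internal name.
    ProxyPassReverseCookieDomain "baseball.univ.edu" "www.univ.edu"
    ProxyPassReverseCookiePath   "/" "/baseball/"

    # "/baseball" without the trailing slash does not match the ProxyPass
    # prefix; send it to the canonical sub-URL (anchored regex, so paths
    # below /baseball/ are not redirected in a loop).
    RedirectMatch permanent "^/baseball$" "/baseball/"

    # Per-location access control lives on the public server, not on the
    # student box; tighten here for on-campus-only sites
    # (e.g. "Require ip 10.0.0.0/8", an assumed campus range).
    <Location "/baseball/">
        Require all granted
    </Location>
</VirtualHost>
```

ProxyPassReverse only fixes Location and cookie headers; absolute links inside the student site's HTML must be relative (or rewritten with mod_proxy_html) or they will point at the unreachable internal name.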
