Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall


From: Graham Toal <gtoal () UTPA EDU>
Date: Wed, 1 Nov 2006 08:45:21 -0600

> We attempt to offer centralized services for web hosting, database
> services, etc... The problem seems to be that the faculty wants to be
> able to touch the systems providing the hosting and be able to show
> off their quad-core Apple servers pulsing in their office. They also
> go right to the top (CIO) and fuss, causing him in turn to ask us to
> fix it immediately...therefore causing the firewall exception. Our
> worry is that this exception will soon be (or already is) out of hand
> and faculty will spread the word of these exceptions.

Personally I don't see a security issue with remote access
(ssh, remote desktop, encrypted VNC) as long as you have good
passwords and current patches.  Basically it's the same as
someone sitting at their desk. Now if you allow file sharing,
or general X windows calls, across the perimeter that's a
different issue, but just basic simulated sitting-at-the-keyboard
access shouldn't be a show-stopper.

I would suggest solving your problem by opening up the remote
desktop port (or ssh, or whatever you use) to all machines and
not getting into the position of requiring exceptions, which as you
know are hard to manage.

The only downside I'm aware of is that if you don't generally
allow *any* incoming ports, then if one is open to everyone, you
might get people reusing that port for other purposes such as
a p2p listener.


Graham
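If a port such as 22 is opened to every host, the caveat above (someone quietly reusing the blanket-opened port for a p2p listener or something else) is worth checking for rather than hoping against. The script below is an added example, not code from the original message or from Graham: it connects to each host on the opened port, reads whatever the listener volunteers, and flags anything that is not speaking SSH. It relies on one fact from RFC 4253: an SSH server announces itself with a line of the form "SSH-protoversion-softwareversion", and may send other lines before it. Listeners that accept the connection but say nothing are flagged too, because most non-SSH services (HTTP, many p2p clients) wait for the client to speak first and so look "silent". The host names and banners in SAMPLE are constructed so the audit runs offline; the network grab uses only the standard socket module.

```python
"""Audit hosts reachable on a blanket-opened port and flag any listener
that is not an SSH server (the port-reuse caveat).  Added example."""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# RFC 4253, section 4.2: the server identification string is
# "SSH-protoversion-softwareversion [SP comments]" and the server MAY
# send other lines before it, so search line by line rather than
# requiring the banner to begin with "SSH-".
SSH_IDENT = re.compile(rb"^SSH-(1\.99|2\.0)-(\S+)", re.MULTILINE)


def classify_banner(banner: Optional[bytes]) -> Dict[str, str]:
    """Classify the first bytes a listener sent back.

    Returns {"service": "ssh", "software": ...} for an RFC 4253 banner,
    {"service": "silent"} when the port accepted but sent nothing, and
    {"service": "other", "preview": ...} for anything else.
    """
    if not banner:
        return {"service": "silent"}
    m = SSH_IDENT.search(banner)
    if m:
        return {"service": "ssh",
                "software": m.group(2).decode("ascii", "replace")}
    return {"service": "other",
            "preview": banner[:40].decode("ascii", "replace")}


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[bytes]:
    """Connect and read what the listener volunteers.

    Returns None if the port is closed or filtered, b"" if it accepted
    the connection but sent nothing before the timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def audit(hosts: List[str], port: int = 22,
          grab: Callable[..., Optional[bytes]] = grab_banner
          ) -> List[Tuple[str, Dict[str, str]]]:
    """Return (host, verdict) for every host whose port is open but not SSH."""
    findings = []
    for host in hosts:
        banner = grab(host, port)
        if banner is None:
            continue  # closed or filtered: nothing listening, nothing to report
        verdict = classify_banner(banner)
        if verdict["service"] != "ssh":
            findings.append((host, verdict))
    return findings


# Constructed sample listeners (hypothetical host names and banners) so
# the audit can be exercised without touching a network.
SAMPLE: Dict[str, Optional[bytes]] = {
    "host-openssh": b"SSH-2.0-OpenSSH_4.3\r\n",
    "host-prelude": b"Welcome to the lab\r\nSSH-1.99-Cisco-1.25\r\n",
    "host-ftp":     b"220 ftp.example ready\r\n",   # wrong service on the port
    "host-silent":  b"",                            # accepted, said nothing
    "host-closed":  None,                           # nothing listening
}


def sample_grab(host: str, port: int = 22, timeout: float = 3.0) -> Optional[bytes]:
    """Stand-in for grab_banner that answers from SAMPLE."""
    return SAMPLE.get(host)


if __name__ == "__main__":
    for host, verdict in audit(list(SAMPLE), grab=sample_grab):
        print(f"{host}: {verdict}")
```

Run against a real range by passing the host list and leaving the default grab in place; expect a few false positives from hosts that run SSH behind a slow TCP wrapper, which show up as "silent" and are worth a second look by hand anyway.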
