On Fri, 7 May 2004, Will Hill wrote:

> Things have gotten ugly too. I have heard complaints from competent people
> that IS has been cutting off ports without notice, requiring specific
> anti-virus software (that has proven stunningly ineffective), being anal
> about hubs and anything that touches "their" network. The attitude is that
> the customer is always wrong.

It's not that the customer is always wrong. It's that most customers are almost always wrong. I personally oversee the hundreds of thousands of dollars we spend per year on network upgrades, building a more secure and reliable network, only to have entire segments brought down because someone brings in their $30 Linksys or D-Link switch, plugs it in and it gets stuck in a bridge loop (there's a reason why they are SOHO).

Or the PhD that brings in the $50 WAP, plugs it in, with no security, so he wouldn't need a cable on his laptop. Never mind the laptop is on the desk, literally 18 inches from the wall jack. Oh yeah, he didn't know what the WAN port was so just plugged it in and started handing out bogus DHCP addresses to the rest of the building. And the laptop is just crawling with every piece of malware, spyware, virii and worm you can think of, yet he looks at you really confused when you ask about the last time he did a Windows update.

How about the lab coordinator who wanted to spend thousands of dollars to replace 100mb switched connections with 10mb shared wireless connections in his labs, 'cause he didn't like how the wires looked. Or the bean counter who said it was too expensive to rewire this building, and suggested we spend $70k to "upgrade" the mostly reliable 10mb shared wired network with a completely unreliable 5mb wireless network.

I could go on, but I think you get the point on why network guys are so anal.

Our firewall blocks most ports incoming and outgoing by default. Bitch all you want, this has saved us more times than not. Our users have learned that a weird port or new app may need to be opened at the firewall. When ipaudit detects you have a virus, your machine is blocked by MAC address until we're sure it's clean.

If someone told me all students would be bringing their laptops in from home and plugging into the network, I would have to do some major re-architecting on our network to prepare for it. It's doable here, but I hear LSU's network is a nightmare. When the laptop idea came down from above, it probably scared the hell out of LSU's IT dept. Having AD management on each laptop so they can push down updates is one of their only defenses. They know it won't work 100%, will cause problems, will be uncontrollable and a management nightmare, but it's better than doing nothing. And I'd be willing to bet that it helps more than it hurts.

ray

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                      http://www.r-a-y.org
Systems Engineer                Southeastern Louisiana University
IBM Certified Specialist        AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
