>
> In any case they don't have to open the port to every machine in campus
> just the machine that you run the server at should be enough.
The server isn't our problem - we'd just put any Brunel RLS on a different
port. The problem is that it needs to be accessed FROM a _UI_.

All ports can be misused; the bad guys might even start deliberately using
ones opened for Grid services. As I understand it, the _objection_ is that
these ports are _particularly_ commonly used in various attacks.

If access was granted to all machines on campus, any one of the thousands
of them could be misused by any one of hundreds of computing students.
Only a ludicrously small proportion would ever be used by physicists for
legitimate LCG work, for a significant risk that Brunel gets a bad rep for
allowing the attacks (and of course there's the poor sod at the receiving
end...).

Why not have just one UI on a fixed IP and have them all use that?

Because physicists are selfish ******* who insist on their own
machines, and then on their own laptops that work anywhere on campus, and
on being able to use the wireless LAN when they come to visit...[*]

We only have finite resources - continuously fiddling with the site
firewall seems a particularly stupid use of them.

Henry
[* I'd go with the cattle prod idea to train them otherwise, but they
won't let me. And the lightweight, mobile UI _was_ part of the
architecture...]
--
Dr. Henry Nebrensky
http://people.brunel.ac.uk/~eesrjjn
"The opossum is a very sophisticated animal.
It doesn't even get up until 5 or 6 p.m."