where to host web server
Nadav Har'El
nyh at math.technion.ac.il
Tue Oct 23 17:53:33 IST 2012
On Tue, Oct 23, 2012, Shahar Dag wrote about "RE: where to host web server":
> In a large system, you can't let users do whatever they want, you must
> protect your network. For example you will not let a user build & run a DNS
> server on the corporate network, you will give him a limited private
> network.
Treating your network as a "corporate network" is your first mistake ;-)
A university is not a corporation, it's an institute of *learning*.
And why-the-heck NOT allow a student to run a DNS server?? Why not allow
a student (say, graduate student) to host, for example some non-profit
organization like "hamakor.org.il" or "imu.org.il" (the Israeli
Mathematic Union)? And why not allow a student to develop the next
generation DNS server, or invent its next replacement - and allow the
student to try it on the real Internet?
Surely, not every student should be allowed such control, and not on every
host - there can be rules, quotas, designated computers with full
Internet access (while the rest are firewalled), and so on. If one student
uses a shared computer to run a DNS server and takes 90% of the its CPU,
or half the network bandwidth, or does something illegal or for commercial
benefit, he can be repremanded. But why do you need a blanket rule that no
student can ever have a DNS server, ever, regardless of reason? Just because
it's easier for the admins, and easy to enforce?
> If a Technion user misbehaves on the internet, it may block all the Technion
> from access to some sites. We would like to prevent it.
This is wrong. One might say the same thing about Amazon (who hosts
anybody) or any other place you send your students to. The reality is
that everybody knows that large institutions cannot prevent individuals
from misbehaving, and all anybody expects from you is to invest some
effort in catching these misbehaviors - not to ensure that they never
happen at all.
> If a student builds a web server, and the web server is open to the world,
> the student can use the server as a back door for anonymous entrance to the
> Technion via his server. To prevent this we limit the scope of access.
Anonymous access to what - to his own files?
Yes, I know about privilige escalation bugs, and everything. I have
more than 20 years experience in system administration and computer
security ;-) But so what. Again - you're throwing out the baby with the
bathwater.
It's sad that I, who studied 20 years ago, had much more opportinity to
learn about Internet protocols than students who studies today - when it
should have been easier, not harder, to be a *server* on the Internet.
Again, I'm not saying the security concerns don't exist. I'm just
saying that they can be tolerated, to achieve the loftier goal which is
to let the students experiment.
> 20 years ago the internet considered a safe place, today it isn't so you
> must limit access.
No, 20 years ago the Internet was NOT a safe place, and every computer I
had access to during that period was cracked at least once - including
the most major computers in the Technion. But you know what - nothing
terrible happened! And if anything, the Internet became safer since, not
less safe. Today it's much easier to keep a (almost) hole-free computer,
to run iptables, to separate between different users (virtual machines,
computers, etc.), and so on.
The irony is that because of all these rules, what you end up doing is
looking for a host that doesn't have these rules :-)
P.S. If it wasn't clear yet, I'll repeat: I am not suggesting that every
single computer in the Technion should be globally routable (though this was
the case 20 years ago). What I'm suggesting is that every department
must have at least one or several such computers - running multi-user
Linux or some cloud software with VMs, or something - and allow students
to do things on it with some reasonable limitations (non-profit,
legality, etc.). It will be easier for the Technion to set such a thing
up, and it will not need to use Amazon and the likes.
--
Nadav Har'El | Tuesday, Oct 23 2012, 7 Heshvan 5773
nyh at math.technion.ac.il |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |The only "intuitive" interface is the
http://nadav.harel.org.il |nipple. After that, it's all learned.
More information about the Linux-il
mailing list