On Tue, 11 Jun 2013 19:57:17 -0400, Majdi S. Abbas <msa@latt.net> wrote:
You've never worked for one, have you?
Indeed I have. Which is why I haven't for a great many years. Academics tend to be, well, academic. That is, rather far out of touch with the realities of running / securing a network. I've used the work "incompotent" in previous conversations, but that's mostly a factor of overwork in an environment where few people are ever fired for such.
Guess what, they have /16s, they use them, and they like the ability to print from one side of campus to the other. Are you suggesting gigantic NATs with 120,000 students and faculty behind them?
Guess what, there are companies that have /8's, and they manage to keep their network(s) reasonably secured. I'm not talking about uber-large NAT; I'm talking about proper boundry security. If you cannot figure out how to keep the internet away from your printers, you should look into other lines of employment. Limiting access of the residential network into the departmental networks, is one of the first things in the design of a res-net. Otherwise, there's 25k potential script kiddies (or infected home computers now on your network) waiting to attack everything on campus. But we're headed into the weeds here...
I have a hard time blaming a school for this. I have an easy time wondering why printer manufacturers are including chargen support in firmware.
I have the same bewilderment about people allowing such unsolicited traffic into their network(s) in the first place. Even with IPv6 (where there's no NAT forcing the issue), I run a default deny policy... if nothing asked for it, it doesn't get in. Also, why the hell aren't providers not doing anything to limit spoofing?!? I'll staring right at you AT&T (former Bellsouth.) --Ricky