Corporate Reactions to Linux (fwd)

tschweikle at FIDUCIA.de
Tue Oct 12 19:57:43 GMT 1999


lkcl <lkcl at samba.org> wrote:

> On Tue, 12 Oct 1999, Richard Kail wrote:
>
>> Hello !
>>
>> On Tue, 12 Oct 1999, Luke Kenneth Casson Leighton wrote:
>>
>> > the point i really have to make here, therefore, is that the corporation
>> > should have banned USERs from setting up unauthorised computers (or should
>> > fire anyone that does so without consulting their network authorities).
>> > i mean, how stupid can you get.  setting up a network server without
>> > reading up on the consequences of your actions.
>> >
>> > the second point is that the decision to ban linux, if followed to its
>> > logical conclusion by the unmentioned corporation, should result in all
>> > systems (listed above) being banned as well.  yes, all of them.
>>
>> If you are thinking about "keeping things up and running" it is ok to see
>> things this way.
>
> i see things in several different ways.  the conclusion point two is
> supposed to be absurd.
>
>> If you are thinking about security
>
> .. which i am.  and due to microsoft, security on this issue is totally
> out the window, and there's NOTHING that can be done about it except to
> ban users from setting up unauthorised NT-Domain-Compatible PDCs.
>
>> things are looking a little bit different.
>
>
>> Banning users from doing /something/ may be a pragmatic way to
>> keep things up and running; if you have to guarantee that things are up and
>> running
>
> sorry, not possible.  ok, maybe you can come close, but it requires
> active monitoring.
>
> for example, you use samba as a WINS server. you modify the source code in
> nmbd such that it monitors for registrations of DOMAIN_NAME<1b> and
> DOMAIN_NAME<1c>.  you run one of these "monitors" on each of your
> broadcast-isolated subnets.

This would only protect against name changes. It wouldn't protect
against setting up additional computers or installing disallowed
operating systems.

The user would only have to watch out not to have more than one
computer with the same name online. This is easy to enforce by
using multiboot-systems.

A better way I am aware of is monitoring MAC addresses inside your
LAN --- thus giving you the whole control about which computers
are allowed to access your network, putting the burden on you to
adapt every network hardware change and reconfigure your routers
and switches (because this only makes sense if you close any ports
using unknown MAC addresses).

But even this isn't waterproof: what about illegal computers using
old and known network cards?


> you can then either email / page the administrator or run
> denial-of-service attacks against the offending server to take it down (a
> drastic and not highly recommended course of action).

If you do have token ring there would be a simple DoS: send it
a "close adapter" command. Some ethernet adapters do have this
command too.

--


More information about the samba-ntdom mailing list
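
Added example, not part of the original message and not Samba's own code: a sketch of the name-registration monitor discussed in the thread, parsing RFC 1002 registration requests and flagging DOMAIN_NAME<1b>/<1c> claims from addresses outside an allow-list. The function names, the CORP domain and the 10.0.x.x addresses are constructed for illustration; as the reply points out, such a monitor only sees name claims, not other unauthorised machines.

```python
import socket
import struct

WATCHED = {0x1B: "domain master browser", 0x1C: "domain controller group"}
REGISTER, REFRESH = 5, 8  # NBNS opcodes from RFC 1002

def encode_name(name, suffix):
    """First-level encoding: 15 padded chars + suffix byte, one letter per nibble."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def build_registration(name, suffix, ip, opcode=REGISTER):
    """Construct a sample registration request (test input, not captured traffic)."""
    header = struct.pack("!6H", 0x1234, (opcode << 11) | 0x0110, 1, 0, 0, 1)
    question = b"\x20" + encode_name(name, suffix) + b"\x00" + struct.pack("!2H", 0x20, 1)
    rdata = struct.pack("!H", 0) + socket.inet_aton(ip)
    record = b"\xc0\x0c" + struct.pack("!2HIH", 0x20, 1, 300000, len(rdata)) + rdata
    return header + question + record

def parse_registration(pkt):
    """Return (name, suffix, ip) for a registration/refresh request, else None."""
    if len(pkt) < 68:
        return None
    _, flags, qd, _, _, ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF not in (REGISTER, REFRESH):
        return None  # a response, or some other operation such as a query
    enc = pkt[13:45]
    if (qd, ar) != (1, 1) or pkt[12] != 0x20 or pkt[45] != 0:
        return None  # scoped names are not handled in this sketch
    if pkt[50:52] != b"\xc0\x0c" or not all(0x41 <= c <= 0x50 for c in enc):
        return None  # expects the usual compressed pointer back to the question
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], socket.inet_ntoa(pkt[64:68])

def check(pkt, domain, authorized_ips):
    """Return an alert string for an unauthorised <1b>/<1c> claim on `domain`."""
    parsed = parse_registration(pkt)
    if parsed is None:
        return None
    name, suffix, ip = parsed
    if name != domain.upper() or suffix not in WATCHED or ip in authorized_ips:
        return None
    return f"ALERT {name}<{suffix:02x}> ({WATCHED[suffix]}) claimed by {ip}"
```

The alert is keyed on the address carried in the registration record, so the allow-list should hold the addresses of the legitimate PDC and BDCs for the monitored domain.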