UK Web Focus (Brian Kelly)

Innovation and best practices for the Web

Strictly Forbidden

Posted by Brian Kelly on 29 Jun 2007

Whilst attending the Museums Mashup which preceded the UK Museums and the Web 2007 conference recently I spotted the following notice which was pinned on the wall in several of the PC cluster rooms (and thanks to Jim O’Donnell for taking this and other photos at the event).

Strictly Forbidden notice.

As someone who used to work in a number of IT Service departments I’m aware of potential security implications. But the tone of this notice strikes me as inappropriate.

Michael Nolan's PowerPoint slidesAnd it also seems to be out of sync with the trend towards more user-focussed IT Service departments, articulated in the introduction to the UCISA IT Support Staff Symposium 2007 given by David Harrison, UCISA chair who argued that IT Services departments need to stop saying that they are user-focussed and actually mean it.

Michael Nowlan, Director of Information Systems Services at Trinity College Dublin made a similar point at the TERENA Networking the Network 2007 conference recently. As can be seen from his opening three slides (PowerPoint format) in a session on The Weakest Link? – a panel discussion on campus networks Michael suggested that the IT Centre might actually be the weakest link within an institution, focussing on its role in protecting the infrastructure by denying access to services to the detriment of the user community. And Michael challenged the notion of bans on technologies such as Skype and prohibitting students from attaching devices to the campus network.

In an email Michael recently summarised what being user-focussed means to the IT services department at Trinity College Dublin:

  • Yes before No
  • Allow before disallow
  • Open rather than closed
  • Connect to the network on a device-agnostic basis

I think this is a great summary of what “IT Services 2.0” should be about. And personally I think it should be strictly forbidden to put up notices containing the words “strictly forbidden” on campuses :-)

Technorati Tags: ukmw07

6 Responses to “Strictly Forbidden”

  1. James Clay said

    This kind of notice is quite “normal” in FE. I use to be able to plug in my laptop (a Mac PowerBook) into many college networks without any problems and access not only the network but also servers containing student work.

    I suspect that the reason behind this notice is that the network is not secure and adding a non-locked down device will allow access to a range of servers and services.

    I do remember plugging in my PowerBook into the network at the GMEX centre in Manchester, couldn’t access anything, and in a few minutes I had a posse of technicians come down and ask me why I was plugging in an unauthorised Mac onto the network.

    So technically it is possible I guess to shut down a network so that unauthorised devices wouldn’t work.


  2. As someone with some responsibility for the notice, I agree that it needs updating. The text is several years old and pre-dates our provision of a wireless service for access by student PCs. The tone can easily be improved by directing them to this service. This notice will get reviewed.

    However, we will continue to strictly forbid non University managed devices being plugged directly in to the main campus network.

  3. Hi Peter
    Many thanks for your response.
    When you say that non University managed device can’t be plugged directly in to the main campus network I assume that this doesn’t stop PDAs, iPods, etc being plugged into an authorised networked PC?

  4. USB connections are available. Devices can be plugged in, whether they work or not is a different matter. In order to provide a reliable service the PCs are locked down to prevent modification by students. Any device requiring privileged access to the PC is not going to work. We also take measures to prevent PCs being booted from such devices.
    There is a balance between provision of functionality, security, reliability and effort to provide and support services. “Yes before No”, “Allow before disallow” and “Open rather than closed” are very positive statements which can be taken on board when designing new software. I don’t think you’ll find them in any guidance on network or system security.

  5. I agree that the barriers are lower with software design, but the user focused statements refer to attitude rather than practice – everyone would agree it’s a bad idea to open up your network without any thought about the consequences – but when a request is made, shouldn’t we be saying “Yes” more than “No”, provided it can be done securely, reliably, to budget etc?

    Conversely, Getting Real by 37signals says start with no – make features work hard to be implemented, the justification seemingly that users only know what they want, and don’t think about the wider issues. With limited development resources, it’s the job of the developers (or whoever, in the case of networks) to identify what will give the most overall benefit by listening to everyone – even those who aren’t saying anything (the silent majority often being the most important group of users).

  6. I completely agree with Brian that the attitude in a lot of IT Services need to change but, at the same time, I 100% agree with the sort of security that Peter Burnham has implemented at University of Leicester.

    As Peter and Michael said above, it would be crazy just to allow random people to plug random devices into random ports on your network. Its a massive security problem to do so – not only for your network but for other users. Its not user-focussed to allow a single user onto your network if their computer then passes on a virus to 50 of your other users!

    I feel you get a better overview of Michael Nowlan’s slides if you look at all 6 and watch the presentation. I don’t think he is really saying we should allow any computer to be put randomly onto the network, but is saying that we should design the network for the purposes of allowing these sort of things. So, for example, you have your network designed so it goes from your academic staff who sit on a network with very few restrictions to visitors to the University who have access to a section of the wireless network which allows only web access (or facilities dictated by something like Eduroam). In Leicester’s case, they are going in that direction by offering a wireless service for students.

    There’s 2 really simple reasons why this hasn’t happened all that much anywhere is that implementing the necessary technologies (such as 802.1X routers and NAC/NAP) is (a) furiously expensive, and (b) for networking technologies really quite young. I applaud the fact that TCD seem to be ahead of many in this – its just a shame that when many connect their devices to the network they will find it useless with email because TCD signed away their email to the not-IMAP-supporting Gmail…

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: