Educause Security Discussion mailing list archives

Re: the importance of security


From: Jon Mitchiner <jon.mitchiner () GALLAUDET EDU>
Date: Wed, 11 Aug 2004 12:45:51 -0400

I am not comfortable with the idea of port 25 blocking.  The reason is
this: how will you know if a machine is infected or not?  If you block
outgoing port 25 then it's going to make it difficult for you to know
whether a machine is infected with a trojan/virus/etc., and you would have
compromised machines on your network.  I like to be aware of
compromised hosts and take them off the network quickly until they are
fixed.

Our approach to this was to set up a transparent proxy on port 25 for
unknown SMTP servers.  Anyone who tries to send e-mail on port 25 is
automatically redirected to our internal mail server on port 25.  It
accepts all mail internally and does not require SMTP authentication to
send e-mails.  In other words, this is a catchall mail server for
unknown e-mails that probably should not have been sent in the first place.

We have the e-mail server forward bounces to the security administrators
so they can be reviewed and it can be determined whether a computer needs to be
disconnected from the network.  It's likely that people will have some
bad addresses in their address books and thus cause the bounces.  There
are times when there is a massive influx of e-mails to the security
group, maxing out their quotas, but the end result is that the security group
knows immediately whenever someone's computer is infected.  For instance,
with the new Beagle worm this week, the response time was less than 5
minutes when the outbreak started and we minimized the spread quickly.

When there is a virus outbreak we put the mail server in a queue mode
and all mail is accepted but not processed.  We search for specific
keywords (e.g. .pif) and if they match then the e-mails are
automatically deleted.  We've noticed that this is relatively easy to
manage because we allow approved SMTP hosts to send mail directly
(bypassing the transparent mail server), so we only catch e-mails that do
not use the authorized SMTP hosts.  The number of e-mails is small
because most users use the authorized SMTP hosts, and those that don't
are usually either infected or reading their home e-mail accounts (via
their ISP).

We do the transparent proxy/redirection on our border Cisco router to
send the traffic back to a specific machine.  It's relatively simple to
set up.

Jon Mitchiner
Gallaudet University

Dewitt Latimer wrote:

Notre Dame implemented full SMTPAuth and port 25 blocking.
True...we're being a good netcitizen.  However, the payback to ND (in
so far as the reduction of infected machines) has been immense.

-d
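The triage step Jon describes (reviewing what lands on the catchall server and deciding which hosts to pull off the network, while tolerating the user with a stale address book) can be scripted against the catchall server's log. The following is an added example, not code from the thread or from Gallaudet; it assumes the catchall box runs Postfix and parses constructed Postfix-style log lines (hosts, queue ids and thresholds are all made up for the example). It correlates the smtpd `client=` line with the `nrcpt=` count, non-delivery notifications and `header_checks` discards by queue id, then gives each internal source host a verdict.

```python
"""Triage a catchall SMTP server's log for worm-like internal senders.

Added example (not from the original thread). Log lines below are constructed
Postfix-style records: smtpd gives the client IP per queue id, qmgr gives the
recipient count, bounce records a non-delivery notification, and a cleanup
'discard' line records a header_checks hit on a blocked attachment name.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions for this example; tune to the site's normal traffic.
WORM_MESSAGE_THRESHOLD = 4          # messages from one host in the reviewed window
WORM_BOUNCE_THRESHOLD = 3           # bounces for one host in the reviewed window
BLOCKED_EXTENSIONS = (".pif", ".scr", ".exe")   # names header_checks discards

# Constructed log excerpt (hostnames, addresses and queue ids are made up).
SAMPLE_LOG = """\
Aug 11 12:31:02 catchall postfix/smtpd[2101]: 7F3A1: client=lab-pc-14.example.edu[10.20.4.14]
Aug 11 12:31:02 catchall postfix/qmgr[1900]: 7F3A1: from=<jdoe@example.edu>, size=2310, nrcpt=1 (queue active)
Aug 11 12:31:05 catchall postfix/bounce[2210]: 7F3A1: sender non-delivery notification: 9C0D2
Aug 11 12:32:10 catchall postfix/smtpd[2102]: 8A44B: client=dorm-221.example.edu[10.30.8.221]
Aug 11 12:32:10 catchall postfix/cleanup[2150]: 8A44B: discard: header Content-Disposition: attachment; filename="price.pif" from dorm-221.example.edu[10.30.8.221]; from=<random@example.com> to=<a@example.org> proto=ESMTP helo=<dorm-221>: blocked attachment
Aug 11 12:32:11 catchall postfix/smtpd[2102]: 8A44C: client=dorm-221.example.edu[10.30.8.221]
Aug 11 12:32:11 catchall postfix/qmgr[1900]: 8A44C: from=<random@example.com>, size=22804, nrcpt=1 (queue active)
Aug 11 12:32:12 catchall postfix/smtpd[2102]: 8A44D: client=dorm-221.example.edu[10.30.8.221]
Aug 11 12:32:12 catchall postfix/qmgr[1900]: 8A44D: from=<random@example.com>, size=22804, nrcpt=1 (queue active)
Aug 11 12:32:14 catchall postfix/bounce[2210]: 8A44C: sender non-delivery notification: 9C0D3
Aug 11 12:32:15 catchall postfix/bounce[2210]: 8A44D: sender non-delivery notification: 9C0D4
Aug 11 12:35:40 catchall postfix/smtpd[2103]: 9B01E: client=faculty-7.example.edu[10.40.1.7]
Aug 11 12:35:40 catchall postfix/qmgr[1900]: 9B01E: from=<prof@isp.example.net>, size=1480, nrcpt=1 (queue active)
Aug 11 12:36:02 catchall postfix/smtpd[2103]: 9B01F: client=faculty-7.example.edu[10.40.1.7]
Aug 11 12:36:02 catchall postfix/qmgr[1900]: 9B01F: from=<prof@isp.example.net>, size=980, nrcpt=2 (queue active)
"""

RE_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>\S+)\[(?P<ip>[\d.]+)\]")
RE_NRCPT = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")
RE_BOUNCE = re.compile(r"postfix/bounce\[\d+\]: (?P<qid>\w+): sender non-delivery notification")
RE_DISCARD = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>\w+): discard: header .*?filename=\"(?P<name>[^\"]+)\"")


@dataclass
class HostActivity:
    hostname: str = ""
    messages: int = 0
    recipients: int = 0
    bounces: int = 0
    blocked_attachments: list = field(default_factory=list)

    def verdict(self) -> str:
        """'infected': disconnect; 'review': likely a stale address book; 'ok': leave alone."""
        if self.blocked_attachments:
            return "infected"
        if self.messages >= WORM_MESSAGE_THRESHOLD or self.bounces >= WORM_BOUNCE_THRESHOLD:
            return "infected"
        if self.bounces:
            return "review"
        return "ok"


def triage(log_text: str) -> dict:
    """Correlate log records by queue id and aggregate them per internal source IP."""
    qid_to_ip = {}
    hosts = defaultdict(HostActivity)
    for line in log_text.splitlines():
        if m := RE_CLIENT.search(line):
            qid_to_ip[m["qid"]] = m["ip"]
            hosts[m["ip"]].hostname = m["host"]
            hosts[m["ip"]].messages += 1
        elif m := RE_NRCPT.search(line):
            if (ip := qid_to_ip.get(m["qid"])):
                hosts[ip].recipients += int(m["n"])
        elif m := RE_BOUNCE.search(line):
            if (ip := qid_to_ip.get(m["qid"])):
                hosts[ip].bounces += 1
        elif m := RE_DISCARD.search(line):
            ip = qid_to_ip.get(m["qid"])
            if ip and m["name"].lower().endswith(BLOCKED_EXTENSIONS):
                hosts[ip].blocked_attachments.append(m["name"])
    return dict(hosts)


def hosts_to_disconnect(log_text: str) -> list:
    """Sorted IPs whose verdict is 'infected'."""
    return sorted(ip for ip, h in triage(log_text).items() if h.verdict() == "infected")


if __name__ == "__main__":
    for ip, h in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {h.hostname:28} msgs={h.messages} rcpts={h.recipients} "
              f"bounces={h.bounces} blocked={h.blocked_attachments} -> {h.verdict()}")
```

Run on the excerpt, the dorm host is flagged by its discarded .pif attachment, the lab PC with one bounce is left for a human to review (the "bad address in the address book" case the post mentions), and the faculty machine relaying through its home ISP account shows up as ordinary traffic. The thresholds only make sense because approved SMTP hosts bypass the catchall server, so the volume here is small enough to review by hand.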




**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
