Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Fri, 13 May 2005 16:07:40 -0400

On May 13, 2005, at 15:53, Gary Flynn wrote:
Anyone have any concerns or experiences they
would like to share?


Active FTP will fail.  You will either need to allow for it or have
users use passive FTP.

Some applications like NetMeeting will similarly break.  Again,
judicious use of user education will help you.  Of course, this may not
always fix the problem, so having a management mechanism and an
explicit policy for making exceptions is a Good Idea(tm).

Assuming you permit the known and sanctioned server traffic, it might
help you a lot with minimal overhead.  We have a number of departments
on-campus who have done this for their subnets successfully.  (We do
ACLs on our Edge on a subnet-by-subnet basis instead of at the border,
allowing for more flexibility and easier management).

If you go ahead and do this, we would be interested in hearing how
things go.

-Dan

_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657
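The active/passive FTP point above is easy to get backwards, so here is an added example (not from the thread or from Cornell) that models an inbound default-deny policy and evaluates the FTP control and data connections against it. The campus prefix, the sanctioned-server list, the addresses and the PORT/PASV strings are all constructed for illustration; the policy function is a deliberately simple stateless approximation (outbound initiations allowed, inbound initiations dropped unless listed), not any real firewall's rule syntax.

```python
"""Model of how an inbound default-deny border policy treats FTP.

Added example, not from the original mailing-list thread.  Prefixes,
addresses, the exception list and the FTP messages are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed campus prefix (TEST-NET-1) and sanctioned (address, port) pairs.
CAMPUS = ipaddress.ip_network("192.0.2.0/24")
SANCTIONED_SERVERS = {
    (ipaddress.ip_address("192.0.2.10"), 21),   # a campus FTP server, control port only
    (ipaddress.ip_address("192.0.2.10"), 22),
}


@dataclass(frozen=True)
class Flow:
    """A TCP connection *initiation*: who sends the SYN, to where."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def inbound_default_deny(flow: Flow) -> bool:
    """Return True if the border permits this connection initiation.

    Policy (hypothetical): anything originating inside campus may go out;
    anything originating outside is dropped unless it targets a listed
    (address, port).  Return traffic for permitted flows is assumed to be
    handled by state tracking and is not modelled here.
    """
    if flow.src in CAMPUS:
        return True
    return (flow.dst, flow.dport) in SANCTIONED_SERVERS


_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(text: str):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def active_data_flow(client_port_cmd: str, server) -> Flow:
    """Active mode: the client sends PORT and the *server* connects back to it."""
    client_addr, client_port = parse_hostport(client_port_cmd)
    return Flow(src=server, dst=client_addr, dport=client_port)


def passive_data_flow(server_pasv_reply: str, client) -> Flow:
    """Passive mode: the server answers PASV with 227 and the *client* connects out."""
    server_addr, server_port = parse_hostport(server_pasv_reply)
    return Flow(src=client, dst=server_addr, dport=server_port)


def demo() -> dict:
    """Evaluate the six connections that matter for FTP in both directions."""
    client = ipaddress.ip_address("192.0.2.55")       # campus workstation (constructed)
    server = ipaddress.ip_address("198.51.100.7")     # external FTP server (constructed)
    ext_client = ipaddress.ip_address("203.0.113.9")  # external user (constructed)
    campus_ftp = ipaddress.ip_address("192.0.2.10")   # sanctioned campus FTP server
    return {
        # Campus user talking to an outside server.
        "control_out": inbound_default_deny(Flow(client, server, 21)),
        "active_data_in": inbound_default_deny(
            active_data_flow("PORT 192,0,2,55,4,1", server)),            # 4*256+1 = 1025
        "passive_data_out": inbound_default_deny(
            passive_data_flow("227 Entering Passive Mode (198,51,100,7,195,80)", client)),
        # Outside user talking to the sanctioned campus server: the picture mirrors.
        "ext_control_to_campus_ftp": inbound_default_deny(Flow(ext_client, campus_ftp, 21)),
        "ext_active_data_from_campus_ftp": inbound_default_deny(
            active_data_flow("PORT 203,0,113,9,4,2", campus_ftp)),
        "ext_passive_data_to_campus_ftp": inbound_default_deny(
            passive_data_flow("227 Entering Passive Mode (192,0,2,10,195,81)", ext_client)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:35s} {'ALLOW' if allowed else 'DROP'}")
```

Two things fall out of running it. For a campus user, active mode breaks because the data connection is an inbound initiation to the client's high port, while passive mode survives because the client initiates. For a sanctioned campus FTP server the situation is reversed: outside users in active mode work (the server initiates outbound), but passive-mode users are dropped unless the server's passive port range is added to the exception list alongside port 21, which is the kind of entry an exception process has to track.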

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.