Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Fri, 13 May 2005 16:07:40 -0400
On May 13, 2005, at 15:53, Gary Flynn wrote:
Anyone have any concerns or experiences they would like to share?
Active FTP will fail. You will either need to allow for it or have users use passive FTP. Some applications like NetMeeting will similarly break. Again, judicious use of user education will help you. Of course, this may not always fix the problem, so having a management mechanism and an explicit policy for making exceptions is a Good Idea(tm).

Assuming you permit the known and sanctioned server traffic, it might help you a lot with minimal overhead. We have a number of departments on-campus who have done this for their subnets successfully. (We do ACLs on our Edge on a subnet-by-subnet basis instead of at the border, allowing for more flexibility and easier management).

If you go ahead and do this, we would be interested in hearing how things go.

-Dan

_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
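The FTP failure described in the message above, as an added example that is not part of the original post: a small model of an inbound default-deny border filter that shows which FTP data connections get dropped. It goes one step beyond the message by also covering the mirror case of an outside client using a sanctioned campus FTP server. The addresses, ports, the `SANCTIONED` exception list and the absence of any FTP-aware helper on the filter are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("192.0.2.0/24")            # constructed campus range
SANCTIONED = {(ip_address("192.0.2.10"), 21)}  # constructed exception: campus FTP server

@dataclass(frozen=True)
class Syn:
    """First packet of a new TCP connection (replies to it are assumed allowed)."""
    src: str
    sport: int
    dst: str
    dport: int

def permits(syn):
    """Inbound default deny: outside-to-campus SYNs pass only to sanctioned services."""
    src, dst = ip_address(syn.src), ip_address(syn.dst)
    inbound = dst in CAMPUS and src not in CAMPUS
    return not inbound or (dst, syn.dport) in SANCTIONED

def ftp_session(client, server, mode):
    """Return (control_ok, data_ok) for one FTP transfer through the border."""
    control = Syn(client, 50000, server, 21)
    if mode == "active":
        # PORT: the client listens and the server connects back from port 20.
        data = Syn(server, 20, client, 50001)
    else:
        # PASV: the server listens on a high port and the client connects to it.
        data = Syn(client, 50001, server, 60000)
    return permits(control), permits(data)

if __name__ == "__main__":
    cases = [("campus client, outside server", "192.0.2.55", "198.51.100.7"),
             ("outside client, campus server", "198.51.100.7", "192.0.2.10")]
    for label, client, server in cases:
        for mode in ("active", "passive"):
            control_ok, data_ok = ftp_session(client, server, mode)
            print(f"{label:30} {mode:8} control={control_ok} data={data_ok}")
```

For the campus FTP server, permitting port 21 alone is not enough for passive-mode clients; the exception would also have to cover the server's passive data port range.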