Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Fri, 13 May 2005 16:29:44 -0400
Active FTP will fail. You will either need to allow for it or have users use passive FTP.
It is my understanding that many modern firewalls account for these behaviors. For example the Cisco Pix "fixup protocol ftp" (on by default in Cisco) command allows active FTP initiated from internal clients to outside servers to function when a default inbound deny exists. Of course for inbound FTP you need rules that allow 20 and 21.

If you are running a firewall that does not allow these options, I would consider getting a more robust firewall before making these changes. This will ensure you have the robust feature set that may be required with the more complex configuration you are about to undertake.

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
Poor planning on your part does NOT constitute an emergency on our part - However, we will do what we can to help you out.

-----Original Message-----
From: Daniel Adinolfi [mailto:dra1 () CORNELL EDU]
Sent: Friday, May 13, 2005 4:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border

On May 13, 2005, at 15:53, Gary Flynn wrote:
Anyone have any concerns or experiences they would like to share?
Active FTP will fail. You will either need to allow for it or have users use passive FTP. Some applications like NetMeeting will similarly break. Again, judicious use of user education will help you. Of course, this may not always fix the problem, so having a management mechanism and an explicit policy for making exceptions is a Good Idea(tm).

Assuming you permit the known and sanctioned server traffic, it might help you a lot with minimal overhead. We have a number of departments on-campus who have done this for their subnets successfully. (We do ACLs on our Edge on a subnet-by-subnet basis instead of at the border, allowing for more flexibility and easier management).

If you go ahead and do this, we would be interested in hearing how things go.

-Dan

_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu
phone: 607-255-7657

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
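The exchange above turns on one mechanism: with inbound default deny, active-mode FTP breaks because the data connection is opened by the outside server toward the inside client, while passive mode keeps both connections client-initiated. The following toy stateful filter, an added example written for this archive page and not code from either poster or from Cisco, models that behaviour together with an FTP application-layer gateway in the spirit of the PIX "fixup protocol ftp" feature Greg mentions: it watches the outbound control channel for the client's PORT command and opens a one-shot pinhole for the matching inbound data connection. The addresses, ports and the `Firewall`/`Flow` names are constructed for the example; the PORT and 227 encodings (port = p1*256 + p2) are the real FTP ones.

```python
"""Toy stateful packet filter with inbound default deny and an optional FTP ALG.
Constructed example: addresses, ports and class names are invented for illustration."""
from dataclasses import dataclass
import re

INSIDE_PREFIX = "10.0.0."   # constructed: what counts as "inside" the border


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt, identified by its 4-tuple."""
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self, ftp_alg: bool, inbound_allow=()):
        self.ftp_alg = ftp_alg                      # emulate "fixup protocol ftp"?
        self.inbound_allow = set(inbound_allow)     # explicit (dst_ip, dst_port) allow rules
        self.established: set[Flow] = set()         # state table
        self.pinholes: set[Flow] = set()            # dynamic one-shot inbound permits

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def new_connection(self, f: Flow) -> bool:
        """Decide a SYN. Outbound is allowed; inbound is default deny unless an
        explicit rule or an ALG pinhole matches."""
        if self.is_inside(f.src) and not self.is_inside(f.dst):
            self.established.add(f)
            return True
        if (f.dst, f.dport) in self.inbound_allow or f in self.pinholes:
            self.pinholes.discard(f)                # a pinhole is consumed once
            self.established.add(f)
            return True
        return False

    def control_data(self, f: Flow, payload: str) -> None:
        """ALG: inspect client->server data on an established FTP control channel."""
        if not self.ftp_alg or f not in self.established or f.dport != 21:
            return
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", payload.strip())
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Only open a pinhole back to the client that issued the command, from the
        # server's data port; a PORT naming some other inside host is ignored.
        if ip == f.src:
            self.pinholes.add(Flow(f.dst, 20, ip, port))


def active_ftp(alg: bool) -> bool:
    """Inside client, active mode: does the server's inbound data connection get through?"""
    fw = Firewall(ftp_alg=alg)
    ctl = Flow("10.0.0.5", 40000, "203.0.113.10", 21)
    fw.new_connection(ctl)                          # outbound control channel: allowed
    fw.control_data(ctl, "PORT 10,0,0,5,4,1\r\n")   # client listens on 4*256+1 = 1025
    data = Flow("203.0.113.10", 20, "10.0.0.5", 1025)
    return fw.new_connection(data)                  # inbound, server-initiated


def passive_ftp(alg: bool) -> bool:
    """Inside client, passive mode: server answered 227 (...,200,10), i.e. port 51210."""
    fw = Firewall(ftp_alg=alg)
    fw.new_connection(Flow("10.0.0.5", 40001, "203.0.113.10", 21))
    data = Flow("10.0.0.5", 40002, "203.0.113.10", 200 * 256 + 10)
    return fw.new_connection(data)                  # outbound, client-initiated


def spoofed_port_opens_nothing() -> bool:
    """ALG caveat: a PORT naming a different inside host must not open a pinhole."""
    fw = Firewall(ftp_alg=True)
    ctl = Flow("10.0.0.5", 40003, "203.0.113.10", 21)
    fw.new_connection(ctl)
    fw.control_data(ctl, "PORT 10,0,0,9,0,25\r\n")  # names 10.0.0.9:25, not the client
    return not fw.new_connection(Flow("203.0.113.10", 20, "10.0.0.9", 25))


def inbound_ftp_server_active() -> bool:
    """Greg's case: an inside FTP server needs an explicit allow for 21; its active-mode
    data connection from port 20 is outbound and passes on its own."""
    fw = Firewall(ftp_alg=False, inbound_allow={("10.0.0.21", 21)})
    ctl_ok = fw.new_connection(Flow("198.51.100.7", 50000, "10.0.0.21", 21))
    data_ok = fw.new_connection(Flow("10.0.0.21", 20, "198.51.100.7", 50001))
    return ctl_ok and data_ok


if __name__ == "__main__":
    print("active, no ALG :", active_ftp(False))   # False: inbound data SYN denied
    print("active, ALG    :", active_ftp(True))    # True: pinhole from PORT
    print("passive        :", passive_ftp(False))  # True: both connections outbound
```

Running the scenarios shows the thread's point in one place: without the ALG the active-mode data connection is dropped by the inbound default deny, with it the PORT-derived pinhole admits exactly that one connection, and passive mode never needed help. The `spoofed_port_opens_nothing` check is the caveat to keep in mind when relying on an ALG: it must only open pinholes toward the client that issued the command. Note also that an external client talking to the inside server in passive mode would need either ALG inspection of the server's 227 reply or an inbound allow for the server's passive port range, which is more than the "20 and 21" rules alone cover.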