Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 13 May 2005 16:44:28 -0400

On Fri, 13 May 2005 16:29:44 EDT, "Scholz, Greg" said:
> Active FTP will fail.  You will either need to allow for it or have
> users use passive FTP.
>
> It is my understanding that many modern firewalls account for these
> behaviors.  For example the Cisco Pix "fixup protocol ftp" (on by
> default in Cisco) command allows active FTP initiated from internal
> clients to outside servers to function when a default inbound deny
> exists.  Of course for inbound FTP you need rules that allow 20 and 21.

Of course, the firewall can only do fixups on those protocols that it knows
about.  It can fixup FTP - that's a 2 decade old protocol.  Can it fix NetMeeting?
Other H.163 applications?  Do you have any Vonage users that are expecting that
they can receive calls?  And what's the *next* "killer app" that won't work
through that firewall?

Another way to look at it - do you still believe in the original "end-to-end"
concept that made the Internet what it is, or are you about to go off into
the "Walled Garden" model of communications?

And although "Walled Garden" may be acceptable at a corporation, how do you
sell it politically at a university or college?
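The mechanism the two posts argue over, as an added illustration that is not part of the thread and not Cisco's implementation: a toy inbound-default-deny border filter with an FTP "fixup". It watches the outbound control channel for a PORT command, opens a one-shot pinhole for the server's data connection back to the advertising client, and otherwise denies everything inbound that no static rule covers. The addresses, the port numbers and the VoIP case are constructed; the static allow of 20 and 21 for a public FTP server follows the quoted post.

```python
import re

# Matches an FTP PORT command, "PORT h1,h2,h3,h4,p1,p2" (RFC 959 format).
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port(line):
    """Return the (host, port) a PORT command advertises, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


class InboundDenyFirewall:
    """Toy border firewall: inbound connections are denied unless a static
    rule or a dynamically learned FTP pinhole allows them (hypothetical)."""

    def __init__(self, ftp_fixup=True):
        self.ftp_fixup = ftp_fixup
        self.static_rules = set()   # (dst_ip, dst_port) allowed inbound
        self.pinholes = set()       # (src_ip, src_port, dst_ip, dst_port)

    def allow_inbound(self, dst_ip, dst_port):
        self.static_rules.add((dst_ip, dst_port))

    def inspect_outbound(self, src_ip, dst_ip, dst_port, payload):
        """Watch outbound FTP control traffic; when the internal client
        sends PORT, open a one-shot pinhole for the server's data connection."""
        if not self.ftp_fixup or dst_port != 21:
            return                      # unknown protocol: nothing to fix up
        parsed = parse_port(payload)
        if parsed is None:
            return
        host, port = parsed
        # Only honour a PORT naming the client itself: a pinhole to any
        # other address would let the server reach a third party.
        if host != src_ip:
            return
        self.pinholes.add((dst_ip, 20, host, port))

    def inbound_allowed(self, src_ip, src_port, dst_ip, dst_port):
        if (dst_ip, dst_port) in self.static_rules:
            return True
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)  # one-shot: consumed on first use
            return True
        return False


def demo():
    """Run the scenarios from the thread; all addresses are constructed."""
    client, server = "10.0.0.5", "198.51.100.7"
    results = {}
    # Internal client does active FTP to an outside server, with and
    # without the fixup. PORT 10,0,0,5,4,1 advertises 10.0.0.5:1025.
    for fixup in (True, False):
        fw = InboundDenyFirewall(ftp_fixup=fixup)
        fw.inspect_outbound(client, server, 21, "PORT 10,0,0,5,4,1\r\n")
        results["fixup_on" if fixup else "fixup_off"] = fw.inbound_allowed(
            server, 20, client, 1025)
    # An inbound call to a VoIP client on 5060 is not a protocol this
    # firewall understands, so default deny wins regardless of the fixup.
    results["voip_call_in"] = fw.inbound_allowed(server, 5060, client, 5060)
    # A public FTP server needs static rules for 21 and 20; other ports
    # stay closed.
    fw = InboundDenyFirewall()
    srv = "10.0.0.21"
    fw.allow_inbound(srv, 21)
    fw.allow_inbound(srv, 20)
    results["public_ftp_21"] = fw.inbound_allowed("203.0.113.9", 40000, srv, 21)
    results["public_ftp_22"] = fw.inbound_allowed("203.0.113.9", 40001, srv, 22)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Passive FTP needs none of this: the client opens the data connection outbound, so the inbound policy never sees it. The VoIP case is the point of the reply above: an inspection engine can only punch holes for protocols it parses, and everything else inbound simply dies at the default deny.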

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
