Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 13 May 2005 16:44:28 -0400
On Fri, 13 May 2005 16:29:44 EDT, "Scholz, Greg" said:
> Active FTP will fail. You will either need to allow for it or have users use passive FTP.
>
> It is my understanding that many modern firewalls account for these behaviors. For example the Cisco PIX "fixup protocol ftp" (on by default in Cisco) command allows active FTP initiated from internal clients to outside servers to function when a default inbound deny exists. Of course for inbound FTP you need rules that allow 20 and 21.
Of course, the firewall can only do fixups on those protocols that it knows about. It can fixup FTP - that's a 2 decade old protocol. Can it fix NetMeeting? Other H.163 applications? Do you have any Vonage users that are expecting that they can receive calls? And what's the *next* "killer app" that won't work through that firewall?

Another way to look at it - do you still believe in the original "end-to-end" concept that made the Internet what it is, or are you about to go off into the "Walled Garden" model of communications? And although "Walled Garden" may be acceptable at a corporation, how do you sell it politically at a university or college?

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
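The mechanism the two messages above are arguing about (a default-deny inbound policy, an FTP "fixup" that watches the outbound control channel for PORT commands and opens a one-shot pinhole for the server's data connection, and the fact that nothing similar happens for a protocol the firewall does not understand) can be shown with a small model. The code below is an added illustration written for this archive page; it is not code from any list member and not Cisco's implementation. The Firewall class, the 10.0.0.0/24 "inside" prefix, and the 198.51.100.7 / 203.0.113.9 addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed toy model (not the thread's or Cisco's code): a stateful firewall
# with default-deny inbound plus an optional FTP ALG ("fixup protocol ftp").
INSIDE_PREFIX = "10.0.0."          # assumed campus-side address range

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" with port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_port_command(line):
    """Return (ip, port) for a PORT command line, or None if it is not one
    or any of its six fields is out of byte range."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class Firewall:
    def __init__(self, ftp_fixup):
        self.ftp_fixup = ftp_fixup     # whether the FTP ALG is enabled
        self.static_rules = set()      # (dst_ip, dst_port) allowed inbound by policy
        self.pinholes = set()          # (src_ip, dst_ip, dst_port) opened by the ALG
        self.outbound = set()          # established outbound control connections

    def allow_inbound(self, ip, port):
        """Static rule, e.g. port 21 to an internal FTP server."""
        self.static_rules.add((ip, port))

    def connect(self, flow):
        """Decide whether a new connection (SYN) is permitted."""
        if flow.src_ip.startswith(INSIDE_PREFIX):
            self.outbound.add(flow)    # inside -> outside is always allowed
            return True
        if (flow.dst_ip, flow.dst_port) in self.static_rules:
            return True
        key = (flow.src_ip, flow.dst_ip, flow.dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key) # pinhole is consumed by one data connection
            return True
        return False                   # default deny for everything else inbound

    def inspect_control(self, flow, line):
        """ALG hook: look at a line the inside client sent on an FTP control
        channel and pre-authorise the matching inbound data connection."""
        if not self.ftp_fixup or flow not in self.outbound or flow.dst_port != 21:
            return
        parsed = parse_port_command(line)
        # Only honour a PORT whose address is the client's own: a PORT naming
        # some other host would otherwise let the ALG open a hole to a third party.
        if parsed and parsed[0] == flow.src_ip:
            self.pinholes.add((flow.dst_ip, parsed[0], parsed[1]))

def active_ftp_scenario(fixup):
    """Inside client, active mode: server must connect back from port 20."""
    fw = Firewall(ftp_fixup=fixup)
    ctl = Flow("10.0.0.5", 40000, "198.51.100.7", 21)
    fw.connect(ctl)
    fw.inspect_control(ctl, "PORT 10,0,0,5,156,65\r\n")   # 156*256+65 = 40001
    return fw.connect(Flow("198.51.100.7", 20, "10.0.0.5", 40001))

def passive_ftp_scenario(fixup):
    """Inside client, passive mode: client opens the data connection itself."""
    fw = Firewall(ftp_fixup=fixup)
    fw.connect(Flow("10.0.0.5", 40000, "198.51.100.7", 21))
    # server answered "227 Entering Passive Mode (198,51,100,7,195,80)" -> 50000
    return fw.connect(Flow("10.0.0.5", 40002, "198.51.100.7", 195 * 256 + 80))

def inbound_ftp_server_scenario():
    """External client to an inside FTP server needs an explicit static rule."""
    fw = Firewall(ftp_fixup=True)
    before = fw.connect(Flow("203.0.113.9", 51000, "10.0.0.8", 21))
    fw.allow_inbound("10.0.0.8", 21)
    after = fw.connect(Flow("203.0.113.9", 51001, "10.0.0.8", 21))
    return before, after

def unknown_protocol_scenario(fixup):
    """An unsolicited inbound call setup for a protocol the ALG does not
    understand: no rule, no pinhole, so it is dropped either way."""
    fw = Firewall(ftp_fixup=fixup)
    return fw.connect(Flow("203.0.113.9", 5060, "10.0.0.5", 5060))

if __name__ == "__main__":
    print("active FTP, no fixup :", active_ftp_scenario(False))
    print("active FTP, fixup    :", active_ftp_scenario(True))
    print("passive FTP, no fixup:", passive_ftp_scenario(False))
    print("inbound FTP server   :", inbound_ftp_server_scenario())
    print("unknown protocol     :", unknown_protocol_scenario(True))
```

The model makes the three positions in the thread concrete: active FTP from inside clients fails under default deny unless the ALG reads PORT and opens a pinhole, passive FTP needs no help because the client originates both connections, an inside server needs the static allow for 21, and an inbound connection for any protocol the firewall has no fixup for is simply denied, which is Valdis's point about the next application nobody has written a fixup for yet.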
Current thread:
- Inbound Default Deny Policy at Internet Border Gary Flynn (May 13)
- <Possible follow-ups>
- Re: Inbound Default Deny Policy at Internet Border Daniel Adinolfi (May 13)
- Re: Inbound Default Deny Policy at Internet Border Scholz, Greg (May 13)
- Re: Inbound Default Deny Policy at Internet Border Daniel Adinolfi (May 13)
- Re: Inbound Default Deny Policy at Internet Border Valdis Kletnieks (May 13)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 13)
- Re: Inbound Default Deny Policy at Internet Border Daniel Medina (May 13)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 15)
- Re: Inbound Default Deny Policy at Internet Border Jeffrey I. Schiller (May 15)
- Re: Inbound Default Deny Policy at Internet Border Michael Sinatra (May 15)
- Re: Inbound Default Deny Policy at Internet Border Brawner, David (May 16)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 16)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 16)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 16)
- Re: Inbound Default Deny Policy at Internet Border Graham Toal (May 16)
(Thread continues...)