Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Daniel Medina <medina () COLUMBIA EDU>
Date: Fri, 13 May 2005 21:35:41 -0400

On Fri, May 13, 2005 at 06:37:12PM -0400, Gary Flynn wrote:
> I also believe today's threat environment makes shutting
> down unnecessary communications channels prudent. If
> someone wants something, we can open it. In the meantime,
> the 90+% of the people that don't aren't exposed to,
> well, you know. It shifts the responsibility to the
> people who want to assume the additional risk rather
> than exposing those who don't.
>
> How many people still believe in end-to-end MSRPC/Netbios
> over the Internet? Or Oracle listener? The vendors'
> own documentation recommends against it.

 If only the applications providers limited their exposure with some
intelligent defaults, assuming that "90% of the people" don't want it,
and they know it, since they've documented it.

 That would be a lot nicer than breaking end-to-end connectivity one
port at a time.

> Those dozens of postgres, mysql, ssh, remote desktop, WS-FTP,
> and VNC servers without need of Internet exposure aren't
> exposed.

 A big switch is needed on the apps:

   Option A: Local access only (default)
   Option B: Allow all (choosing this option allows anyone to connect.
             No really.  Everyone.  And they will)

Then the users who want their global servers don't need to bother you,
and the other 90% are content.

--
Daniel Medina
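
The "Option A / Option B" distinction above is, on a host, the difference between a service bound to loopback and one bound to every interface. As an added example (not from the thread or its authors), this Python script reads the text output of Linux `ss -tlnp`, classifies each listener, and reports which of the services named in the discussion are not restricted to local access. The `ss` sample is constructed, and the port-to-service table assumes the standard default ports.

```python
# Added example (not from the thread): flag listeners bound to every
# interface ("Allow all") instead of loopback ("Local access only").
# Input is the text output of `ss -tlnp` on Linux; the sample is constructed.
import re
# Default ports of the services named in the thread (assumed standard).
SERVICE_PORTS = {22: "ssh", 135: "msrpc", 139: "netbios", 445: "smb",
                 1521: "oracle", 3306: "mysql", 3389: "rdp",
                 5432: "postgres", 5900: "vnc"}
LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "*", "::"}

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      80     *:3306             *:*               users:(("mysqld",pid=1340,fd=21))
LISTEN 0      5      [::]:5900          [::]:*            users:(("Xvnc",pid=2210,fd=7))
LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=600,fd=6))
"""
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")

def split_local_address(field):
    """'0.0.0.0:22', '*:3306', '[::]:5900' or '[::1]:631' -> (address, port)."""
    m = _ADDR_RE.match(field)
    if not m:
        raise ValueError(f"unrecognised address field: {field!r}")
    addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
    return addr, int(m.group("port"))

def classify_listeners(ss_output):
    """(process, address, port, exposure) per LISTEN line; exposure is
    'local' (loopback), 'all' (wildcard) or 'interface' (one specific IP)."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, port = split_local_address(parts[3])
        exposure = ("local" if addr in LOOPBACK
                    else "all" if addr in WILDCARD else "interface")
        proc = re.search(r'\(\("([^"]+)"', line)   # process name from users:((...))
        name = proc.group(1) if proc else SERVICE_PORTS.get(port, "unknown")
        findings.append((name, addr, port, exposure))
    return findings

def exposed_services(ss_output=SAMPLE_SS):
    """The thread's services not restricted to loopback (what 'Option A' would hide)."""
    return [f for f in classify_listeners(ss_output)
            if f[2] in SERVICE_PORTS and f[3] != "local"]
```

On the constructed sample, sshd, mysqld and Xvnc are reported as bound to all interfaces, while postgres (loopback) and cupsd (loopback, and not in the list) are not.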

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
