Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Daniel Medina <medina () COLUMBIA EDU>
Date: Fri, 13 May 2005 21:35:41 -0400
On Fri, May 13, 2005 at 06:37:12PM -0400, Gary Flynn wrote:
> I also believe today's threat environment makes shutting down unnecessary communications channels prudent. If someone wants something, we can open it. In the meantime, the 90+% of the people that don't aren't exposed to, well, you know. It shifts the responsibility to the people who want to assume the additional risk rather than exposing those who don't. How many people still believe in end to end MSRPC/Netbios over the Internet? Or Oracle listener? The vendors' own documentation recommends against it.
If only the application providers limited their exposure with some intelligent defaults, assuming that "90% of the people" don't want it, and they know it, since they've documented it. That would be a lot nicer than breaking end-to-end connectivity one port at a time.
Those dozens of postgres, mysql, ssh, remote desktop, WS-FTP, and VNC servers without need of Internet exposure aren't exposed.
A big switch is needed on the apps:

Option A: Local access only (default)
Option B: Allow all (choosing this option allows anyone to connect. No really. Everyone. And they will)

Then the users who want their global servers don't need to bother you, and the other 90% are content.

-- Daniel Medina
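As an added example, not part of this thread or of any of the applications named in it: a small audit that applies the "local access only" versus "allow all" distinction to a listening-socket listing, so an administrator can see which of the services mentioned above are bound to a wildcard address. The `ss -ltn` column layout, the port-to-service mapping, and the sample listing are assumptions constructed for the example.

```python
"""Audit listening sockets for the 'local access only' default.

Parses `ss -ltn`-style output (a constructed sample is embedded below) and
reports, for well-known database/remote-access ports, whether the service is
listening on loopback only or on a wildcard address (exposed to everyone).
"""
from typing import Dict, List, Tuple

# Services named in the thread; the port numbers are the assumed defaults.
WELL_KNOWN: Dict[int, str] = {
    21: "ftp", 22: "ssh", 3306: "mysql", 5432: "postgres",
    3389: "remote desktop", 5900: "vnc",
}

WILDCARD = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the column layout of `ss -ltn`.
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       80      *:3306              *:*
LISTEN  0       5       [::]:5900           [::]:*
LISTEN  0       128     [::1]:3389          [::]:*
"""


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs for every LISTEN line in the listing."""
    out = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses intact: "[::]:5900".
        addr, _, port = cols[3].rpartition(":")
        out.append((addr, int(port)))
    return out


def classify(addr: str) -> str:
    """Option A ('local-only'), Option B ('allow-all'), or a specific interface."""
    if addr in WILDCARD:
        return "allow-all"
    if addr in LOOPBACK:
        return "local-only"
    return "specific"


def exposed_services(text: str) -> Dict[str, str]:
    """Map service name -> exposure class for well-known ports in the listing."""
    return {WELL_KNOWN[port]: classify(addr)
            for addr, port in parse_listeners(text) if port in WELL_KNOWN}
```

Run it against real `ss -ltn` output to get the list of services that would need an explicit "allow all" decision before the border policy opens anything for them.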