Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Sun, 15 May 2005 22:01:14 -0700

Gary Flynn wrote:
> We're looking at implementing a default deny
> inbound policy at our Internet border this
> summer.
>
> Anyone have any concerns or experiences they
> would like to share?

I don't really believe that a default-deny policy has a place at the
_border_ of a research university.  It may make sense at certain
administrative department boundaries (which gives you a smaller
vulnerability perimeter anyway) where there might be sensitive data.
But where the mission is research and innovation, I just can't accept
that we're doing anyone (even ourselves) a favor by blocking ports at
the border.  Between the number of exceptions that inevitably gets
requested and the general permeability of the physical boundaries of a
college campus, in the end the risk reduction of such a policy becomes
substantially weakened.  I don't think such weak risk reduction trumps
the innovation-restricting and general inconvenience (equalling lost
productivity and increased costs) that such a policy imposes.  But I
recognize the diversity of institutions on this list, and encourage you
to think about how such a policy supports or clashes with your
institution's mission.

michael

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
