Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: "Brawner, David" <dbrawner () MARYVILLE EDU>
Date: Mon, 16 May 2005 08:35:03 -0500

At Maryville University of St. Louis, we have had a default deny policy
in place both inbound and outbound for more than 2 years.  It has saved
our skins more than once.  We occasionally have an application that
requires us to investigate and open a port, but they are few and far
between after the first 3-4 weeks of use.

I know that I sleep well with the policy in place, and we have not had a
single warning from our ISP about any of our addresses port scanning,
spreading viruses, causing DDOS attacks, or "being a bad Internet
neighbor".  The policy also makes it that much harder for spyware and
viruses to spread onto our campus through our Internet connection.

The political fallout was short-lived.  We had a handful of urgent
requests at the beginning (again, within the first 3-4 weeks) and then
things settled down and have run smoothly.

Obviously, I would encourage you to go forward with a default deny
policy.  Good luck!

David S. Brawner
Manager of Network & User Services
Maryville University of Saint Louis
 

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Friday, May 13, 2005 2:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inbound Default Deny Policy at Internet Border

We're looking at implementing a default deny inbound policy at our
Internet border this summer.

Anyone have any concerns or experiences they would like to share?

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
