Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Cal Frye <cjf () CALFRYE COM>
Date: Mon, 16 May 2005 12:01:37 -0400
John Kristoff wrote:
> On Mon, 16 May 2005 10:04:17 -0400 Gary Flynn <flynngn () JMU EDU> wrote:
>> It wouldn't restrict innovation because the connectivity would be available for the asking. But that convenience vs security thing would definitely be an issue.
>
> In the short term it will, but you're right in the long term it may not, but not because people will ask for connectivity. As one may remember when users wanted freedom from the glass house, PCs appeared. When users wanted remote connectivity to those PCs, modems appeared on the desktops.
Depends on how it is advertised. We had a lot of "interesting" IRC traffic. Investigation showed trojaned systems whose owners didn't know what "IRC" was. I am currently blocking IRC with our Packetshaper (not port-specific), while maintaining a list of hosts permitted to use IRC and evade the block. How does one get on the list? Ask, and ye shall receive. If you know enough to ask, I assume you are more likely to know what you're doing -- and in this case, that's good enough.

I monitor the list of systems being blocked, as this is a good sign of infections -- every time we find someone needing a good scrubbing.

I hold that this sort of policy is a very good thing if you actively monitor what's being denied as yet another view into the health of your network.

I wonder how those modems are going to get along with IP phones...?

--
Cal Frye, Network Administrator, Oberlin College
www.ouuf.org, www.calfrye.com
GnuPG ID 43061C16, Public key http://www.calfrye.com/cfrye.asc

"To announce that there must be no criticism of the President, or that we are to stand by the President right or wrong, is not only unpatriotic and servile, but morally treasonable to the American public." -- Theodore Roosevelt.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
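
The practice described in the message above, reviewing what the IRC block denies in order to find infected hosts, sketched as an added example that is not part of the original post. The record layout, addresses, exempt list and repeat threshold are constructed assumptions, not a PacketShaper export format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records (not real traffic, not a PacketShaper export format):
# time, internal source, external destination, dest port, traffic class, action
SAMPLE_LOG = """\
2005-05-16T03:12:07,10.20.4.17,198.51.100.23,6667,IRC,blocked
2005-05-16T03:17:09,10.20.4.17,198.51.100.23,6667,IRC,blocked
2005-05-16T03:22:11,10.20.4.17,203.0.113.80,8080,IRC,blocked
2005-05-16T09:40:02,10.20.9.5,192.0.2.44,6667,IRC,allowed
2005-05-16T10:05:30,10.20.7.88,192.0.2.44,6697,IRC,blocked
2005-05-16T10:06:00,10.20.7.88,192.0.2.10,80,HTTP,allowed
2005-05-16T11:00:00,10.20.9.6,192.0.2.44,6667,IRC,blocked
"""

# Hosts whose owners asked for IRC access (hypothetical addresses).
EXEMPT = {"10.20.9.5", "10.20.9.6"}

def blocked_irc_report(log_text, exempt, repeat_threshold=3):
    """Return (candidates, misapplied) from blocked IRC flows.

    candidates: non-exempt hosts, busiest first; misapplied: exempt hosts blocked anyway.
    """
    count = defaultdict(int)
    dests = defaultdict(set)
    for _ts, src, dst, _port, tclass, action in csv.reader(StringIO(log_text)):
        # Key on the classifier's verdict, not the port: the block is not port-specific.
        if tclass == "IRC" and action == "blocked":
            count[src] += 1
            dests[src].add(dst)
    candidates = [
        {"host": h, "blocked": n, "destinations": len(dests[h]),
         # Repeated attempts suggest software retrying unattended (assumed threshold).
         "repeated": n >= repeat_threshold}
        for h, n in count.items() if h not in exempt
    ]
    candidates.sort(key=lambda c: (-c["blocked"], c["host"]))
    misapplied = sorted(h for h in count if h in exempt)
    return candidates, misapplied

if __name__ == "__main__":
    hosts, misapplied = blocked_irc_report(SAMPLE_LOG, EXEMPT)
    for h in hosts:
        print(h["host"], h["blocked"], h["destinations"], h["repeated"])
    print("exempt but blocked:", misapplied)
```

The second return value catches a different problem: a host on the exempt list that is still being blocked means the exemption is not applied as intended.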