Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Cal Frye <cjf () CALFRYE COM>
Date: Mon, 16 May 2005 12:01:37 -0400

John Kristoff wrote:
On Mon, 16 May 2005 10:04:17 -0400
Gary Flynn <flynngn () JMU EDU> wrote:

It wouldn't restrict innovation because the connectivity would
be available for the asking. But that convenience vs security
thing would definitely be an issue.

In the short term it will, but you're right in the long term it may
not, but not because people will ask for connectivity.  As one may
remember when users wanted freedom from the glass house, PCs appeared.
When users wanted remote connectivity to those PCs, modems appeared
on the desktops.

Depends on how it is advertised. We had a lot of "interesting" IRC traffic.
Investigation showed trojaned systems whose owners didn't know what "IRC" was. I
am currently blocking IRC with our Packetshaper (not port-specific), while
maintaining a list of hosts permitted to use IRC and evade the block. How does
one get on the list? Ask, and ye shall receive. If you know enough to ask, I
assume you are more likely to know what you're doing -- and in this case, that's
good enough.

I monitor the list of systems being blocked, as this is a good sign of infections
-- every time we find someone needing a good scrubbing. I hold that this sort of
policy is a very good thing if you actively monitor what's being denied as yet
another view into the health of your network.

I wonder how those modems are going to get along with IP phones...?

--Cal Frye, Network Administrator, Oberlin College
 www.ouuf.org, www.calfrye.com
GnuPG ID 43061C16, Public key http://www.calfrye.com/cfrye.asc

  "To announce that there must be no criticism of the President, or that we are
to stand by the President right or wrong, is not only unpatriotic and servile,
but morally treasonable to the American public." -- Theodore Roosevelt.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
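The policy Cal describes above (classify IRC by what the traffic looks like rather than by port, let hosts on an allowlist through, and watch which hosts keep getting denied) is sketched below as an added Python example. It is not Cal's Packetshaper configuration or any vendor's code; the IRC command heuristic, the 10.x/RFC 5737 addresses, the allowlist and the sample flows are all constructed for illustration.

```python
"""Added example (not from the original post): payload-based IRC blocking
with an allowlist, plus a tally of repeatedly-denied hosts as an infection
signal. All addresses, flows and the allowlist below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Client-to-server IRC commands at the start of a line. Matching on
# command syntax rather than on TCP/6667 is what makes the block
# "not port-specific": a trojan talking IRC on 8080 is still caught.
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS|PING|PONG|MODE)\b",
                     re.MULTILINE)


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # external peer
    dport: int      # destination port (deliberately NOT used for the decision)
    payload: bytes  # first bytes the client sent


def looks_like_irc(payload: bytes) -> bool:
    """True when at least two distinct IRC commands open lines in the
    payload. One lone 'USER' or 'PING' line is too weak on its own; a
    NICK/USER registration pair is what a bot sends on connect."""
    cmds = {m.group(1) for m in IRC_CMD.finditer(payload)}
    return len(cmds) >= 2


def decide(flow: Flow, allowlist: frozenset) -> str:
    """Return 'pass' (not IRC), 'permit-irc' (IRC from an allowlisted host)
    or 'block-irc' (IRC from anyone else). Ask, and ye shall receive:
    getting onto the allowlist is the only way through."""
    if not looks_like_irc(flow.payload):
        return "pass"
    return "permit-irc" if flow.src in allowlist else "block-irc"


def suspects(flows, allowlist: frozenset, threshold: int = 3) -> dict:
    """Hosts denied IRC at least `threshold` times. A host that keeps
    retrying its C2 server after being blocked is a scrubbing candidate;
    a single stray hit is usually noise."""
    denied = Counter(f.src for f in flows
                     if decide(f, allowlist) == "block-irc")
    return {host: n for host, n in denied.items() if n >= threshold}


# Constructed allowlist: the one host whose owner asked for IRC.
ALLOWLIST = frozenset({"10.1.5.20"})

BOT_HELLO = b"NICK x0r-4421\r\nUSER x0r 0 * :x0r\r\nJOIN #sploit\r\n"
HUMAN_HELLO = b"NICK cal\r\nUSER cal 0 * :Cal\r\n"
HTTP_HELLO = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"

# Constructed sample flows. 10.1.9.44 talks IRC on port 8080 three times,
# 10.1.7.3 once on the standard port, 10.1.5.20 is allowlisted.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "198.51.100.7", 6667, HUMAN_HELLO),
    Flow("10.1.9.44", "203.0.113.9", 8080, BOT_HELLO),
    Flow("10.1.9.44", "203.0.113.9", 8080, BOT_HELLO),
    Flow("10.1.9.44", "198.51.100.22", 80, HTTP_HELLO),
    Flow("10.1.9.44", "203.0.113.9", 8080, BOT_HELLO),
    Flow("10.1.7.3", "198.51.100.7", 6667, BOT_HELLO),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  {decide(f, ALLOWLIST)}")
    print("hosts needing a scrubbing:", suspects(SAMPLE_FLOWS, ALLOWLIST))
```

Run as written it prints one decision per flow and then `{'10.1.9.44': 3}`; the allowlisted host and the one-off hit on 10.1.7.3 are not reported. The threshold is the knob that turns "what's being denied" into a usable health view: set it too low and every curious student shows up, too high and a chatty bot hides among them.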
