Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Graham Toal <gtoal () UTPA EDU>
Date: Mon, 16 May 2005 09:34:15 -0500
Gary Flynn wrote:
> We're looking at implementing a default deny inbound policy at our Internet border this summer. Anyone have any concerns or experiences they would like to share?
We instituted a default deny for the majority of ports a couple of years ago, but left a few key ports open to any address - primarily ssh, http, https, ftp, telnet, and M$ remote desktop. The original change was readily accepted - somewhat to my surprise, as I had been willing to back down if it hadn't gone well - and we're now at the stage where I would like to do the same for some of the remaining ports.

For example, we now have ssh on most of the systems which need console access, and the few left which are telnet only are ones I'd rather not have facing the public anyway (mostly printers, routers and switches). I'm thinking about creating an ssh->telnet gateway for legitimate access to those devices that only offer telnet, if our networking guys ask for it.

We also have a legal requirement to have a DMCA notice on all our web sites, and by switching ports 80 and 443 to deny by default, we have a mechanism to enforce that policy. (Caveat: this is pending approval from above...)

Deny by default has saved us big time on worms (SQL, M$ ports) and direct-smtp-based email viruses. I do appreciate the argument that academia has different requirements from industry, but protecting our infrastructure is common to both.

The way we handle the objection someone raised about 'what if a student project requires full access' is that we *give that student project* full access. But not *every* student in the University on the off chance that they need it - that way lies a sewer of p2p file sharing and DMCA takedown notices.

On average we have 1 or 2 requests per month for firewall holes, and we routinely grant them. It's actually useful to have this as one of our checks & balances because frequently the request for a firewall hole is the first time we hear of a new system, and it gives us an opportunity to do a risk assessment for our users.
Graham

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
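The policy the message above describes, as an added example that is not part of the original post or of UTPA's own tooling: a small model of an inbound default-deny border with a short open-to-any port list and per-host "firewall holes", used to preview which hosts would lose service if 80/443 were moved to deny-by-default before the change reaches the border router. The campus range 192.0.2.0/24 (documentation space), the hosts and the hole list are all constructed.

```python
# Added example (not from the original post or UTPA): a model of the inbound
# default-deny policy the message describes, used to preview what moving
# 80/443 to deny-by-default would do before touching the border router.
# Campus range 192.0.2.0/24 (documentation space) and all hosts are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    dst: str          # campus host the packet is addressed to
    port: int         # destination TCP port
    new: bool = True  # True: connection attempt from outside; False: reply to an outbound session


@dataclass
class BorderPolicy:
    campus: str                                # CIDR of the address space behind the border
    open_to_any: set                           # ports still reachable on every campus host
    holes: dict = field(default_factory=dict)  # host -> ports approved on request

    def grant_hole(self, host: str, port: int, dmca_notice: bool = False) -> None:
        """Record an approved exception. A web hole is granted only once the site
        carries the required DMCA notice: that is what makes deny-by-default on
        80/443 an enforcement point for the policy rather than just a filter."""
        if port in (80, 443) and not dmca_notice:
            raise ValueError(f"{host}:{port} refused: DMCA notice not confirmed")
        self.holes.setdefault(host, set()).add(port)

    def decide(self, f: Flow) -> str:
        """Evaluate rules in order; anything not explicitly matched is denied."""
        if ip_address(f.dst) not in ip_network(self.campus):
            return "deny"                # not our address space
        if not f.new:
            return "accept-established"  # replies to outbound sessions always pass
        if f.port in self.open_to_any:
            return "accept-any"
        if f.port in self.holes.get(f.dst, set()):
            return "accept-hole"
        return "deny"


def preview_web_closure(policy: BorderPolicy, flows: list) -> dict:
    """Close 80/443 to any address (mutates policy) and return
    {(dst, port): (before, after)} for every flow whose decision changes."""
    before = {(f.dst, f.port): policy.decide(f) for f in flows}
    policy.open_to_any -= {80, 443}
    after = {(f.dst, f.port): policy.decide(f) for f in flows}
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}
```

Hosts whose web service flips from "accept-any" to "deny" in the preview are the ones that still need a hole (and a DMCA notice) before the change goes live; a flip to "accept-hole" means the exception process already covers them.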