Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Mon, 16 May 2005 10:05:11 -0700
Gary Flynn wrote:

> Michael Sinatra wrote:
>
>> Gary Flynn wrote:
>>
>>> We're looking at implementing a default deny inbound policy at our Internet border this summer. Anyone have any concerns or experiences they would like to share?
>>
>> I don't really believe that a default-deny policy has a place at the _border_ of a research university. It may make sense at certain administrative department boundaries (which gives you a smaller vulnerability perimeter anyway) where there might be sensitive data. But where the mission is research and innovation, I just can't accept that we're doing anyone (even ourselves) a favor by blocking ports at the border.
>
> Out of curiosity, do you allow inbound MS-RPC and netbios at your border? SNMP?

No to both. But that's a far cry from a default-deny policy. And I can assure you that my comments are based on our experiences with just these few port blocks. But I also understand the motivation to block; I just don't think the limited effectiveness of such a policy is worth it. I also think it makes more sense to push this down to the department level, and then let people opt in, rather than forcing them to opt out. With the virtualizable (I doubt that's really a word, but...) firewalls being produced by Cisco and NetScreen, that becomes easier to support.

In response to John's point, I think we'll see most near-term innovation directed toward getting around border blocks, via port-80 tunneling, ssh tunneling, IPv6, and end-to-end IPSEC. Terry Gray points out that, in such a world, some sites may take the rather bizarre stance of banning end-to-end encryption, so they can inspect traffic. Sigh.

michael

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.