Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border (fwd)
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Mon, 16 May 2005 23:08:19 -0400
Hi, This was supposed to go to the list, not just me. Joel ------------ Forwarded Message ------------ Date: Monday, May 16, 2005 3:54 PM -0400 From: marchany () vt edu To: Joel Rosenblatt <joel () columbia edu> Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border My .02 worth. 1. The mission of the University is to create an environment where information can be exchanged freely. 2. Deny/All at the border is a short term solution that will cause added paperwork whenever someone wants to do some work that requires a mod to this ACL. How long will it take to get an exception? How long does the exception last? Who's authorized to deny/grant the exception? what's the due process? etc. 3. Deny/All places no responsibility on the end user. It send the message that "we" will take the brunt of your bad practices. There is no incentive for the user to change their habits. 4. It doesn't do much for internal attacks. Possible solutions: 1. create a DENY/Small-subset at the border. Things like inbound 445, 137-9. 2. create a default DENY/ALL for all HOST based firewalls. Let the user open up what's needed. Block pings here if you want. If commercial vulnerability scanners can't scan because of ping blocks, then most of the other bad boy scanners won't either (yeah, I know, good hackers can find you). If everyone blocks pings, the machines that don't are the ones you want to take a closer look and they're easy to find. 3. If a user opens up everything, they'll get hit and hopefully, everyone else will be protected by their default FW rules. The victim's behavior will be modified after a couple of reinstalls. 4. There is no need for creating more paperwork for exception handling. responsibility is where it needs to be ---- at the end user. As IT people, we forget that we are managing "staplers, typewriters, calculators" for real-world people. Dangerous office equipment, mind you, but office equipment to the real world, nonetheless. The more we interfere with the business, the more the business will try to circumvent and that, in the long run, is more dangerous. Why? Because now you have an environment where the outside world (hackers) are trying to set up covert channels and the users are trying to set up covert channels to get around your restrictions. -r. ---------- End Forwarded Message ---------- Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Inbound Default Deny Policy at Internet Border (fwd) Joel Rosenblatt (May 16)
- <Possible follow-ups>
- Re: Inbound Default Deny Policy at Internet Border (fwd) Jon E. Mitchiner (May 17)
- Re: Inbound Default Deny Policy at Internet Border (fwd) Willis Marti (May 17)
- Re: Inbound Default Deny Policy at Internet Border (fwd) Scholz, Greg (May 17)
- Re: Inbound Default Deny Policy at Internet Border (fwd) Valdis Kletnieks (May 17)