Re: Inbound Default Deny Policy at Internet Border (fwd)

["Jon E. Mitchiner" <jon.mitchiner () GALLAUDET EDU>]

Interesting perspective, but I have to disagree with the statements below.

In a building it is normally expected that most rooms and offices will
contain a lock.  My interpretation of the comments below indicates that
there should be no locks, and possibly, no door and it is the user's
responsibility to install them.  Most users do not have carpentry skills.

I believe the responsibility is split both between the user and the IT
team.  IT should be responsible for protecting the network and try to
minimize the chances for a user's computer from being compromised.  The
user is expected to close and lock their windows and doors when they
leave the office.  The same thing applies with their computers, users
should refrain from doing activities that may impact the network, such
as opening questionable e-mail attachments.

The important thing is IT should remain accessible to the users.  If a
user wants to install an application that requires some ports to be open
to their computer from the Internet then IT should make that possible
unless there are reasons why it is not advisable.  This takes far less
time to accomodate the user rather than having someone in IT spending
time to reformat and reinstall the OS and applications for the user.

My experience here so far is majority of the attacks originate outside
of the University.  Occasionally, a students laptop (or computer) gets
compromised when they are off-site and the student brings it into our
network and the malicious activities continue without the user's
knowledge or consent.

Jon

--
Jon E. Mitchiner
Special Projects Manager
ITS, Gallaudet University
(202) 651-5300
(202) 651-5477 (Fax)

Joel Rosenblatt wrote:

> Hi,
>
> This was supposed to go to the list, not just me.
>
> Joel
>
> ------------ Forwarded Message ------------
> Date: Monday, May 16, 2005 3:54 PM -0400
> From: marchany () vt edu
> To: Joel Rosenblatt <joel () columbia edu>
> Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border
>
> My .02 worth.
>
> 1. The mission of the University is to create an environment where
> information  can be exchanged freely.
>
> 2. Deny/All at the border is a short term solution that will cause added
> paperwork whenever someone wants to do some work that requires a mod to
> this  ACL. How long will it take to get an exception? How long does the
> exception  last? Who's authorized to deny/grant the exception? what's the
> due process?  etc.
>
> 3. Deny/All places no responsibility on the end user. It send the message
> that  "we" will take the brunt of your bad practices. There is no
> incentive
> for the  user to change their habits.
>
> 4. It doesn't do much for internal attacks.
>
> Possible solutions:
>
> 1. create a DENY/Small-subset at the border. Things like inbound 445,
> 137-9.
>
> 2. create a default DENY/ALL for all HOST based firewalls. Let the user
> open  up what's needed. Block pings here if you want. If commercial
> vulnerability  scanners can't scan because of ping blocks, then most
> of the
> other bad boy  scanners won't either (yeah, I know, good hackers can find
> you). If everyone  blocks pings, the machines that don't are the ones you
> want to take a closer  look and they're easy to find.
>
> 3. If a user opens up everything, they'll get hit and hopefully, everyone
> else  will be protected by their default FW rules. The victim's behavior
> will be  modified after a couple of reinstalls.
>
> 4. There is no need for creating more paperwork for exception handling.
> responsibility is where it needs to be ---- at the end user.
>
> As IT people, we forget that we are managing "staplers, typewriters,
> calculators" for real-world people. Dangerous office equipment, mind you,
> but  office equipment to the real world, nonetheless. The more we
> interfere
> with  the business, the more the business will try to circumvent and
> that,
> in the  long run, is more dangerous. Why? Because now you have an
> environment where  the outside world (hackers) are trying to set up
> covert
> channels and the users  are trying to set up covert channels to get
> around
> your restrictions.
>
>
>        -r.
>
>
> ---------- End Forwarded Message ----------
>
>
>
> Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.