Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border (fwd)
From: "Jon E. Mitchiner" <jon.mitchiner () GALLAUDET EDU>
Date: Tue, 17 May 2005 08:38:33 -0400
Interesting perspective, but I have to disagree with the statements below. In a building it is normally expected that most rooms and offices will contain a lock. My interpretation of the comments below indicates that there should be no locks, and possibly no door, and it is the user's responsibility to install them. Most users do not have carpentry skills.

I believe the responsibility is split between the user and the IT team. IT should be responsible for protecting the network and trying to minimize the chances of a user's computer being compromised. The user is expected to close and lock their windows and doors when they leave the office. The same thing applies with their computers: users should refrain from doing activities that may impact the network, such as opening questionable e-mail attachments.

The important thing is IT should remain accessible to the users. If a user wants to install an application that requires some ports to be open to their computer from the Internet, then IT should make that possible unless there are reasons why it is not advisable. This takes far less time to accommodate the user than having someone in IT spend time reformatting and reinstalling the OS and applications for the user.

My experience here so far is that the majority of the attacks originate outside of the University. Occasionally, a student's laptop (or computer) gets compromised when they are off-site, and the student brings it into our network and the malicious activities continue without the user's knowledge or consent.

Jon

--
Jon E. Mitchiner
Special Projects Manager
ITS, Gallaudet University
(202) 651-5300
(202) 651-5477 (Fax)

Joel Rosenblatt wrote:
Hi,

This was supposed to go to the list, not just me.

Joel

------------ Forwarded Message ------------
Date: Monday, May 16, 2005 3:54 PM -0400
From: marchany () vt edu
To: Joel Rosenblatt <joel () columbia edu>
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border

My .02 worth.

1. The mission of the University is to create an environment where information can be exchanged freely.
2. Deny/All at the border is a short-term solution that will cause added paperwork whenever someone wants to do some work that requires a mod to this ACL. How long will it take to get an exception? How long does the exception last? Who's authorized to deny/grant the exception? What's the due process? Etc.
3. Deny/All places no responsibility on the end user. It sends the message that "we" will take the brunt of your bad practices. There is no incentive for the user to change their habits.
4. It doesn't do much for internal attacks.

Possible solutions:

1. Create a DENY/Small-subset at the border. Things like inbound 445, 137-9.
2. Create a default DENY/ALL for all HOST-based firewalls. Let the user open up what's needed. Block pings here if you want. If commercial vulnerability scanners can't scan because of ping blocks, then most of the other bad-boy scanners won't either (yeah, I know, good hackers can find you). If everyone blocks pings, the machines that don't are the ones you want to take a closer look at, and they're easy to find.
3. If a user opens up everything, they'll get hit and, hopefully, everyone else will be protected by their default FW rules. The victim's behavior will be modified after a couple of reinstalls.
4. There is no need for creating more paperwork for exception handling. Responsibility is where it needs to be: at the end user.

As IT people, we forget that we are managing "staplers, typewriters, calculators" for real-world people. Dangerous office equipment, mind you, but office equipment to the real world, nonetheless.

The more we interfere with the business, the more the business will try to circumvent, and that, in the long run, is more dangerous. Why? Because now you have an environment where the outside world (hackers) is trying to set up covert channels and the users are trying to set up covert channels to get around your restrictions.

-r.

---------- End Forwarded Message ----------

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
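The two-layer policy in the forwarded message (a small inbound deny list at the border plus default-deny host firewalls) is easiest to reason about with a first-match model. The Python below is an added example, not code from the list or from either author; the port numbers 445 and 137-139 come from the message, while the addresses and the set of user-opened ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # "inside" for campus hosts, otherwise an external address (constructed)
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port, 0 for icmp

# Border ACL from the message: deny only a small inbound subset (445, 137-139);
# first match wins, and the final rule permits everything else.
BORDER_ACL = [
    ("deny", "tcp", {445}),
    ("deny", "tcp", set(range(137, 140))),
    ("deny", "udp", set(range(137, 140))),
    ("permit", "any", None),
]

def border_allows(pkt: Packet) -> bool:
    """Walk the ACL in order and apply the first matching rule."""
    for action, proto, ports in BORDER_ACL:
        if proto != "any" and proto != pkt.proto:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return action == "permit"
    return False  # unreachable because of the final permit, kept as a safe default

def host_allows(pkt: Packet, opened: set) -> bool:
    """Host firewall: default deny; only (proto, port) pairs the user opened pass,
    and pings are dropped as the message suggests."""
    if pkt.proto == "icmp":
        return False
    return (pkt.proto, pkt.dport) in opened

def evaluate(pkt: Packet, opened: set) -> str:
    """Return where the packet is stopped: 'border', 'host' or 'delivered'.
    The border ACL only sees traffic arriving from outside the campus, so an
    internal attack on 445 is stopped (if at all) by the host firewall."""
    if pkt.src != "inside" and not border_allows(pkt):
        return "border"
    if not host_allows(pkt, opened):
        return "host"
    return "delivered"

if __name__ == "__main__":
    opened = {("tcp", 80)}  # constructed: a user who opened only the web port
    for pkt in [Packet("203.0.113.9", "tcp", 445), Packet("203.0.113.9", "tcp", 80),
                Packet("203.0.113.9", "tcp", 22), Packet("inside", "tcp", 445),
                Packet("203.0.113.9", "icmp", 0)]:
        print(pkt, "->", evaluate(pkt, opened))
```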