Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border (fwd)
From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Tue, 17 May 2005 09:46:36 -0400
1. Free exchange of information is not the same as free/uncontrolled access to unintended information. Try setting up servers for each protocol that faculty request, keep strict rules to allow access as intended, and provide a mechanism for faculty to put any content they like out there so the sharing is intentional. App sharing is a little more difficult, but could still be done using secure gateways of some sort or very small "free zones" isolated from the internal network (hopefully the Internet users won't turn this into a P-P server <grin>), rather than the entire network being the "free zone" with a small restricted zone.

2. If someone knows enough to ask for an exception, it is handled just like any other IT request - NEED for academic/business function = high, WANT to play = low - and most would be approved just for asking, and then you know where the "servers" are. Exceptions last as long as the user requests - one of the questions that should be asked is "is this temporary and/or how long is it needed?" Then we can flush the rule during our periodic audits. This also helps me guarantee uptime. Kind of hard to plan network changes around 1000 unknowns.

3. The responsibility of the end user is not IT security; it is some other business function. Their responsibility is to understand that IT is responsible for the network security and to follow the rules set forth. It is IT's job, as the experts, to perform as consultants to help turn their business requirements into usable technology options. If the user is using a hammer and nails to "fasten" their documents together, should the office expert not tell them about the tool called a stapler? Should that end user say "no, this is how it has to be done"?

Comment about the "threat from within": businesses are most fearful of the threat from within because THEY BLOCK THE INTERNET. Most people do not perform maintenance or repair on anything they own or use. But they know enough to go to experts that provide that service.
_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
Poor planning on your part does NOT constitute an emergency on our part - However, we will do what we can to help you out.

-----Original Message-----
From: Joel Rosenblatt [mailto:joel () COLUMBIA EDU]
Sent: Monday, May 16, 2005 11:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border (fwd)

Hi,

This was supposed to go to the list, not just me.

Joel

------------ Forwarded Message ------------
Date: Monday, May 16, 2005 3:54 PM -0400
From: marchany () vt edu
To: Joel Rosenblatt <joel () columbia edu>
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border

My .02 worth.

1. The mission of the University is to create an environment where information can be exchanged freely.

2. Deny/All at the border is a short-term solution that will cause added paperwork whenever someone wants to do some work that requires a mod to this ACL. How long will it take to get an exception? How long does the exception last? Who's authorized to deny/grant the exception? What's the due process? etc.

3. Deny/All places no responsibility on the end user. It sends the message that "we" will take the brunt of your bad practices. There is no incentive for the user to change their habits.

4. It doesn't do much for internal attacks.

Possible solutions:

1. Create a DENY/small-subset at the border. Things like inbound 445, 137-9.

2. Create a default DENY/ALL for all host-based firewalls. Let the user open up what's needed. Block pings here if you want. If commercial vulnerability scanners can't scan because of ping blocks, then most of the other bad-boy scanners won't either (yeah, I know, good hackers can find you). If everyone blocks pings, the machines that don't are the ones you want to take a closer look at, and they're easy to find.

3. If a user opens up everything, they'll get hit and, hopefully, everyone else will be protected by their default FW rules. The victim's behavior will be modified after a couple of reinstalls.

4. There is no need for creating more paperwork for exception handling. Responsibility is where it needs to be ---- at the end user. As IT people, we forget that we are managing "staplers, typewriters, calculators" for real-world people. Dangerous office equipment, mind you, but office equipment to the real world, nonetheless. The more we interfere with the business, the more the business will try to circumvent, and that, in the long run, is more dangerous. Why? Because now you have an environment where the outside world (hackers) is trying to set up covert channels and the users are trying to set up covert channels to get around your restrictions.

-r.

---------- End Forwarded Message ----------

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
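The two filtering layers proposed in the forwarded message (a border ACL that denies only a small subset such as inbound 445 and 137-139, and host firewalls that default to deny-all with the owner opening what is needed) can be modelled as first-match rule sets and run against the same set of inbound probes. The following is an added example written for this archive page, not code posted by any of the list members; the host names, their opened ports and the probe flows are all constructed for illustration, and the rule format is a hypothetical simplification (stateless, destination-port only, no source addresses):

```python
"""Model the thread's two layers: a border ACL that denies a small subset of
inbound ports, and per-host firewalls that deny everything not opened.

Added example for the archive page; host names, configurations and probe
flows are constructed, and the rule format is a hypothetical simplification.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One inbound packet as a stateless filter sees it."""
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination port; None for icmp
    icmp_type: Optional[int] = None  # 8 = echo request


@dataclass(frozen=True)
class Rule:
    """First-match rule; ports is an inclusive (lo, hi) range or None for any."""
    action: str                      # "allow" or "deny"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    ports: Optional[Tuple[int, int]] = None

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.ports is None:
            return True
        if flow.dport is None:
            return False
        lo, hi = self.ports
        return lo <= flow.dport <= hi


def evaluate(rules: List[Rule], default: str, flow: Flow) -> str:
    """First matching rule wins; fall through to the policy default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Border ACL, "DENY/small-subset": only the Windows file-sharing ports named
# in the thread are blocked; everything else is passed through to the hosts.
BORDER_RULES = [
    Rule("deny", "tcp", (445, 445)), Rule("deny", "udp", (445, 445)),
    Rule("deny", "tcp", (137, 139)), Rule("deny", "udp", (137, 139)),
]
BORDER_DEFAULT = "allow"

# Host firewalls, default DENY/ALL: each owner opens only what they need.
# Constructed hosts for the example.
HOSTS: Dict[str, List[Rule]] = {
    "dept-web": [Rule("allow", "tcp", (80, 80)), Rule("allow", "tcp", (443, 443)),
                 Rule("allow", "tcp", (22, 22))],
    "careful-pc": [],                 # opened nothing, pings included
    "careless-pc": [Rule("allow")],   # opened everything
}
HOST_DEFAULT = "deny"


def decide(host: str, flow: Flow) -> str:
    """Where an inbound flow to `host` is stopped, if anywhere."""
    if evaluate(BORDER_RULES, BORDER_DEFAULT, flow) == "deny":
        return "dropped at border"
    if evaluate(HOSTS[host], HOST_DEFAULT, flow) == "deny":
        return "dropped at host"
    return "delivered"


def hosts_answering_ping() -> List[str]:
    """Hosts whose own rules still let echo requests through: under a
    block-pings-by-default policy these are the ones that stand out."""
    echo = Flow("icmp", icmp_type=8)
    return sorted(name for name, rules in HOSTS.items()
                  if evaluate(rules, HOST_DEFAULT, echo) == "allow")


if __name__ == "__main__":
    probes = [Flow("tcp", 445), Flow("udp", 137), Flow("tcp", 80),
              Flow("tcp", 3389), Flow("icmp", icmp_type=8)]
    for host in HOSTS:
        for probe in probes:
            label = f"{probe.proto}/{probe.dport if probe.dport else probe.icmp_type}"
            print(f"{host:12} {label:10} -> {decide(host, probe)}")
    print("hosts answering ping:", hosts_answering_ping())
```

Running it shows the division of labour the message argues for: the border stops only the file-sharing ports for every host, a service the owner deliberately opened (tcp/80 on the web server) is delivered, an unrequested service (tcp/3389) is stopped by the host's own default deny, and the one host that opened everything is both the one that will "get hit" and the one that shows up in the ping sweep.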
Current thread:
- Re: Inbound Default Deny Policy at Internet Border (fwd) Joel Rosenblatt (May 16)
- <Possible follow-ups>
- Re: Inbound Default Deny Policy at Internet Border (fwd) Jon E. Mitchiner (May 17)
- Re: Inbound Default Deny Policy at Internet Border (fwd) Willis Marti (May 17)
- Re: Inbound Default Deny Policy at Internet Border (fwd) Scholz, Greg (May 17)
- Re: Inbound Default Deny Policy at Internet Border (fwd) Valdis Kletnieks (May 17)