Re: Inbound Default Deny Policy at Internet Border (fwd)

["Scholz, Greg" <gscholz () KEENE EDU>]

1. Free exchange of information is not the same as free/uncontrolled
access to unintended information.  Try setting up servers for each
protocol that faculty requests, keep strict rules to allow access as
intended, provide a mechanism for faculty to put any content they like
out there so the sharing is intentional.  App sharing is a little more
difficult, but could still be done using secure gateways of some sort or
very small "free zones" isolated from the internal network (hopefully
the Internet users wont turn this into a P-P server <grin>), rather than
the entire network being the "free zone" with a small restricted zone.

2. If someone knows enough to ask for an exception, it is handled just
like any other IT request - NEED for academics/business function=High,
WANT to play=low - and most would be approved just for asking and then
you know where the "serves" are. Exceptions last as long as the user
requests - one of the questions that should be asked is "is this
temporary and/or how long is it needed?" Then we can flush the rule
during our periodic audits. This also helps me guarantee uptime. Kind of
hard to plan network changes around 1000 unknowns.

3. The responsibility of the end user is not IT security it is some
other business function.  There responsibility is to understand that IT
is responsible for the network security and follow the rules set forth.
It is ITs job, as the experts, to perform as consultants to help turn
their business requirements into usable technology options.  If the user
is using a hammer and nails to "fasten" their documents together, should
the office expert not tell them about the tool called a stapler?  Should
that end user say "no, this is how it has to be done"?

Comment about the "threat from within": businesses are most fearful of
the threat from within because THEY BLOCK THE INTERNET.  

Most people do not perform maintenance or repair on anything they own or
use.  But they know enough to go to experts that provide that service.

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

Poor planning on your part does NOT constitute an emergency on our part
- 
However, we will do what we can to help you out.

-----Original Message-----
From: Joel Rosenblatt [mailto:joel () COLUMBIA EDU] 
Sent: Monday, May 16, 2005 11:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border
(fwd)

Hi,

This was supposed to go to the list, not just me.

Joel

------------ Forwarded Message ------------
Date: Monday, May 16, 2005 3:54 PM -0400
From: marchany () vt edu
To: Joel Rosenblatt <joel () columbia edu>
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border

My .02 worth.

1. The mission of the University is to create an environment where
information  can be exchanged freely.

2. Deny/All at the border is a short term solution that will cause added
paperwork whenever someone wants to do some work that requires a mod to
this  ACL. How long will it take to get an exception? How long does the
exception  last? Who's authorized to deny/grant the exception? what's
the
due process?  etc.

3. Deny/All places no responsibility on the end user. It send the
message
that  "we" will take the brunt of your bad practices. There is no
incentive
for the  user to change their habits.

4. It doesn't do much for internal attacks.

Possible solutions:

1. create a DENY/Small-subset at the border. Things like inbound 445,
137-9.

2. create a default DENY/ALL for all HOST based firewalls. Let the user
open  up what's needed. Block pings here if you want. If commercial
vulnerability  scanners can't scan because of ping blocks, then most of
the
other bad boy  scanners won't either (yeah, I know, good hackers can
find
you). If everyone  blocks pings, the machines that don't are the ones
you
want to take a closer  look and they're easy to find.

3. If a user opens up everything, they'll get hit and hopefully,
everyone
else  will be protected by their default FW rules. The victim's behavior
will be  modified after a couple of reinstalls.

4. There is no need for creating more paperwork for exception handling.
responsibility is where it needs to be ---- at the end user.

As IT people, we forget that we are managing "staplers, typewriters,
calculators" for real-world people. Dangerous office equipment, mind
you,
but  office equipment to the real world, nonetheless. The more we
interfere
with  the business, the more the business will try to circumvent and
that,
in the  long run, is more dangerous. Why? Because now you have an
environment where  the outside world (hackers) are trying to set up
covert
channels and the users  are trying to set up covert channels to get
around
your restrictions.


        -r.


---------- End Forwarded Message ----------



Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.