Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border

From: Mark Poepping <poepping () CMU EDU>
Date: Tue, 17 May 2005 13:22:11 -0400

It seems to me reasonable that there will be a difference of opinion and
effect of default allow versus default deny.  Your particular approach
should be guided by your institution's needs and specific circumstances.
One size almost certainly doesn't fit all.  How ever you do it, if you
manage to enhance the perception of security while reasonably continuing to
serve your customers' needs, then you've probably done well.

On this thread, I would be interested to hear more about:
 1) suggestions for improving either default approach, or
 2) how to manage the inevitable exceptions

In the interest of full-disclosure:  In implementation I stand with the
default-allow crowd (to the expected variety of support and dismay:-).

Mark.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Kristoff
Sent: Monday, May 16, 2005 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border

On Mon, 16 May 2005 10:04:17 -0400
Gary Flynn <flynngn () JMU EDU> wrote:

It wouldn't restrict innovation because the connectity would
be available for the asking. But that convenience vs security
thing would definitely be an issue.


In the short term it will, but you're right in the long term it may
not, but not because people will ask for connectivity.  As one may
remember when users wanted freedom from the glass house, PCs appeared.
When users wanted remote connectivity to those PCs, modems appeared
on the desktops.

Something will develop so that users get 'freedom to connect' back.
Maybe not fully realized for a decade or two, but my bet is that it's
coming and I just hope I am around to see and take advantage of that
innovation.

John

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Current thread:

Re: Inbound Default Deny Policy at Internet Border, (continued)
- Re: Inbound Default Deny Policy at Internet Border Eric Pancer (May 16)
- Re: Inbound Default Deny Policy at Internet Border Cal Frye (May 16)
- Re: Inbound Default Deny Policy at Internet Border Michael Sinatra (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Valdis Kletnieks (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Joel Rosenblatt (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Mark Borrie (May 16)
- Re: Inbound Default Deny Policy at Internet Border Davis, Thomas R. (May 17)
- Re: Inbound Default Deny Policy at Internet Border Mark Poepping (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeff Wolfe (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeffrey I. Schiller (May 18)