Re: Internet ingress port-blocking

[Andy Hooper <hooper () QUEENSU CA>]

Along with RFC 1918, you have to block your own IP address range(s)
coming in as source address on external interfaces.

- Andy Hooper - Queen's University -

Brian Helman wrote on 2017-08-17 1:50 PM:
> Sure, that's Security 101, but I'm looking to understand the generic ruleset for traffic that shouldn't enter 
> anyone's network .. not mine specifically.   Again, e.g, blocking RFC 1918 addresses.  I'm not looking to secure my 
> services at this point, that is done elsewhere on my network.  At this point of access, I'm looking to control 
> unwanted/generally malicious traffic. 
>
> Thanks,
> Brian
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> Velislav K Pavlov
> Sent: Thursday, August 17, 2017 12:55 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Internet ingress port-blocking
>
> Map your external attack surface. Figure out what is visible (asset, header, service/port). Break out the visible 
> assets by what you (IT/Sec) manage and don't manage. Start with cleaning up what you manage and have control over. 
> Move to what you don't manage. Communicate with the appropriate parties and make them part of the solution. Show them 
> reports and your findings. Maybe users/admins don't know what is exposed and visible. Limiting your attack surface 
> will reduce the network noise. Once you cleaned up, G.D. registration process is a neat way to be proactive. 
>
> Vel Pavlov | Coordinator, IT Security 
> M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, 
> Security+, CNA, MPCS, ITILv3F, A+ 
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> Garrett Hildebrand
> Sent: Thursday, August 17, 2017 12:21 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Internet ingress port-blocking
>
> **Notice** This message is from a sender outside of the Ferris Office 365 mail system. Use caution when clicking 
> links or opening attachments. For assistance determining if this email is safe, please contact TAC.
> ________________________________
>
> > We are reviewing the rulesets  on our ingress routers from the Internet.  I'd like to ask what general 
> > ports/applications/services/etc are people blocking?  I'm not talking about specific DDoS hosts/subnets or the like, 
> > just general practice (e.g blocking RFC 1918 addresses coming from the Internet).
>
> We block all connections from off-campus by default. We have a web-based Server Registration tool that allows people 
> to open ports on the border firewall for systems they are responsible for.
>
> Here are the choices one gets in that tool:
>
> *       This system does not need to be contacted from off campus. (No ports open.)
>
> o       I am running Linux and want to use SSH to access my computer from off-campus. (Port 22 enabled.)
>
> o       This system is a server. I run my own firewall or have taken other security precautions. (Warning, all ports 
> will be open.)
>
> o       I would like to specify which ports to open. (Advanced)
>
> Garrett
> -==-==-
> G.D. Hildebrand              Senior IT Security Analyst
> UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
> tel.: 949-824-8913                   email: gdh () uci edu
> Created new page 15 December 2016
>
> Don't be a victim of phishing. Legitimate businesses don't ask you to send sensitive information through insecure 
> channels. Learn more:
> https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fer.educause.edu%2Fblogs%2F2016%2F3%2Fapril-dont-get-hooked&data=02%7C01%7CVelislavPavlov%40ferris.edu%7C60b0715af7ea419926c708d4e58bfc8c%7C64b0362e85c04e95a4ce5651d96cb739%7C1%7C0%7C636385836785274467&sdata=Ljat4%2Fysr479UhjyzILvZU3%2FqONZN5LWgpfXFQMEdcI%3D&reserved=0
> Handle passwords wisely: 
> https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bbc.com%2Fnews%2Ftechnology-37510501&data=02%7C01%7CVelislavPavlov%40ferris.edu%7C60b0715af7ea419926c708d4e58bfc8c%7C64b0362e85c04e95a4ce5651d96cb739%7C1%7C0%7C636385836785274467&sdata=ToI3CmZegh0TUvTcvkYr1FYLxAKaqbpbwxOhho1xbxA%3D&reserved=0
>
> Today (Thu, 17 Aug 2017) at 15:53 -0000 Brian Helman wrote:
>
> > We are reviewing the rulesets  on our ingress routers from the Internet.  I'd like to ask what general 
> > ports/applications/services/etc are people blocking?  I'm not talking about specific DDoS hosts/subnets or the like, 
> > just general practice (e.g blocking RFC 1918 addresses coming from the Internet).
> >
> > Thanks,
> > Brian
> >
> > (x-posting to the NETMAN list as well)
> >
> >
> > ____________________________________
> > Brian Helman, M.Ed |  Director, ITS/Networking Services | *: 
> > 978.542.7272 Salem State University, 352 Lafayette St., Salem 
> > Massachusetts 01970
> > GPS: 42.502129, -70.894779