Re: [unisog] Appropriate University/Internet blocks

[Daniel Adinolfi <dra1 () CORNELL EDU>]

On Jun 16, 2004, at 10:20, Tom Conley wrote:

> Specifically, what ports or packets are y'all (other universities)
> currently blocking?  Do you have router configurations that you can
> share? Do you use an IP blacklist?  Are the "blacklist" and "ports
> list" permanent or do the blocks "time out" automatically?  How do you
> manage all this?

Cornell University uses packet filtering at a few different levels.

Campus-wide, we have very few port-based blocks in place.  The culture
and technical reality of our core network is such that wholesale
blocking of ports is only recently becoming acceptable under
extraordinary conditions.  Also, if we were to block something like
Windows Networking without offering an alternative to satisfy that
functionality, we would have some serious problems from our customers.

We use campus-wide blocks at our border to respond to large-scale
incidents only (in addition to the normal anti-spoofing filters that
EVERYONE should have on their border).  More specific packet-filtering
is performed at our network edge on a departmental basis.  Our Edge ACL
service allows local support providers to create ACLs on our Cisco
routers for their own subnets.  This way, we do not need to worry about
creating a universal ruleset.  We push the rules down to the edge and
satisfy individual departmental requirements.  So far, our service has
been very successful in the year we have been offering it.  Over a
quarter of our campus subnets have some kind of Edge ACL assigned to
it.

This two-pronged approach, border blocks for incident response and Edge
ACLs for departmental protection, is working well for us technically,
administratively, and socially.  For more info on our Edge ACL service,
check out:

<http://www.cit.cornell.edu/computer/security/edgeacls/>.

We also encourage local support providers to configure personal
firewalls on individual systems where practical.  Some departments run
their own hardware firewalls, and we work with them to create a good
ruleset and compliment that firewall with our Edge ACLs on that same
subnet (the "belt and suspenders" model).  Also, we have RFC 1918 IP
space that will route on-campus but not off-campus, allowing local
support providers to remove the possibility of off-campus traffic to
connect to those systems while still allowing any campus subnet to
connect to those systems (which is very handy for printers).

Our philosophy is to allow the requirements of our users to drive any
packet filtering solution.  Pushing specific rulesets closer to the
protected objects allows you to tailor those rulesets more accurately,
creating less disruption and more security for individual users,
systems, and data sources.

So, to answer your specific question, each department has the ability
to decide what should and shouldn't be blocked to their subnets.
Campus-wide, only anti-spoofing and routing filters are mandatory, with
the exception of specific incident-related ports.

Good luck.

-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.