Educause Security Discussion mailing list archives
Re: [unisog] Appropriate University/Internet blocks
From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Wed, 16 Jun 2004 12:03:42 -0400
On Jun 16, 2004, at 10:20, Tom Conley wrote:
> Specifically, what ports or packets are y'all (other universities) currently blocking? Do you have router configurations that you can share? Do you use an IP blacklist? Are the "blacklist" and "ports list" permanent or do the blocks "time out" automatically? How do you manage all this?
Cornell University uses packet filtering at a few different levels. Campus-wide, we have very few port-based blocks in place. The culture and technical reality of our core network is such that wholesale blocking of ports is only recently becoming acceptable under extraordinary conditions. Also, if we were to block something like Windows Networking without offering an alternative to satisfy that functionality, we would have some serious problems from our customers. We use campus-wide blocks at our border to respond to large-scale incidents only (in addition to the normal anti-spoofing filters that EVERYONE should have on their border).

More specific packet-filtering is performed at our network edge on a departmental basis. Our Edge ACL service allows local support providers to create ACLs on our Cisco routers for their own subnets. This way, we do not need to worry about creating a universal ruleset. We push the rules down to the edge and satisfy individual departmental requirements. So far, our service has been very successful in the year we have been offering it. Over a quarter of our campus subnets have some kind of Edge ACL assigned to them. This two-pronged approach, border blocks for incident response and Edge ACLs for departmental protection, is working well for us technically, administratively, and socially. For more info on our Edge ACL service, check out: <http://www.cit.cornell.edu/computer/security/edgeacls/>.

We also encourage local support providers to configure personal firewalls on individual systems where practical. Some departments run their own hardware firewalls, and we work with them to create a good ruleset and complement that firewall with our Edge ACLs on that same subnet (the "belt and suspenders" model).
Also, we have RFC 1918 IP space that will route on-campus but not off-campus, allowing local support providers to remove the possibility of off-campus traffic to connect to those systems while still allowing any campus subnet to connect to those systems (which is very handy for printers).

Our philosophy is to allow the requirements of our users to drive any packet filtering solution. Pushing specific rulesets closer to the protected objects allows you to tailor those rulesets more accurately, creating less disruption and more security for individual users, systems, and data sources.

So, to answer your specific question, each department has the ability to decide what should and shouldn't be blocked to their subnets. Campus-wide, only anti-spoofing and routing filters are mandatory, with the exception of specific incident-related ports.

Good luck.

-Dan

_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu
phone: 607-255-7657

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
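The two-layer model Dan describes (border anti-spoofing filters that also keep on-campus-only RFC 1918 space unreachable from outside, plus a per-subnet Edge ACL that a department tailors to its own needs) can be modelled as ordered first-match rule lists. The following is an added example, not Cornell's Edge ACL service or any configuration from the thread: it builds both rule sets for a hypothetical campus (documentation prefixes 198.51.100.0/24 for campus and 203.0.113.0/24 for the Internet are constructed placeholders), evaluates constructed packets against them with Cisco's implicit deny at the end, and renders each list as Cisco IOS extended ACL text so the result can be compared with what a router would be given.

```python
"""Model of border anti-spoofing filters plus a per-subnet departmental Edge ACL.

Added example; prefixes and port choices are constructed, not Cornell's.
Rules are evaluated top-down, first match wins, and an unmatched packet is
denied, mirroring the implicit deny at the end of a Cisco IOS ACL.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")
CAMPUS = ip_network("198.51.100.0/24")     # constructed campus prefix
DEPT = ip_network("198.51.100.64/26")      # constructed departmental subnet


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"            # "tcp", "udp" or "ip" (protocol-agnostic)
    dport: Optional[int] = None   # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def border_ingress_acl() -> List[Rule]:
    """Inbound-from-Internet filter: anti-spoofing plus on-campus-only space."""
    rules = [Rule("deny", "ip", CAMPUS, ANY)]               # outside traffic must not claim a campus source
    rules += [Rule("deny", "ip", net, ANY) for net in RFC1918]  # ... or a private source
    rules += [Rule("deny", "ip", ANY, net) for net in RFC1918]  # RFC 1918 hosts reachable only from campus
    rules.append(Rule("permit", "ip", ANY, ANY))            # everything else is the departments' call
    return rules


def edge_acl(subnet: IPv4Network, public_tcp: List[int], campus_tcp: List[int]) -> List[Rule]:
    """Departmental Edge ACL applied inbound toward one subnet.

    public_tcp: services the department exposes to anyone (e.g. SSH, HTTPS).
    campus_tcp: services exposed only to campus subnets (e.g. Windows Networking).
    """
    rules = [Rule("permit", "tcp", ANY, subnet, p) for p in public_tcp]
    rules += [Rule("permit", "tcp", CAMPUS, subnet, p) for p in campus_tcp]
    rules.append(Rule("deny", "ip", ANY, subnet))           # explicit deny so hit counters are visible
    return rules


def _ios_addr(net: IPv4Network) -> str:
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"          # IOS uses wildcard (inverted) masks


def to_ios(name: str, rules: List[Rule]) -> str:
    """Render a rule list as a Cisco IOS named extended ACL."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        line = f" {r.action} {r.proto} {_ios_addr(r.src)} {_ios_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return "\n".join(lines)


def demo() -> dict:
    """Evaluate constructed packets against both layers."""
    border = border_ingress_acl()
    edge = edge_acl(DEPT, public_tcp=[22, 443], campus_tcp=[445])
    outside, inside, campus = ip_address("203.0.113.5"), ip_address("198.51.100.70"), ip_address("198.51.100.10")
    return {
        "border_spoofed_campus_src": evaluate(border, Packet(ip_address("198.51.100.20"), inside, "tcp", 443)),
        "border_to_rfc1918_printer": evaluate(border, Packet(outside, ip_address("10.1.2.3"), "tcp", 9100)),
        "border_https_to_dept": evaluate(border, Packet(outside, inside, "tcp", 443)),
        "edge_https_from_internet": evaluate(edge, Packet(outside, inside, "tcp", 443)),
        "edge_smb_from_internet": evaluate(edge, Packet(outside, inside, "tcp", 445)),
        "edge_smb_from_campus": evaluate(edge, Packet(campus, inside, "tcp", 445)),
        "edge_udp_from_internet": evaluate(edge, Packet(outside, inside, "udp", 53)),
    }


if __name__ == "__main__":
    print(to_ios("BORDER-IN", border_ingress_acl()))
    print(to_ios("EDGE-DEPT-IN", edge_acl(DEPT, [22, 443], [445])))
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model is stateless, as IOS ACLs are: a real inbound Edge ACL on a departmental subnet also needs entries for return traffic of connections the department's hosts open outward (the `established` keyword or reflexive ACLs), or users will find outbound browsing broken. That is exactly the kind of per-department detail that makes pushing the ruleset to the edge, and letting the local support provider own it, easier than a single campus-wide list.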