Educause Security Discussion mailing list archives

Re: Appropriate University/Internet blocks


From: Shawn Kohrman <skohrman () HONEYNET APU EDU>
Date: Wed, 16 Jun 2004 10:57:11 -0700


We use a "block all inbound except for approved purposes" approach.
There has been some backlash to it, but overall it's gone over well.
One argument that helped immensely was showing our directors the live
scrolling list of denied attempts.


Shawn Kohrman, CISSP
Lead Network Administrator
Azusa Pacific University
901 E. Alosta Ave.
Azusa, CA  91702
http://www.apu.edu/

Ariel Silverstone wrote:
| Tom,
|
| At Temple, we approached it very gingerly.  Generally, the following are the
| steps we took:
|
| 1) thought hard about what it is we are really trying to do
| 2) created an application that enabled us to perform step 4 below
| 3) created a "security council" composed of representatives from every
| school and administrative department and solicited their input
| 4) asked the members to use the application to register every server,
| guaranteeing that no server which is registered be affected by a new
| firewall or firewall rule
| 5) created the new rule set
| 6) informed the community that as of a specific date, our rule set - which
| is now set to "Deny All except" rather than "permit all except" - will be
| active
| 7) prepared the help desk for an influx of calls
| 8) turned on the rule set
| 9) watched as less than 30 calls (out of 55,000 users) came in about this
| issue.
|
|
| Thank you,
|
| Ariel Silverstone, CISSP
| Chief Information Security Officer
| Temple University
|
|
| -----Original Message-----
| From: The EDUCAUSE Security Discussion Group Listserv
| [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tom Conley
| Sent: Wednesday, June 16, 2004 10:21 AM
| To: SECURITY () LISTSERV EDUCAUSE EDU
| Subject: [SECURITY] Appropriate University/Internet blocks
|
| This is a hackneyed old question, but one we are still struggling with:
|
| What is the appropriate level of filtering or port blocking at a
| University/Internet border?
|
| Specifically, what ports or packets are y'all (other universities) currently
| blocking?  Do you have router configurations that you can share?
| Do you use an IP blacklist?  Are the "blacklist" and "ports list" permanent
| or do the blocks "time out" automatically?  How do you manage all this?
|
| It seems [obvious] that the recommendations made for other industries are
| not generally accepted at universities.  But what is acceptable?
|
| Any feedback is appreciated.  Feel free to contact me off-list if you
| prefer.
|
| Thanks.
|
| Tom
|
| Tom Conley, CISSP
| Network Security
| Ohio University
| 740.593.2264
| conleyt () ohio edu
| security () ohio edu
|
| **********
| Participation and subscription information for this EDUCAUSE Discussion
| Group discussion list can be found at http://www.educause.edu/cg/.

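The "deny all inbound except registered servers" approach both replies describe, modelled as an added example that is not part of the thread: a constructed registry of approved servers (what step 4 above collects), a default-deny check for inbound attempts, the rule set rendered from that registry, and a per-port tally of denied attempts of the kind shown to directors. Addresses, ports and the rule syntax are constructed for illustration.

```python
"""Model of a 'deny all inbound except registered servers' border policy.

Added example, not from the original thread. The server registry, the
connection records and the rule syntax are constructed for illustration.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed registry: each entry is (server address, protocol, port)
# that a department registered as needing inbound access.
REGISTERED_SERVERS = {
    ("192.0.2.10", "tcp", 80),
    ("192.0.2.10", "tcp", 443),
    ("192.0.2.25", "tcp", 25),
    ("192.0.2.53", "udp", 53),
}
CAMPUS_NET = ip_network("192.0.2.0/24")  # constructed campus address space


@dataclass(frozen=True)
class Attempt:
    src: str
    dst: str
    proto: str
    dport: int


def is_permitted(attempt: Attempt) -> bool:
    """Default deny: inbound traffic passes only if its destination
    server/protocol/port triple was registered; everything else is denied."""
    if ip_address(attempt.dst) not in CAMPUS_NET:
        return False  # not inbound to campus; outside this policy's scope
    return (attempt.dst, attempt.proto.lower(), attempt.dport) in REGISTERED_SERVERS


def to_rules(registry) -> list[str]:
    """Render the registry as an ordered rule set ending in the default deny."""
    rules = [f"permit {proto} any host {dst} eq {port}"
             for dst, proto, port in sorted(registry)]
    rules.append("deny ip any any")
    return rules


def denied_by_port(attempts) -> Counter:
    """Tally denied attempts per protocol/port: the 'scrolling list of denied
    attempts' that makes the policy's effect visible to non-technical staff."""
    return Counter((a.proto, a.dport) for a in attempts if not is_permitted(a))


# Constructed inbound attempts: three hit registered services, three do not.
SAMPLE_ATTEMPTS = [
    Attempt("198.51.100.7", "192.0.2.10", "tcp", 443),
    Attempt("198.51.100.7", "192.0.2.10", "tcp", 22),
    Attempt("203.0.113.4", "192.0.2.99", "tcp", 22),
    Attempt("203.0.113.4", "192.0.2.53", "udp", 53),
    Attempt("203.0.113.9", "192.0.2.25", "tcp", 25),
    Attempt("203.0.113.9", "192.0.2.25", "tcp", 135),
]
```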