Educause Security Discussion mailing list archives

Re: Appropriate University/Internet blocks


From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Thu, 17 Jun 2004 09:23:13 -0400

Hello,

We implemented Internet/CA*net 4 perimeter port blocking where the choice of ports to
block was made originally for 'firefighting' reasons but since have evolved into best
practices. The list includes all Microsoft well-known service ports - 135, 137-9, 445 as
well as the easy ones - SNMP, TFTP, some ICMP codes. We also install temporary blocks on
backdoor ports as a part of incident response. I believe this action has served us well
with the Sasser and other blended threat incidents and the University community has
generally supported it.

Where we've run into controversy is port blocking on **other** perimeters - wireless/wired
backbone and xDSL/wired backbone. A sizeable number of users object to the loss of
Microsoft services for shares or Exchange-Outlook functionality. Of course, the IT side of
this is now there are 'breaches in the dyke' - it's more difficult to manage issues with
users on the other sides of these perimeters.

As far as hardware goes, the port filtering is done on open-source routers with 50%
utilized GigE connections - no noticeable performance problems.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto
