Educause Security Discussion mailing list archives
Re: the importance of security
From: Jon Mitchiner <jon.mitchiner () GALLAUDET EDU>
Date: Wed, 11 Aug 2004 12:45:51 -0400
I am not comfortable with the idea of port 25 blocking. The reason is: how will you know if a machine is infected or not? If you block outgoing port 25, then it's going to make it difficult for you to know whether a machine is infected with a trojan/virus/etc., and you would have compromised machines on your network. I like to be aware of compromised hosts and take them off the network quickly until they are fixed.

Our approach to this was to set up a transparent proxy on port 25 for unknown SMTP servers. Anyone who tries to send e-mail on port 25 is automatically redirected to our internal mail server on port 25. It accepts all mail internally and does not require SMTP authentication to send e-mails. In other words, this is a catch-all mail server for unknown e-mails that probably should not have been sent in the first place.

We have the e-mail server forward bounces to the security administrators so they can be reviewed and it can be determined if a computer needs to be disconnected from the network. It's likely that people will have some bad addresses in their address book, thus causing the bounce. There are times when there is a massive influx of e-mails to the security group, maxing out their quotas, but the end result is that the security group knows immediately whenever someone's computer is infected. For instance, with the new Beagle worm this week, the response time was less than 5 minutes when the outbreak started, and we minimized the spread quickly.

When there is a virus outbreak we put the mail server in a queue mode, and all mail is accepted but not processed. We search for specific keywords (e.g. .pif), and if it matches then the e-mails are automatically deleted. We've noticed that this is relatively easy to manage because we allow approved SMTP hosts to send mail directly (bypassing the transparent mail server), so we only catch e-mails that do not use the authorized SMTP hosts.
The number of e-mails is small because most users use the authorized SMTP hosts, and those that don't are usually either infected or reading their home e-mail accounts (via their ISP). We do the transparent proxy/redirection on our border Cisco router to send the traffic back to a specific machine. It's relatively simple to set up.

Jon Mitchiner
Gallaudet University

Dewitt Latimer wrote:
Notre Dame implemented full SMTPAuth and port 25 blocking. True...we're being a good netcitizen. However, the payback to ND (in so far as the reduction of infected machines) has been immense. -d
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
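The triage that Jon describes (redirect everything except approved SMTP hosts to a catch-all server, forward bounces to the security group, and in queue mode delete anything matching a keyword such as .pif) is easy to model in code. The block below is an added example written for this archive page, not Gallaudet's or Notre Dame's actual setup; the authorized-host list, thresholds, blocked suffixes and the sample messages are all constructed for illustration. It goes a step beyond the post by flagging hosts on three signals (a blocked attachment name, a burst of bounces in a short window, or a single message with many recipients), which is the sort of rule the security group would otherwise apply by hand while reading the forwarded bounces.

```python
"""Catch-all SMTP triage model (added example; assumptions noted inline)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed: hosts the border router lets send on port 25 directly.
# Everything else is transparently redirected to the catch-all server.
AUTHORIZED_SMTP_HOSTS = {"10.0.0.25", "10.0.0.26"}

# Constructed: attachment-name keywords checked while in queue mode.
BLOCKED_SUFFIXES = (".pif", ".scr")


@dataclass
class Message:
    src_ip: str                 # internal host that opened the SMTP session
    ts: int                     # seconds since epoch when it was received
    sender: str
    recipients: list
    attachments: list = field(default_factory=list)
    bounced: bool = False       # the catch-all server got an NDR for it


def is_redirected(src_ip):
    """Mirror the router rule: only approved SMTP hosts bypass the proxy."""
    return src_ip not in AUTHORIZED_SMTP_HOSTS


def matches_blocked_keyword(msg):
    """Queue-mode keyword check on attachment names (case-insensitive)."""
    return any(a.lower().endswith(BLOCKED_SUFFIXES) for a in msg.attachments)


def queue_mode(messages):
    """Split queued mail into (delete, deliver) lists; only redirected mail
    ever reaches the catch-all server, so authorized hosts are skipped."""
    queued = [m for m in messages if is_redirected(m.src_ip)]
    delete = [m for m in queued if matches_blocked_keyword(m)]
    deliver = [m for m in queued if not matches_blocked_keyword(m)]
    return delete, deliver


def triage(messages, bounce_threshold=5, window=300, rcpt_threshold=20):
    """Return {src_ip: sorted reasons} for hosts the security group should
    look at.  Thresholds are constructed defaults, not values from the post."""
    flagged = defaultdict(set)
    by_host = defaultdict(list)
    for m in messages:
        if not is_redirected(m.src_ip):
            continue                      # sent via an approved relay
        by_host[m.src_ip].append(m)
        if matches_blocked_keyword(m):
            flagged[m.src_ip].add("blocked-attachment")
        if len(m.recipients) >= rcpt_threshold:
            flagged[m.src_ip].add("mass-mailing")
    for host, msgs in by_host.items():
        # Sliding window over bounce times: `bounce_threshold` bounces
        # inside `window` seconds looks like a worm, not a stale address book.
        bounces = sorted(m.ts for m in msgs if m.bounced)
        for i in range(len(bounces) - bounce_threshold + 1):
            if bounces[i + bounce_threshold - 1] - bounces[i] <= window:
                flagged[host].add("bounce-burst")
                break
    return {h: sorted(r) for h, r in flagged.items()}


# Constructed sample traffic: an approved relay, an infected workstation,
# a user reading home mail via their ISP, and a one-off bulk sender.
SAMPLE_MESSAGES = (
    [Message("10.0.0.25", 0, "a@campus.example", ["x@isp.example"], ["setup.pif"])]
    + [Message("10.1.2.3", 10 * i, "victim@campus.example", [f"r{i}@isp.example"],
               ["photo.pif"], bounced=True) for i in range(6)]
    + [Message("10.1.2.4", 100, "me@home.example", ["friend@isp.example"]),
       Message("10.1.2.4", 700, "me@home.example", ["old@isp.example"], bounced=True),
       Message("10.1.2.5", 800, "club@campus.example",
               [f"member{i}@isp.example" for i in range(25)])]
)


def report():
    """Triage the constructed sample, as the forwarded-bounce review would."""
    return triage(SAMPLE_MESSAGES)


if __name__ == "__main__":
    for host, reasons in sorted(report().items()):
        print(f"{host}: {', '.join(reasons)}")
```

The approved-relay message carrying a .pif never appears in the report because the router would not have redirected it, which is exactly the blind spot Jon accepts in exchange for low volume; the home-ISP user with one stale address is left alone, while the workstation that bounces six .pif messages in a minute is flagged on two independent signals.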
Current thread:
- the importance of security Scott Genung (Aug 11)
- <Possible follow-ups>
- Re: the importance of security Jere Retzer (Aug 11)
- Re: the importance of security Theresa M Rowe (Aug 11)
- Re: the importance of security Weeks, Calvin W. (Aug 11)
- Re: the importance of security Scott Genung (Aug 11)
- Re: the importance of security Jere Retzer (Aug 11)
- Re: the importance of security Dewitt Latimer (Aug 11)
- Re: the importance of security Scott Genung (Aug 11)
- Re: the importance of security Cal Frye (Aug 11)
- Re: the importance of security Jon Mitchiner (Aug 11)
- Re: the importance of security Gary Flynn (Aug 11)
- Re: the importance of security Gary Flynn (Aug 11)
- Re: the importance of security Jon Mitchiner (Aug 11)
- Re: the importance of security Buz Dale (Aug 11)
- Re: the importance of security Rich Graves (Aug 11)
- Re: the importance of security Paul Russell (Aug 11)
- Re: the importance of security Mike Iglesias (Aug 11)
- Re: the importance of security Scott Weeks (Aug 12)