Educause Security Discussion mailing list archives
Re: Preparing for Default Deny Firewall
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 1 Feb 2005 08:38:41 -0800
One small note: You should allow incoming ICMP packets of type 3 code 4 (Fragmentation needed but no frag. bit set). These packets are needed for Path Maximum Transmission Unit Discovery (PMTUD). PMTUD is enabled by default in Windows XP and Server 2003. If you do not allow these packets in, it may cause problems for some people viewing your school's website or accessing other services.

Steven

-----Original Message-----
From: Cary, Kim [mailto:Kim.Cary () PEPPERDINE EDU]
Sent: Tuesday, February 01, 2005 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Preparing for Default Deny Firewall

We will shortly be going to a default-deny firewall (inbound only) here (8000 students, 1000 staff, 7 campuses on a WAN). For those of you that have such a situation, I would appreciate any tips you have for:

1. Moving from a block-known-bad to a permit-known-good inbound posture.
2. Procedures you have for processing & approving exceptions for new or changed services.

For those of you that decided against this type of firewall, I think our implementation would be informed of some things to look out for by hearing from you about the issues that prevent you from going to this position.

We also are in receipt of a recommendation that states our router ACLs should also be default deny. Any tips/comments on that recommendation would be welcome as well.

Kim Cary
Infrastructure Security Administrator
Pepperdine University
310 506 6655

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
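The allow rule Steven describes, as an added example that is not part of the original thread: a small Python model of a default-deny inbound filter that admits ICMP type 3 code 4 (the "fragmentation needed" message a router sends back when a datagram with the Don't Fragment bit set is larger than its next-hop MTU) and nothing else. It goes slightly beyond the post by also checking the datagram quoted inside the ICMP message, so that the firewall only accepts feedback about traffic one of its own hosts actually sent and rejects implausible MTU values. The addresses, the `our_hosts` set, the function names and every packet byte are constructed for illustration.

```python
"""Default-deny inbound ICMP filter that still admits PMTUD feedback.

Added example, not code from the original list post. Addresses, the
our_hosts set and the packets built in demo() are constructed inline.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # code 4: fragmentation needed and DF set
IPV4_MIN_MTU = 68         # RFC 791 minimum; a smaller next-hop MTU is bogus


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP (0 when verifying a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000 if df else 0,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_frag_needed(orig_ip_hdr: bytes, orig_payload: bytes, next_mtu: int) -> bytes:
    """ICMP type 3 code 4 as a router emits it: 8-byte ICMP header carrying the
    next-hop MTU, followed by the offending datagram's IP header + first 8 bytes."""
    body = orig_ip_hdr + orig_payload[:8]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_mtu)
    return hdr[:2] + struct.pack("!H", ip_checksum(hdr + body)) + hdr[4:] + body


def filter_inbound_icmp(icmp: bytes, our_hosts: set[str]) -> tuple[bool, str]:
    """Default deny: only 'fragmentation needed' passes, and only when the quoted
    datagram was sent by one of our hosts (so a blind sender cannot inject it),
    had DF set, and the advertised MTU is plausible."""
    if len(icmp) < 8:
        return False, "truncated ICMP header"
    if ip_checksum(icmp) != 0:
        return False, "bad ICMP checksum"
    itype, code, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return False, f"ICMP type {itype} code {code} not in allow list"
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return False, "quoted datagram missing or not IPv4"
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        return False, "quoted datagram too short"
    orig_len = struct.unpack("!H", inner[2:4])[0]
    df_set = bool(struct.unpack("!H", inner[6:8])[0] & 0x4000)
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    if src not in our_hosts:
        return False, f"quoted datagram source {src} is not one of our hosts"
    if not df_set:
        return False, "quoted datagram did not have DF set"
    if next_mtu < IPV4_MIN_MTU or next_mtu >= orig_len:
        return False, f"implausible next-hop MTU {next_mtu} for a {orig_len}-byte datagram"
    return True, f"PMTUD feedback for {src} -> {dst} proto {proto}: next-hop MTU {next_mtu}"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the filter over four constructed inbound ICMP messages."""
    our_hosts = {"192.0.2.10"}   # assumed: the web server behind the firewall
    # Constructed: our server sent a 1500-byte DF segment; a router with a 1400-byte link replies.
    orig_hdr = build_ipv4_header("192.0.2.10", "198.51.100.7", proto=6, total_len=1500)
    orig_tcp = struct.pack("!HHII", 80, 51515, 1, 1)   # first bytes of the TCP header
    pmtud = build_frag_needed(orig_hdr, orig_tcp, next_mtu=1400)
    # Constructed: same message, but the quoted datagram claims a source we do not own.
    spoof_hdr = build_ipv4_header("203.0.113.9", "198.51.100.7", proto=6, total_len=1500)
    spoofed = build_frag_needed(spoof_hdr, orig_tcp, next_mtu=1400)
    # Constructed: an ICMP echo request (type 8), which the policy does not admit.
    ping = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ping = ping[:2] + struct.pack("!H", ip_checksum(ping)) + ping[4:]
    # Constructed: frag-needed advertising an MTU below the IPv4 minimum.
    bogus = build_frag_needed(orig_hdr, orig_tcp, next_mtu=40)
    return {
        "pmtud": filter_inbound_icmp(pmtud, our_hosts),
        "spoofed_source": filter_inbound_icmp(spoofed, our_hosts),
        "echo_request": filter_inbound_icmp(ping, our_hosts),
        "bogus_mtu": filter_inbound_icmp(bogus, our_hosts),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Real firewalls that track state (for example, "related" ICMP in a stateful filter) make the same decision by matching the quoted inner header against the connection table; the point of spelling it out here is that permitting type 3 code 4 does not mean permitting all of ICMP, and that the message can be checked against traffic you actually sent rather than accepted blindly.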
Current thread:
- Preparing for Default Deny Firewall Cary, Kim (Feb 01)
- <Possible follow-ups>
- Re: Preparing for Default Deny Firewall Steven Alexander (Feb 01)
- Re: Preparing for Default Deny Firewall Arturo Servin (Feb 01)
- Re: Preparing for Default Deny Firewall Scholz, Greg (Feb 01)
- Re: Preparing for Default Deny Firewall Brawner, David (Feb 01)
- Re: Preparing for Default Deny Firewall John Kristoff (Feb 01)
- Re: Preparing for Default Deny Firewall Yantis, Jonathan Lindsey (Feb 01)
- Re: Preparing for Default Deny Firewall Steven Alexander (Feb 01)
- Re: Preparing for Default Deny Firewall Jeff Kell (Feb 01)