Educause Security Discussion mailing list archives

Re: Preparing for Default Deny Firewall


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 1 Feb 2005 08:38:41 -0800

One small note: You should allow incoming ICMP packets of type 3 code 4
(Fragmentation needed but no frag. bit set).  These packets are needed
for Path Maximum Transmission Unit Discovery (PMTUD).  PMTUD is enabled
by default in Windows XP and Server 2003.  If you do not allow these
packets in, it may cause problems for some people viewing your school's
website or accessing other services.
 
Steven
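Steven's ICMP allowance above, as an added example that is not part of the original post: a small inbound filter that is default-deny for ICMP but lets a well-formed type 3 / code 4 message through, and parses the Next-hop MTU field that PMTUD depends on. The packet builder, the sample datagram bytes and the rule names are constructed for the example.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type "Destination Unreachable"
ICMP_FRAG_NEEDED = 4    # code "Fragmentation needed" (carries Next-hop MTU)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: bytes) -> bytes:
    """Constructed helper: ICMP header with a correct checksum plus `rest`."""
    msg = struct.pack("!BBH", itype, code, 0) + rest
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Type 3 / code 4: 16 unused bits, Next-hop MTU, then the start of the
    datagram that could not be forwarded (RFC 1191 layout)."""
    return build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                      struct.pack("!HH", 0, next_hop_mtu) + original)


def parse_icmp(pkt: bytes) -> dict:
    """Decode the 8-byte ICMP header; reject short or corrupted messages."""
    if len(pkt) < 8:
        raise ValueError("ICMP header too short")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    return {"type": itype, "code": code, "next_hop_mtu": mtu, "quoted": pkt[8:]}


def inbound_policy(pkt: bytes) -> str:
    """Default-deny inbound ICMP with the single exception the post asks for.
    A stateful firewall would additionally match the quoted datagram against an
    existing outbound flow ("related" traffic); that check is omitted here."""
    try:
        icmp = parse_icmp(pkt)
    except ValueError:
        return "deny"
    if icmp["type"] == ICMP_DEST_UNREACH and icmp["code"] == ICMP_FRAG_NEEDED:
        return "allow"
    return "deny"
</test>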

        -----Original Message-----
        From: Cary, Kim [mailto:Kim.Cary () PEPPERDINE EDU]
        Sent: Tuesday, February 01, 2005 8:05 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Preparing for Default Deny Firewall

        We will shortly be going to a default-deny firewall (inbound only)
        here (8000 students 1000 staff, 7 campuses on a WAN).

        For those of you that have such a situation, I would appreciate any
        tips you have for:
        1. Moving from block known bad to permit known good inbound posture.
        2. Procedures you have for processing & approving exceptions for new
        or changed services.

        For those of you that decided against this type of firewall, I think
        our implementation would be informed of some things to look out for by
        hearing from you about your issues that prevent you from going to this
        position.

        We also are in receipt of a recommendation that states our router ACLs
        should also be default deny. Any tips/comments on that recommendation
        would be welcome as well.

        Kim Cary
        Infrastructure Security Administrator
        Pepperdine University
        310 506 6655

        **********
        Participation and subscription information for this EDUCAUSE
        Discussion Group discussion list can be found at
        http://www.educause.edu/groups/.
        
        
        


