Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 13 May 2005 18:37:12 -0400
Valdis Kletnieks wrote:

> Another way to look at it - do you still believe in the original "end-to-end" concept that made the Internet what it is,

Do I believe in it? Yes, in spite of the fact that it has made the Internet what it is today. ;)

I also believe today's threat environment makes shutting down unnecessary communications channels prudent. If someone wants something, we can open it. In the meantime, the 90+% of the people that don't aren't exposed to, well, you know. It shifts the responsibility to the people who want to assume the additional risk rather than exposing those who don't. How many people still believe in end-to-end MSRPC/NetBIOS over the Internet? Or Oracle listener? The vendors' own documentation recommends against it. We've been operating in an inbound default deny mode more or less for the student networks since 2003 and for several populations of administrative desktop users for over a year with little or no problems.

> or are you about to go off into the "Walled Garden" model of communications? And although "Walled Garden" may be acceptable at a corporation, how do you sell it politically at a university or college?

Well, first it's not a "walled garden" model. It's more a "seek and ye shall receive" model as opposed to a "duck, you're about to receive" model. :)

Such a model may be more important in an academic setting than in a corporate setting. It will help protect people who bring up "test" servers, "temporary" servers, student projects, labs, new computers, and esoteric applications. It will provide a safer environment in which to learn. When SANS starts reporting widespread scans for some weird port you don't all of a sudden find out about the two people on the network that were running a Veritas backup server or Oracle XML FTP server. Those dozens of postgres, mysql, ssh, remote desktop, WS-FTP, and VNC servers without need of Internet exposure aren't exposed.

Of course, we have to assume that there will be a need for many exceptions and that there will be a *relatively* easy way for people to request and get those exceptions. The emphasis will be on ease of use rather than absolute security. If it can be abused, and if it is abused, and if we don't catch it, we're no worse off than with the present default permit policy. :)

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
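The "seek and ye shall receive" policy described in the message above, modelled as a small decision function (an added example, not code from the thread or from JMU): inbound packets are denied unless they belong to a session the inside opened or match an approved exception; the registry fields (owner, host, proto, port, expiry) and the RFC 5737 addresses are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Hole:
    """One approved inbound exception; the requester owns the added risk."""
    owner: str
    host: str
    proto: str
    port: int
    expires: date  # "temporary" servers get a deadline (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False  # part of a flow the inside host opened

def evaluate(pkt: Packet, holes: list, today: date) -> str:
    """Decide 'allow' or 'deny' for one inbound packet at the border."""
    if pkt.established:
        return "allow"  # stateful: replies to outbound connections pass
    for h in holes:
        if (h.host, h.proto, h.port) == (pkt.dst, pkt.proto, pkt.dport) \
                and h.expires >= today:
            return "allow"  # someone asked, and the hole is still valid
    return "deny"  # default deny: everything else never reaches the inside

def demo(today: date = date(2005, 5, 13)) -> dict:
    """Run the services named in the thread through the policy."""
    holes = [  # constructed exception registry; addresses are RFC 5737 ranges
        Hole("webteam", "192.0.2.10", "tcp", 80, date(2006, 1, 1)),
        Hole("lab", "192.0.2.20", "tcp", 5432, date(2005, 5, 1)),  # lapsed
    ]
    internet = "198.51.100.7"
    cases = {
        "approved web server": Packet(internet, "192.0.2.10", "tcp", 80),
        "postgres, lapsed hole": Packet(internet, "192.0.2.20", "tcp", 5432),
        "vnc, never requested": Packet(internet, "192.0.2.30", "tcp", 5900),
        "smb scan": Packet(internet, "192.0.2.40", "tcp", 445),
        "reply to outbound web": Packet(internet, "192.0.2.50", "tcp", 49152, True),
    }
    return {name: evaluate(p, holes, today) for name, p in cases.items()}
```

Calling `demo()` returns the verdict per case; only the approved web server and the reply to an outbound connection pass, the lapsed postgres hole closes on its own once the date is past.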