Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 13 May 2005 18:37:12 -0400

Valdis Kletnieks wrote:

> Another way to look at it - do you still believe in the original "end-to-end"
> concept that made the Internet what it is,

Do I believe in it? Yes, in spite of the fact that
it has made the Internet what it is today. ;)

I also believe today's threat environment makes shutting
down unnecessary communications channels prudent. If
someone wants something, we can open it. In the meantime,
the 90+% of the people that don't aren't exposed to,
well, you know. It shifts the responsibility to the
people who want to assume the additional risk rather
than exposing those who don't.

How many people still believe in end-to-end MSRPC/NetBIOS
over the Internet? Or Oracle listener? The vendors'
own documentation recommends against it.

We've been operating in an inbound default deny mode
more or less for the student networks since 2003 and
for several populations of administrative desktop
users for over a year with little or no problems.

> or are you about to go off into
> the "Walled Garden" model of communications?

> And although "Walled Garden" may be acceptable at a corporation, how do you
> sell it politically at a university or college?

Well, first it's not a "walled garden" model. It's more a
"seek and ye shall receive" model as opposed to a "duck,
you're about to receive" model. :)

Such a model may be more important in an academic setting
than in a corporate setting.

It will help protect people who bring up "test" servers,
"temporary" servers, student projects, labs, new computers,
and esoteric applications. It will provide a safer
environment in which to learn.

When SANS starts reporting widespread scans for some weird
port you don't all of a sudden find out about the two
people on the network that were running a Veritas backup
server or Oracle XML FTP server.

Those dozens of postgres, mysql, ssh, remote desktop, WS-FTP,
and VNC servers without need of Internet exposure aren't
exposed.

Of course, we have to assume that there will be a need for
many exceptions and that there will be a *relatively*
easy way for people to request and get those exceptions.
The emphasis will be on ease of use rather than absolute
security. If it can be abused, and if it is abused, and if
we don't catch it, we're no worse off than with the present
default permit policy. :)


--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
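As an added illustration (not part of the original thread or any JMU configuration), a small Python model of the two border policies contrasted above: first-match rules with a default action, evaluated against constructed inbound flows. Addresses are from the documentation ranges and the exception list is a constructed stand-in for whatever a request process approves.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    ports: frozenset   # destination TCP ports; empty means any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def matches(rule, flow):
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and (not rule.ports or flow.port in rule.ports))


def evaluate(rules, default, flow):
    """First matching rule wins; otherwise the border's default action applies."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# Constructed: exceptions approved through the request process described in the post
EXCEPTIONS = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", frozenset({22})),   # one ssh host that asked
    Rule("permit", "0.0.0.0/0", "192.0.2.20/32", frozenset({443})),  # the public web server
]
DEFAULT_PERMIT = ([], "permit")          # no rules; everything inbound reaches campus
DEFAULT_DENY = (EXCEPTIONS, "deny")      # only requested exceptions reach campus

INBOUND_FLOWS = {  # constructed sample of Internet-sourced connection attempts
    "forgotten postgres": Flow("203.0.113.5", "192.0.2.77", 5432),
    "lab vnc": Flow("203.0.113.5", "192.0.2.88", 5900),
    "desktop smb": Flow("203.0.113.5", "192.0.2.33", 445),
    "approved ssh": Flow("203.0.113.5", "192.0.2.10", 22),
    "approved https": Flow("203.0.113.5", "192.0.2.20", 443),
}


def exposure(policy, flows=INBOUND_FLOWS):
    """Map each sample flow to the action the given (rules, default) policy takes."""
    rules, default = policy
    return {name: evaluate(rules, default, flow) for name, flow in flows.items()}
```

Under default permit every forgotten server is reachable; under inbound default deny only the two hosts whose owners requested exposure are.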
