Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 16 May 2005 10:04:17 -0400

Michael Sinatra wrote:

Gary Flynn wrote:

> > We're looking at implementing a default deny
> > inbound policy at our Internet border this
> > summer.
> >
> > Anyone have any concerns or experiences they
> > would like to share?


> I don't really believe that a default-deny policy has a place at the
> _border_ of a research university.  It may make sense at certain
> administrative department boundaries (which gives you a smaller
> vulnerability perimeter anyway) where there might be sensitive data.
> But where the mission is research and innovation, I just can't accept
> that we're doing anyone (even ourselves) a favor by blocking ports at
> the border.

Out of curiosity, do you allow inbound MS-RPC and netbios at
your border? SNMP? I could probably scan and find out but
I'd imagine that would be considered bad manners. :)

> Between the number of exceptions that inevitably get
> requested and the general permeability of the physical boundaries of a
> college campus, in the end the risk reduction of such a policy becomes
> substantially weakened.

I acknowledge that a formal risk assessment may better tease
out the benefits and cost. But we can always go backwards if
we find the problems caused by the system are worse than
the problems we experienced without the system.

> I don't think such weak risk reduction trumps
> the innovation-restricting and general inconvenience (equalling lost
> productivity and increased costs) that such a policy imposes.

It wouldn't restrict innovation because the connectivity would
be available for the asking. But that convenience vs. security
thing would definitely be an issue.

> But I
> recognize the diversity of institutions on this list, and encourage you
> to think about how such a policy supports or clashes with your
> institution's mission.

I'm hoping it will let people concentrate more on the mission
and less on having to deal with a high threat environment
all the time.

--
Gary Flynn
Security Engineer
James Madison University
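For readers who want to see concretely what "default deny inbound, connectivity available for the asking" looks like in a packet filter, the following nftables ruleset is an added example for this archive page; it is not from either author's message and was not part of the original thread. The interface names (eth0 facing the Internet, eth1 facing campus), the 192.0.2.0/24 addresses and the two granted exceptions are assumptions chosen for illustration.

```nft
# Added example (not from the thread): default-deny inbound at an Internet border,
# with an explicit exception set that is the only way traffic gets in.
# Assumed: eth0 = Internet side, eth1 = campus side, 192.0.2.0/24 = campus public range.
table inet border {
    # Exceptions that have been requested and approved, keyed by address and TCP port.
    # Adding or removing an element is the whole "available for the asking" process.
    set allowed_tcp_services {
        type ipv4_addr . inet_service
        elements = { 192.0.2.10 . 443,    # assumed: departmental web server
                     192.0.2.25 . 25 }    # assumed: campus mail relay
    }

    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that campus hosts initiated are allowed back in,
        # so outbound use of the Internet is unaffected by the inbound policy.
        ct state established,related accept
        ct state invalid drop

        # Campus-originated traffic toward the Internet is not restricted here.
        iifname "eth1" oifname "eth0" accept

        # Inbound from the Internet: only the approved exceptions.
        iifname "eth0" oifname "eth1" ip daddr . tcp dport @allowed_tcp_services accept

        # Unsolicited inbound traffic (MS-RPC, NetBIOS, SNMP, anything else not
        # in the set) falls through to the drop policy; log a sample so the
        # security team can see what is being blocked and field exception requests.
        iifname "eth0" limit rate 10/second log prefix "border-drop " counter
    }
}
```

Load it with `nft -f border.nft` and inspect the running policy with `nft list ruleset`. Two design points match the discussion above: the `ct state established,related accept` line is what keeps a default-deny inbound policy from interfering with campus-initiated connections, and because the whole policy lives in one table, "going backwards" if it causes more trouble than it prevents is a single `nft delete table inet border`. The example matches IPv4 destinations only; an IPv6 campus range would need a parallel set keyed on `ip6 daddr`.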
