Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border


From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Tue, 17 May 2005 09:00:48 +1200

On 16 May 2005 at 10:07, John Kristoff wrote:

On Mon, 16 May 2005 10:04:17 -0400
Gary Flynn <flynngn () JMU EDU> wrote:

It wouldn't restrict innovation because the connectivity would
be available for the asking. But that convenience vs security
thing would definitely be an issue.

In the short term it will, but you're right in the long term it may
not, but not because people will ask for connectivity.  As one may
remember when users wanted freedom from the glass house, PCs appeared.
When users wanted remote connectivity to those PCs, modems appeared
on the desktops.

Something will develop so that users get 'freedom to connect' back.
Maybe not fully realized for a decade or two, but my bet is that it's
coming and I just hope I am around to see and take advantage of that
innovation.

John is right in that some users will develop workarounds. That's part
and parcel of the industry. I've never taken the approach, however, of
not taking action simply because someone MIGHT circumvent things.

90% of users only require basic Internet access (web, mail and so
on).  Blocking of inbound traffic for these users takes no productivity
away. Of the remaining users most only require access to well
defined protocols. We have very few users who require something
unusual.

When rolling out a policy like this keep the users and admins well
informed.  Answer their questions and listen to their problems. If you
keep them on side even ardent "you have no right to restrict me"
researchers will be singing your praises. Trust me, I've experienced
this.

I say go for it and reap the benefits.

Mark.
--
Mark Borrie
IT Security Officer,
Information Technology Services, University of Otago,
Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409
