Educause Security Discussion mailing list archives

Re: Inbound Default Deny Policy at Internet Border (fwd)


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Mon, 16 May 2005 23:08:19 -0400

Hi,

This was supposed to go to the list, not just me.

Joel

------------ Forwarded Message ------------
Date: Monday, May 16, 2005 3:54 PM -0400
From: marchany () vt edu
To: Joel Rosenblatt <joel () columbia edu>
Subject: Re: [SECURITY] Inbound Default Deny Policy at Internet Border

My .02 worth.

1. The mission of the University is to create an environment where information can be exchanged freely.

2. Deny/All at the border is a short term solution that will cause added paperwork whenever someone wants to do some work that requires a mod to this ACL. How long will it take to get an exception? How long does the exception last? Who's authorized to deny/grant the exception? What's the due process? etc.

3. Deny/All places no responsibility on the end user. It sends the message that "we" will take the brunt of your bad practices. There is no incentive for the user to change their habits.

4. It doesn't do much for internal attacks.

Possible solutions:

1. Create a DENY/Small-subset at the border. Things like inbound 445, 137-9.

2. Create a default DENY/ALL for all HOST based firewalls. Let the user open up what's needed. Block pings here if you want. If commercial vulnerability scanners can't scan because of ping blocks, then most of the other bad boy scanners won't either (yeah, I know, good hackers can find you). If everyone blocks pings, the machines that don't are the ones you want to take a closer look at, and they're easy to find.

3. If a user opens up everything, they'll get hit and hopefully everyone else will be protected by their default FW rules. The victim's behavior will be modified after a couple of reinstalls.

4. There is no need for creating more paperwork for exception handling. Responsibility is where it needs to be ---- at the end user.

As IT people, we forget that we are managing "staplers, typewriters, calculators" for real-world people. Dangerous office equipment, mind you, but office equipment to the real world, nonetheless. The more we interfere with the business, the more the business will try to circumvent, and that, in the long run, is more dangerous. Why? Because now you have an environment where the outside world (hackers) is trying to set up covert channels and the users are trying to set up covert channels to get around your restrictions.


       -r.


---------- End Forwarded Message ----------



Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
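The two-layer policy laid out in the forwarded message (a small inbound deny list at the border, default deny on every host that the user opens up as needed), written out as an added nftables example that is not part of the thread; the interface names, the campus layout and the one user-opened SSH service are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original thread. Interface names and the
# user-opened SSH service are assumptions for illustration.
flush ruleset

# --- Border: default ALLOW, deny only a small inbound subset ---
table inet border {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # "eth0" = Internet-facing, "eth1" = campus side (assumed names).
        # Inbound NetBIOS (137-139) and SMB (445) from the Internet are dropped;
        # everything else passes, so no exception paperwork for other services.
        iifname "eth0" oifname "eth1" tcp dport { 137, 138, 139, 445 } drop
        iifname "eth0" oifname "eth1" udp dport { 137, 138, 139, 445 } drop
    }
}

# --- Each host: default DENY inbound, user opens only what is needed ---
table inet host {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Replies to connections this host started are still allowed.
        ct state established,related accept
        ct state invalid drop
        # A service the user chose to open (assumed: this host runs SSH).
        tcp dport 22 accept
        # No rule accepts ICMP echo requests, so the host does not answer
        # pings; everything not listed above falls through to the drop policy.
    }
}
```

A host whose owner opens everything simply replaces `policy drop` with `policy accept` in its own input chain, which is the case the message expects to be self-correcting after a reinstall or two.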

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.