Educause Security Discussion mailing list archives
Firewalls and all that (was Re: SECURITY Digest - 23 Sep 2005 to 26 Sep 2005 (#2005-176)
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 28 Sep 2005 14:08:03 -0400
On Wed, 28 Sep 2005 09:21:27 EDT, "Scholz, Greg" said:
> Unless I am missing the point somewhere, wouldn't a "default deny" inbound help to alleviate this?
Last I looked, it was mostly .edu's here. Maybe you've got a different environment there where you can politically get away with cramming a "default deny" down the user's throats, but a lot of us have to act more like ISPs than like corporations. Another potential land mine is whether, by conducting aggressive filtering to block X, Y, and Z, you become liable if you happen to let something slip through by accident (although this is more an issue regarding copyright violations and porn-spam-causing-a-hostile-workplace and similar scenarios). I'd not want to be the poster child for *that* case. ;)
> Not to push us to a political discussion but someone else mentioned ...
That was me.
> "until we get to the point of only allowing ports 80 and 443"...that is pretty much default deny in my book.
Right. And having denied everything but 80/443, how do you deal with the fact that you now have to do deep packet inspection, and possibly nasty MITM tricks, to sort out "real" HTTP/HTTPS versus "something layered on it, possibly even with an XML encapsulation, just because that port is open"?
> I am spending much of my time on campus discussing what default inbound deny really means to gain support and as I gain that support, protecting the areas that I can. So far I find that most faculty and staff are shocked when I explain to them in non-technical terms what a default permit allows (the bad stuff) and what a default deny could protect them from. So far I have had solid support on a dept by dept basis.
Do you also make clear that "default deny" means that they have to come and beg permission each time they want to use a new application/protocol that isn't on your "approved" list, and that it makes you, not them, the ultimate authority on what they can do with their own machines? (This gets particularly hairy if you have resident students on campus, who have machines that are not owned by the institution). Also, remember that it only takes one important and/or vocal department chair yelling "But you never told us *THAT* part!" to make life really challenging from that moment on.
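The point made above about ports 80 and 443 (a "default deny" that still admits anything that merely uses those port numbers) can be illustrated with a small payload-conformance check. The following is an added example, not code from the original thread or from any of its participants; the flow samples are constructed, and the helper names (`classify_payload`, `audit`) are mine. It looks at the first bytes of an inbound flow and asks whether a port-80 flow actually starts with an HTTP request line and whether a port-443 flow actually starts with a TLS ClientHello record. Anything else on those ports is flagged for a human to look at.

```python
"""Minimal first-packet protocol conformance check for flows admitted by a
port-based "allow only 80/443" policy.  Added example; the sample flows below
are constructed for illustration, not captured traffic."""
import re
import struct

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the bytes begin with a TLS handshake record carrying a ClientHello.
    Record header: content type 0x16 (handshake), version 3.x, 2-byte length;
    the first handshake message byte 0x01 is ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or major != 3 or minor > 4:
        return False
    return data[5] == 0x01


def classify_payload(port: int, data: bytes) -> str:
    """Return 'http', 'tls' or 'other' for the opening bytes of a flow on a port
    that the firewall policy allows.  'other' means the port number was the only
    thing that got the flow through the filter."""
    if port == 80:
        return "http" if REQUEST_LINE.match(data) else "other"
    if port == 443:
        return "tls" if looks_like_tls_client_hello(data) else "other"
    return "other"


# Constructed sample flows: (destination port, first bytes of client payload)
CLIENT_HELLO = bytes.fromhex("1603010030010000") + b"\x00" * 44
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"),
    (443, CLIENT_HELLO),
    # Well-formed HTTP carrying an XML body: passes the HTTP check, which is
    # exactly the "something layered on it" case the thread describes.
    (80, b"POST /rpc HTTP/1.1\r\nHost: www.example.edu\r\n"
         b"Content-Type: text/xml\r\n\r\n<?xml version=\"1.0\"?><Envelope/>"),
    # An SSH banner on port 80: allowed by port number, not HTTP at all.
    (80, b"SSH-2.0-ExampleSSH_1.0\r\n"),
    # Plaintext HTTP on 443: allowed by port number, not TLS.
    (443, b"GET / HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"),
]


def audit(flows):
    """Return (port, classification) for every flow whose opening bytes do not
    match the protocol the port is supposed to carry."""
    findings = []
    for port, data in flows:
        kind = classify_payload(port, data)
        expected = "http" if port == 80 else "tls"
        if kind != expected:
            findings.append((port, kind))
    return findings


if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, classify_payload(port, data), data[:24])
    print("non-conforming flows:", audit(SAMPLE_FLOWS))
```

Two things are worth noticing. The SSH banner on port 80 and the plaintext HTTP on port 443 are caught, which is the cheap part of "deep packet inspection". The XML-over-POST flow is reported as perfectly good HTTP, because it is; deciding whether that request is a legitimate web-service call or a tunnel for something else requires parsing the application layer, and for 443 it requires terminating TLS in the middle, which is the "nasty MITM tricks" cost the reply refers to.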