Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Fri, 25 Apr 2008 17:14:13 -0400

Any notion that a person needing access should just have it violates the
idea that if they know they need it they must have at least a basic
knowledge of what "it" is.

I don't think I want a researcher (or whomever) that doesn't understand
that they need port 25 open to have the ability to create an accessible
application and run it on our network - sounds like they would need to
do more research first :-)

How to determine if the network user has the competence to have such
power...if they know they have to protect/secure their servers port 25
activity, means they know that port 25 is a risk, means they know that
they need port 25, which means they understand network communication
protocols...so why not just know they have to ask/state "I need port X
open for my research"? (I sure hope our students are being prepared for
the "real world" because believe it or not, most companies have these
types of controls - in my experience)

We have a default deny inbound and misc ports blocked outbound
(including 25). We also have a "firewall rule request form".
We have very little research activities on this campus and work very
closely with departments doing any type of IT
program/research/project/etc.

My .02

Greg


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Van Norman
Sent: Friday, April 25, 2008 1:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outbound SMTP


This brings me to one of my concerns.  Why do we have to engineer our
entire networks in one fashion?  How about a research network, where
port 25 was open, and an administrative network where it's not?  If
every time I say lets do X, you respond with but so and so needs X,
we make no progress.  How about we do X, where practical, and still
allow so and so the use of an open network?  If network security
is going to make significant strides we need to quit catering
to the least common denominator.

I agree wholeheartedly that we shouldn't cater to the least common
denominator.  However, today the leanings seem to be break the network
first, and then open things up when there is a justification.  This puts
the burden on legitimate users of the network to justify their use and
get permission because a few users/devices cause trouble.  Just my
opinion, but people tend to innovate less when you put up barriers to
innovation.  Making somebody get permission before trying something new
is a barrier (no matter how low you try to make it).

/Mike
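The two positions in this thread (Greg's default-deny inbound with outbound 25 blocked plus a rule request form, and Mike's split into a research network where 25 is open and an administrative network where it is not) can both be expressed as one segmented policy. The following is an added example, not code from either poster or from EDUCAUSE: it models the policy as an ordered first-match rule list, evaluates constructed sample flows against it, shows how a rule-request exception would be layered on top, and renders the same policy as an nftables sketch. The address ranges (10.20.0.0/16 research, 10.10.0.0/16 admin), the interface name wan0 and the ticket reference are assumptions made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed campus addressing (assumed for the example, not from the thread).
RESEARCH_NET = ip_network("10.20.0.0/16")   # hypothetical research network
ADMIN_NET = ip_network("10.10.0.0/16")      # hypothetical administrative network
CAMPUS_NETS = [RESEARCH_NET, ADMIN_NET]
SMTP = 25


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False   # True if the packet belongs to an existing session


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    src: Optional[object] = None   # ip_network, or None for "any source"
    dport: Optional[int] = None    # destination port, or None for "any port"
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.src is not None and ip_address(flow.src) not in self.src:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


# Outbound policy: research segment may speak SMTP directly; everyone else
# must relay through the campus mail gateway (Greg's "misc ports blocked outbound").
OUTBOUND_RULES: List[Rule] = [
    Rule("accept", src=RESEARCH_NET, dport=SMTP, comment="research segment runs its own MTAs"),
    Rule("drop", dport=SMTP, comment="admin segment relays via the campus mail gateway"),
]


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in CAMPUS_NETS)


def direction(flow: Flow) -> str:
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal"


def evaluate(flow: Flow, outbound: List[Rule] = OUTBOUND_RULES) -> str:
    """Return 'accept' or 'drop' for a flow under the segmented policy."""
    d = direction(flow)
    if d == "inbound":
        # Default deny inbound: only replies to sessions opened from inside pass.
        return "accept" if flow.established else "drop"
    if d == "outbound":
        for rule in outbound:          # first match wins
            if rule.matches(flow):
                return rule.action
        return "accept"                # outbound default: allow what is not listed
    return "accept"                    # intra-campus traffic is not filtered here


def with_exception(rules: List[Rule], host: str, dport: int, ticket: str) -> List[Rule]:
    """Model an approved firewall rule request: a host-specific accept rule
    inserted ahead of the block, annotated with its ticket reference."""
    exc = Rule("accept", src=ip_network(host + "/32"), dport=dport,
               comment=f"exception per rule request {ticket}")
    return [exc] + list(rules)


def render_nft(outbound: List[Rule] = OUTBOUND_RULES) -> str:
    """Render the policy as an nftables ruleset sketch (wan0 is an assumed uplink)."""
    lines = [
        "table inet campus {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        '    iifname "wan0" ct state new drop comment "default deny inbound"',
    ]
    for r in outbound:
        src = f"ip saddr {r.src} " if r.src is not None else ""
        port = f"tcp dport {r.dport} " if r.dport is not None else ""
        lines.append(f'    oifname "wan0" {src}{port}{r.action} comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
    for f in [Flow("10.20.5.5", "203.0.113.10", SMTP),     # research host sending mail
              Flow("10.10.5.5", "203.0.113.10", SMTP),     # admin host sending mail
              Flow("10.10.5.5", "203.0.113.10", 443),      # admin host browsing
              Flow("198.51.100.7", "10.10.5.5", 22)]:      # unsolicited inbound SSH
        print(f"{f.src:>14} -> {f.dst}:{f.dport:<4} {evaluate(f)}")
    print(render_nft(with_exception(OUTBOUND_RULES, "10.10.7.7", SMTP, "FWREQ-0001 (constructed)")))
```

The rendered nftables text is only a sketch of what the rule list would look like on a border firewall; the point of the example is that a segment-wide allowance and a per-host exception are both ordinary entries in the same ordered list, so the "research network" and the "rule request form" are not competing designs but two layers of one policy.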
