Educause Security Discussion mailing list archives
Re: Internet ingress port-blocking
From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Thu, 17 Aug 2017 17:45:43 +0000
Yeah, I guess I wasn't clear. People are answering the wrong question. I know how to secure the network. I'm asking about generic blocking of traffic that either never needs to come in or should be considered suspicious because of its wide use for DDoS, independent of what services I provide. I have both high-end routers in place and next-gen firewalls. This allows me to place a BGP-capable device at the border that is better capable of handling DDoS attacks without the load of service-specific policies. The firewalls handle what you all are describing.

Thanks,
Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garrett Hildebrand
Sent: Thursday, August 17, 2017 12:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Internet ingress port-blocking
We are reviewing the rulesets on our ingress routers from the Internet. I'd like to ask what general ports/applications/services/etc. are people blocking? I'm not talking about specific DDoS hosts/subnets or the like, just general practice (e.g. blocking RFC 1918 addresses coming from the Internet).
We block all connections from off-campus by default. We have a web-based Server Registration tool that allows people to open ports on the border firewall for systems they are responsible for. Here are the choices one gets in that tool:

* This system does not need to be contacted from off campus. (No ports open.)
* I am running Linux and want to use SSH to access my computer from off-campus. (Port 22 enabled.)
* This system is a server. I run my own firewall or have taken other security precautions. (Warning, all ports will be open.)
* I would like to specify which ports to open. (Advanced)

Garrett

-==-==-
G.D. Hildebrand
Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913
email: gdh () uci edu
Created new page 15 December 2016
My URL is http://about.me/garretthildebrand
*Splunk - the Benihana of log-data slicing and dicing.*
Don't be a victim of phishing. Legitimate businesses don't ask you to send sensitive information through insecure channels. Learn more: http://er.educause.edu/blogs/2016/3/april-dont-get-hooked
Handle passwords wisely: http://www.bbc.com/news/technology-37510501

Today (Thu, 17 Aug 2017) at 15:53 -0000 Brian Helman wrote:
We are reviewing the rulesets on our ingress routers from the Internet. I'd like to ask what general ports/applications/services/etc. are people blocking? I'm not talking about specific DDoS hosts/subnets or the like, just general practice (e.g. blocking RFC 1918 addresses coming from the Internet).

Thanks,
Brian
(x-posting to the NETMAN list as well)

____________________________________
Brian Helman, M.Ed | Director, ITS/Networking Services | *: 978.542.7272
Salem State University, 352 Lafayette St., Salem Massachusetts 01970
GPS: 42.502129, -70.894779
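The service-independent border filter the thread is circling (drop sources that can never legitimately arrive from the Internet, drop anything not addressed to us, drop a handful of UDP ports that show up inbound almost only as reflection/amplification traffic, and leave everything else to the firewall's per-service policy) can be modelled and checked before it is typed into a router. The block below is an added example written for this page; it is not configuration from Salem State, UC Irvine or anyone on the list. The campus prefix (203.0.113.0/24, RFC 5737 documentation space), the bogon list, the four UDP ports and the sample packets are all assumptions made for the example, and the ACL renderer targets Cisco IOS extended-ACL syntax as one common form.

```python
"""Generic Internet-ingress filter, modelled in Python.

Added example; it is not code or configuration from anyone in this thread.
Policy, evaluated top-down:
  1. drop sources that can never legitimately come from the Internet
     (RFC 1918 and other bogons)
  2. drop packets whose source claims our own prefix (spoofed)
  3. drop packets not addressed to our prefix (no transit)
  4. drop UDP ports that are almost only seen inbound as reflection traffic
  5. permit everything else; per-service policy is the firewall's job
All prefixes and port numbers below are an assumed example policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed campus prefix. RFC 5737 documentation space stands in for it.
CAMPUS_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Sources that must never appear on a packet arriving from the Internet:
# RFC 1918 plus the usual bogon list. 198.51.100.0/24 and 203.0.113.0/24 are
# deliberately left out because this example borrows them as "the Internet"
# and "campus"; a production list would include them.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# UDP ports dropped in both directions: qotd, chargen, SSDP, memcached
# (assumed choice). DNS (53) and NTP (123) are intentionally absent: denying
# them outright breaks legitimate replies to campus resolvers and clients,
# so they are better rate-limited than blocked.
AMPLIFICATION_UDP_PORTS = {17, 19, 1900, 11211}


@dataclass(frozen=True)
class Flow:
    """One packet as seen on the Internet-facing interface (constructed data)."""
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


def ingress_decision(flow: Flow) -> Tuple[str, str]:
    """Evaluate the policy top-down and return ("drop" | "permit", reason)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for net in BOGON_SOURCES:
        if src in net:
            return "drop", f"bogon source {net}"
    if src in CAMPUS_PREFIX:
        return "drop", "source spoofs our own prefix"
    if dst not in CAMPUS_PREFIX:
        return "drop", "destination is not ours (no transit)"
    if flow.proto == "udp":
        for port in (flow.sport, flow.dport):
            if port in AMPLIFICATION_UDP_PORTS:
                return "drop", f"udp/{port} reflection-amplification port"
    return "permit", "generic checks passed; service policy is the firewall's job"


def evaluate_flows(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Apply ingress_decision to every flow and return (flow, action, reason)."""
    return [(f, *ingress_decision(f)) for f in flows]


def render_ios_acl(name: str = "INET-INGRESS") -> List[str]:
    """Render the same policy as Cisco IOS-style extended ACL lines.

    Order matters: bogon/spoof denies first, then the UDP port denies, then a
    single permit to our prefix; the ACL's implicit deny covers transit.
    """
    lines = [f"ip access-list extended {name}"]
    for net in BOGON_SOURCES + [CAMPUS_PREFIX]:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    for port in sorted(AMPLIFICATION_UDP_PORTS):
        lines.append(f" deny udp any eq {port} any")  # replies from a reflector
        lines.append(f" deny udp any any eq {port}")  # requests to make us one
    lines.append(f" permit ip any {CAMPUS_PREFIX.network_address} {CAMPUS_PREFIX.hostmask}")
    return lines


# Constructed sample traffic, not a capture.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "203.0.113.10", "tcp", 51000, 443),     # RFC 1918 source
    Flow("203.0.113.77", "203.0.113.10", "tcp", 51000, 22),     # spoofed campus source
    Flow("198.51.100.5", "192.0.2.9", "tcp", 51000, 80),        # not addressed to us
    Flow("198.51.100.5", "203.0.113.10", "udp", 11211, 40000),  # memcached reflection reply
    Flow("198.51.100.5", "203.0.113.10", "udp", 40000, 1900),   # SSDP probe at a campus host
    Flow("198.51.100.5", "203.0.113.10", "udp", 53, 40000),     # DNS reply: permitted here
    Flow("198.51.100.5", "203.0.113.10", "tcp", 51000, 22),     # SSH: the firewall decides
]

if __name__ == "__main__":
    for flow, action, reason in evaluate_flows(SAMPLE_FLOWS):
        print(f"{action:6} {flow.src:>14} -> {flow.dst}:{flow.dport} {flow.proto}  ({reason})")
    print("\n".join(render_ios_acl()))
```

Running it prints the decision and reason for each constructed packet and then the equivalent ACL. The point of keeping the model separate from the rendered ACL is that the same policy can be replayed against flow records exported from the border (NetFlow/sFlow) to see what a candidate rule would have dropped before it goes live, which is how you catch a port you did not expect campus hosts to depend on.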
Current thread:
- Internet ingress port-blocking Brian Helman (Aug 17)
- Re: Internet ingress port-blocking Garrett Hildebrand (Aug 17)
- Re: Internet ingress port-blocking Velislav K Pavlov (Aug 17)
- Re: Internet ingress port-blocking Brian Helman (Aug 17)
- Re: Internet ingress port-blocking Andy Hooper (Aug 18)
- Re: Internet ingress port-blocking Velislav K Pavlov (Aug 17)
- Re: Internet ingress port-blocking Brian Helman (Aug 17)
- Message not available
- Re: Internet ingress port-blocking John Kristoff (Aug 17)
- Re: Internet ingress port-blocking Garrett Hildebrand (Aug 17)
- <Possible follow-ups>
- Re: Internet ingress port-blocking Joseph Tam (Aug 18)