Educause Security Discussion mailing list archives

Re: Internet ingress port-blocking


From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Thu, 17 Aug 2017 17:45:43 +0000

Yeah, I guess I wasn't clear.  People are answering the wrong question.  I know how to secure the network.  I'm asking 
about generic blocking of traffic that either never needs to come in or should be considered suspicious because of its 
wide use for DDoS, independent of what services I provide.  

I have both high-end routers in place and next gen firewalls.  This allows me to place a BGP-capable device at the 
border that is better capable of handling DDoS attacks without the load of service-specific policies.  The firewalls 
handle what you all are describing.

Thanks,
Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garrett Hildebrand
Sent: Thursday, August 17, 2017 12:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Internet ingress port-blocking

We are reviewing the rulesets on our ingress routers from the Internet.  I'd like to ask what general 
ports/applications/services/etc are people blocking?  I'm not talking about specific DDoS hosts/subnets or the like, 
just general practice (e.g. blocking RFC 1918 addresses coming from the Internet).

We block all connections from off-campus by default. We have a web-based Server Registration tool that allows people to 
open ports on the border firewall for systems they are responsible for.

Here are the choices one gets in that tool:

- This system does not need to be contacted from off campus. (No ports open.)

- I am running Linux and want to use SSH to access my computer from off-campus. (Port 22 enabled.)

- This system is a server. I run my own firewall or have taken other security precautions. (Warning, all ports 
will be open.)

- I would like to specify which ports to open. (Advanced)

Garrett
-==-==-
G.D. Hildebrand              Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913                   email: gdh () uci edu
Created new page 15 December 2016
My URL is http://about.me/garretthildebrand *Splunk - the Benihana of log-data slicing and dicing.*

Don't be a victim of phishing. Legitimate businesses don't ask you to send sensitive information through insecure 
channels. Learn more:
http://er.educause.edu/blogs/2016/3/april-dont-get-hooked
Handle passwords wisely: http://www.bbc.com/news/technology-37510501

Today (Thu, 17 Aug 2017) at 15:53 -0000 Brian Helman wrote:

We are reviewing the rulesets on our ingress routers from the Internet.  I'd like to ask what general 
ports/applications/services/etc are people blocking?  I'm not talking about specific DDoS hosts/subnets or the like, 
just general practice (e.g. blocking RFC 1918 addresses coming from the Internet).

Thanks,
Brian

(x-posting to the NETMAN list as well)


____________________________________
Brian Helman, M.Ed | Director, ITS/Networking Services | tel.: 978.542.7272
Salem State University, 352 Lafayette St., Salem, Massachusetts 01970
GPS: 42.502129, -70.894779
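As an added illustration (not code from either poster, and not the registration tool or border configuration of any campus named above), the following Python models the two layers the thread separates: a border filter that drops packets whose source address can never legitimately arrive from the Internet (the RFC 1918 case Brian names, extended with the other standard unroutable blocks, plus the campus's own prefix seen as a source), and a default-deny per-host allowlist in the style of Garrett's registration choices (no ports, SSH only, all ports, an explicit list). The campus prefix 203.0.113.0/24, the host addresses, the policies and the sample packets are all constructed for the example.

```python
"""Toy ingress policy evaluator for an Internet-facing border (added example).

Two layers are modelled, mirroring the thread:
  1. source-address sanity on the border device (bogon / spoofed-source drops),
  2. a default-deny per-host port allowlist like a server-registration tool.
Every address, host and policy below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Union

# Source prefixes that should never arrive on an Internet-facing interface.
# RFC 1918 is the example given in the thread; the rest are the usual
# unroutable blocks ("this network", loopback, link-local, multicast, reserved).
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed campus prefix (documentation range). Traffic from the Internet
# claiming one of our own addresses as its source is spoofed and is dropped.
CAMPUS = ipaddress.ip_network("203.0.113.0/24")

ALL_PORTS = "all"


@dataclass(frozen=True)
class HostPolicy:
    """One registration entry: which destination ports may be reached."""
    allowed: Union[FrozenSet[int], str] = frozenset()  # set of ports, or ALL_PORTS

    @classmethod
    def none(cls) -> "HostPolicy":            # "does not need to be contacted"
        return cls(frozenset())

    @classmethod
    def ssh_only(cls) -> "HostPolicy":        # "Port 22 enabled"
        return cls(frozenset({22}))

    @classmethod
    def everything(cls) -> "HostPolicy":      # "all ports will be open"
        return cls(ALL_PORTS)

    @classmethod
    def ports(cls, *ports: int) -> "HostPolicy":  # "specify which ports" (Advanced)
        return cls(frozenset(ports))

    def permits(self, port: int) -> bool:
        return self.allowed == ALL_PORTS or port in self.allowed


# Constructed registry: address -> what its owner chose in the tool.
REGISTRY = {
    "203.0.113.10": HostPolicy.none(),          # workstation, nothing inbound
    "203.0.113.20": HostPolicy.ssh_only(),      # Linux box, SSH from off campus
    "203.0.113.30": HostPolicy.everything(),    # server running its own firewall
    "203.0.113.40": HostPolicy.ports(80, 443),  # web server, explicit ports
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def border_verdict(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for one packet arriving from the Internet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Layer 1: generic, service-independent checks suited to the border router.
    if any(src in net for net in BOGON_SOURCES):
        return "drop:bogon-source"
    if src in CAMPUS:
        return "drop:spoofed-campus-source"
    if dst not in CAMPUS:
        return "drop:not-our-prefix"
    # Layer 2: per-host policy, the kind of rule the firewall behind it carries.
    policy = REGISTRY.get(pkt.dst)
    if policy is None:
        return "drop:unregistered-host"
    if not policy.permits(pkt.dport):
        return "drop:port-not-registered"
    return "accept"


def evaluate(packets) -> dict:
    """Map each packet to its verdict; handy for reviewing a ruleset change."""
    return {pkt: border_verdict(pkt) for pkt in packets}


if __name__ == "__main__":
    sample = [  # constructed inbound packets
        Packet("192.168.1.5", "203.0.113.40", "tcp", 443),   # RFC 1918 source
        Packet("203.0.113.9", "203.0.113.40", "tcp", 443),   # spoofed campus source
        Packet("198.51.100.7", "203.0.113.40", "tcp", 443),  # web server, allowed
        Packet("198.51.100.7", "203.0.113.20", "tcp", 80),   # SSH-only host, denied
        Packet("198.51.100.7", "203.0.113.99", "tcp", 443),  # never registered
    ]
    for pkt, verdict in evaluate(sample).items():
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict}")
```

The split between `border_verdict`'s first three checks and the registry lookup is the point of Brian's clarification: the source-address tests need no knowledge of which services exist, so they can live on the BGP-capable border device, while the per-host allowlist is the service-specific policy the firewalls behind it carry.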



