Educause Security Discussion mailing list archives

Re: Internet ingress port-blocking


From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Thu, 17 Aug 2017 17:50:53 +0000

Sure, that's Security 101, but I'm looking to understand the generic ruleset for traffic that shouldn't enter anyone's 
network ... not mine specifically. Again, e.g., blocking RFC 1918 addresses. I'm not looking to secure my services at 
this point; that is done elsewhere on my network. At this point of access, I'm looking to control unwanted/generally 
malicious traffic.

Thanks,
Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Velislav 
K Pavlov
Sent: Thursday, August 17, 2017 12:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Internet ingress port-blocking

Map your external attack surface. Figure out what is visible (asset, header, service/port). Break out the visible 
assets by what you (IT/Sec) manage and don't manage. Start with cleaning up what you manage and have control over. Move 
to what you don't manage. Communicate with the appropriate parties and make them part of the solution. Show them 
reports and your findings. Maybe users/admins don't know what is exposed and visible. Limiting your attack surface will 
reduce the network noise. Once you have cleaned up, G.D.'s registration process is a neat way to be proactive.

Vel Pavlov | Coordinator, IT Security 
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, 
Security+, CNA, MPCS, ITILv3F, A+ 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garrett 
Hildebrand
Sent: Thursday, August 17, 2017 12:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Internet ingress port-blocking


We are reviewing the rulesets on our ingress routers from the Internet. I'd like to ask what general 
ports/applications/services/etc. are people blocking? I'm not talking about specific DDoS hosts/subnets or the like, 
just general practice (e.g. blocking RFC 1918 addresses coming from the Internet).

We block all connections from off-campus by default. We have a web-based Server Registration tool that allows people to 
open ports on the border firewall for systems they are responsible for.

Here are the choices one gets in that tool:

* This system does not need to be contacted from off campus. (No ports open.)
o I am running Linux and want to use SSH to access my computer from off-campus. (Port 22 enabled.)
o This system is a server. I run my own firewall or have taken other security precautions. (Warning, all ports will be open.)
o I would like to specify which ports to open. (Advanced)

Garrett
-==-==-
G.D. Hildebrand              Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913                   email: gdh () uci edu
Created new page 15 December 2016


Today (Thu, 17 Aug 2017) at 15:53 -0000 Brian Helman wrote:

We are reviewing the rulesets on our ingress routers from the Internet. I'd like to ask what general 
ports/applications/services/etc. are people blocking? I'm not talking about specific DDoS hosts/subnets or the like, 
just general practice (e.g. blocking RFC 1918 addresses coming from the Internet).

Thanks,
Brian

(x-posting to the NETMAN list as well)


____________________________________
Brian Helman, M.Ed | Director, ITS/Networking Services | 978.542.7272
Salem State University, 352 Lafayette St., Salem, Massachusetts 01970
GPS: 42.502129, -70.894779
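
Added example, not part of the thread or any poster's configuration: a Python check that audits border flow-log lines for source addresses that should never arrive from the Internet, starting from the RFC 1918 case named in the question. It goes beyond the thread by also listing other IANA special-purpose source ranges; the log format, field names and sample lines are constructed assumptions.

```python
import ipaddress
import re

# RFC 1918 is the example named in the thread; the other ranges are an added
# assumption taken from the IANA special-purpose address registry (RFC 6890).
BOGON_SOURCES = [(ipaddress.ip_network(n), why) for n, why in [
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("0.0.0.0/8", "this-network"),
    ("100.64.0.0/10", "shared address space (RFC 6598)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("224.0.0.0/4", "multicast used as source"),
    ("240.0.0.0/4", "reserved"),
]]
SRC_FIELD = re.compile(r"\bsrc=(\S+)")  # hypothetical key=value log format

def classify_source(addr):
    """Return why this source must not arrive from the Internet, or None."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "unparseable source"
    for net, why in BOGON_SOURCES:
        if ip in net:
            return why
    return None

def audit(lines):
    """Return (source, reason) for each logged flow ingress should have dropped."""
    findings = []
    for line in lines:
        m = SRC_FIELD.search(line)
        reason = classify_source(m.group(1)) if m else None
        if reason:
            findings.append((m.group(1), reason))
    return findings

SAMPLE_LOG = [  # constructed flow-log lines seen on the Internet-facing interface
    "in=wan src=8.8.8.8 dst=192.0.2.10 dport=443",
    "in=wan src=10.20.30.40 dst=192.0.2.10 dport=22",
    "in=wan src=172.31.255.254 dst=192.0.2.10 dport=80",
    "in=wan src=172.32.0.1 dst=192.0.2.10 dport=80",
    "in=wan src=127.0.0.1 dst=192.0.2.10 dport=53",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any finding means the ingress ACL passed a packet whose source cannot be legitimate on the public Internet; 172.32.0.1 is deliberately included because it sits just outside 172.16.0.0/12 and must not be flagged.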



