Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Sun, 15 May 2005 21:01:15 -0400
Gary Flynn <flynngn () JMU EDU> writes:
We're looking at implementing a default deny inbound policy at our Internet border this summer.
As long as it isn't called ``Internet'' border, but rather ``Web and Email'' border, that's a fine policy. If the campus is to run advanced applications, it needs Internet connectivity.

Why stop with the policy at the border? Scans could come from within, especially in a university environment. What about a default ``deny'' policy in every Ethernet switch?

The day before yesterday, I got this little hardware VoIP/POTS combination thingie, which I'm going to try at home. I'm not sure how it works. I'm not sure how to read the serial number, but it's possible that fewer than 100 units [sic!] of these were sold so far. It's a very early stage device. Development is ongoing.

The manual that came with it tells me how to plug it in, but it's really zero configuration. It claims it will even somehow determine my phone number (I guess it might call some 800 number, have ANI determine the number, and transmit it back on the line, but I'm just guessing).

I have no faintest clue which protocols it supports, let alone which port numbers it is going to use. I assume these aren't static, as the thingie can reprogram itself with a new flash (one of the few things the manual does tell you is how to tell it's writing flash -- and how it's important to avoid unplugging it at that time).

Anyone with the same kind of thingie can dial my (normal) number and, by magic, they would connect to me over IP. It also interconnects with a few established VoIP networks. By default, calls go over POTS. (You can also order service for it, but that requires paying something extra regularly, of course; in its default config, it uses no resources of the company that sells it -- other than directory services -- and is ``free'' to use.)

At home, I'm going to just plug it into Ethernet, power outlet, phone line, and attach a handset.

Suppose I were at your campus. What request would I need to make to get this thing to work to its full potential? (Keep in mind that I don't even know its IP address, which, I gather, it gets from DHCP.)

--
Stanislav Shalunov http://www.internet2.edu/~shalunov/

Just my 0.086g of Ag.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.