Re: Inbound Default Deny Policy at Internet Border

[stanislav shalunov <shalunov () INTERNET2 EDU>]

Gary Flynn <flynngn () JMU EDU> writes:

> I'm not suggesting blocking connectivity for people that
> need it. I'm suggesting protecting people from connectivity
> that don't need it.

I gave an example of connectivity need.  How would the connectivity be
provided?

> > [...] Scans could come from within, especially in
> > a university environment.  What about a default ``deny'' policy in
> > every Ethernet switch?
>
> Diminishing returns. At the border, I cut direct access from
> from 600 million people to 15 thousand.

I believe this is a fallacy.  Most threats come from within even for
commercial entities, and especially in a university environment, with
lots of bored smart young people who like to tinker.

(Not to mention the fact that default inbound deny in every node means
not much communication -- what's outbound for you is inbound for the
other end.)

> > your campus.  What request would I need to make to get this thing to
> > work to its full potential?  (Keep in mind that I don't even know its
> > IP address, which, I gather, it gets from DHCP.)
>
> Well, first, if its at your home, it wouldn't much matter.

A university campus ought to have a better connectivity than the
average house.  If something works at home and doesn't work on campus,
things are seriously broken with the campus.

> If its on campus, I'd hope that expecting someone to do a
> little more research or ask for support assistance before
> tying an unknown, development level device to both their
> university computer and university phone system on what
> may possibly be an administrative subnet would not be
> too much to ask with or without network access controls.

Why?  The network is there to serve the users, and not the other way
around, right?  Ensuring security is not the most important thing
(otherwise, you'd simply disconnect the network, as any place that
needs serious security has done -- or rather, they never connected
it).  The device in question, with its proprietary embedded OS, is far
less likely to realistically be a target of any attack than almost any
general-purpose computer.

The device, of course, is simply a convenient example of the kind of
innovation the policy would cut off by being rigid and inflexible
about the model of using the network.  Those Jini-enabled thermometers
for checking on your lab from home and while traveling?  Won't work
either (at least not trivially).

If you have special subnets where connectivity needs to be crippled by
design (for example, users there asked for it), by all means go ahead.
Otherwise, the utility of the network is diminished to the point where
users who need to do anything new will start dialing out/using
external wireless.

> The network access controls just protect the campus and university
> resources from just such an occurrence if someone decides they want
> to install a web/database/beta/anything server with insufficient
> knowledge and preparation.

Wouldn't it also be possible to scan for unexpected things and contact
the owners?

> The way I envision the system working is to have a web request
> system where a person can request opening inbound access for
> IP addresses they are registered as owning (we have a campus
> wide Perfigo system). Initially, changes would be manual but
> the process could be automated after we gain more experience.

That's better than not having the process, but reversing the default
-- so that you need to ask to have your connectivity cut off would be
even better.  A compromise would be to tell users that the policy
would be implemented a month in advance and let them opt out.

> I don't envision an approval process although there may be
> some sanity checking and auditing to check for abuse. The
> process may also kick off an automated vulnerability scan
> before access is granted.

Vulnerability scans are a good idea, but why only give them to a
subset of machines?  Why not scan everything?

> The person responsible for an IP address may also have access to
> network log entries associated with that address to help them
> determine if their problems are being caused by network access
> controls and what specific access is being attempted by the
> application in question.  Some intelligent parsing of the data may
> make it more useful for unsophisticated users. It may be difficult
> because of the number of infection/probe attempts that show up in
> the logs but that may prove to be beneficial for security
> awareness. :)

I wonder if healthy average people were notified about each of the
tens of millions of pathogenic microbes their skin carries (and kills)
all the time, would they shut themselves into clean rooms and get on
antibiotic treatments...  Or would they simply be overloaded with
information (00:00:00 Staphylococcus aureus (3k units) disabled on
left pinky; 00:00:00 diphtheroids (10k units) found on nasal mucous
membrane...clean-up complete; ...).

--
Stanislav Shalunov              http://www.internet2.edu/~shalunov/

This message is designed to be viewed at sea level.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.