Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Mon, 16 May 2005 14:19:24 -0400
Gary Flynn <flynngn () JMU EDU> writes:
I'm not suggesting blocking connectivity for people that need it. I'm suggesting protecting people from connectivity that don't need it.
I gave an example of connectivity need. How would the connectivity be provided?
[...] Scans could come from within, especially in a university environment. What about a default ``deny'' policy in every Ethernet switch?Diminishing returns. At the border, I cut direct access from from 600 million people to 15 thousand.
I believe this is a fallacy. Most threats come from within even for commercial entities, and especially in a university environment, with lots of bored smart young people who like to tinker. (Not to mention the fact that default inbound deny in every node means not much communication -- what's outbound for you is inbound for the other end.)
your campus. What request would I need to make to get this thing to work to its full potential? (Keep in mind that I don't even know its IP address, which, I gather, it gets from DHCP.)Well, first, if its at your home, it wouldn't much matter.
A university campus ought to have a better connectivity than the average house. If something works at home and doesn't work on campus, things are seriously broken with the campus.
If its on campus, I'd hope that expecting someone to do a little more research or ask for support assistance before tying an unknown, development level device to both their university computer and university phone system on what may possibly be an administrative subnet would not be too much to ask with or without network access controls.
Why? The network is there to serve the users, and not the other way around, right? Ensuring security is not the most important thing (otherwise, you'd simply disconnect the network, as any place that needs serious security has done -- or rather, they never connected it). The device in question, with its proprietary embedded OS, is far less likely to realistically be a target of any attack than almost any general-purpose computer. The device, of course, is simply a convenient example of the kind of innovation the policy would cut off by being rigid and inflexible about the model of using the network. Those Jini-enabled thermometers for checking on your lab from home and while traveling? Won't work either (at least not trivially). If you have special subnets where connectivity needs to be crippled by design (for example, users there asked for it), by all means go ahead. Otherwise, the utility of the network is diminished to the point where users who need to do anything new will start dialing out/using external wireless.
The network access controls just protect the campus and university resources from just such an occurrence if someone decides they want to install a web/database/beta/anything server with insufficient knowledge and preparation.
Wouldn't it also be possible to scan for unexpected things and contact the owners?
The way I envision the system working is to have a web request system where a person can request opening inbound access for IP addresses they are registered as owning (we have a campus wide Perfigo system). Initially, changes would be manual but the process could be automated after we gain more experience.
That's better than not having the process, but reversing the default -- so that you need to ask to have your connectivity cut off would be even better. A compromise would be to tell users that the policy would be implemented a month in advance and let them opt out.
I don't envision an approval process although there may be some sanity checking and auditing to check for abuse. The process may also kick off an automated vulnerability scan before access is granted.
Vulnerability scans are a good idea, but why only give them to a subset of machines? Why not scan everything?
The person responsible for an IP address may also have access to network log entries associated with that address to help them determine if their problems are being caused by network access controls and what specific access is being attempted by the application in question. Some intelligent parsing of the data may make it more useful for unsophisticated users. It may be difficult because of the number of infection/probe attempts that show up in the logs but that may prove to be beneficial for security awareness. :)
I wonder if healthy average people were notified about each of the tens of millions of pathogenic microbes their skin carries (and kills) all the time, would they shut themselves into clean rooms and get on antibiotic treatments... Or would they simply be overloaded with information (00:00:00 Staphylococcus aureus (3k units) disabled on left pinky; 00:00:00 diphtheroids (10k units) found on nasal mucous membrane...clean-up complete; ...). -- Stanislav Shalunov http://www.internet2.edu/~shalunov/ This message is designed to be viewed at sea level. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Inbound Default Deny Policy at Internet Border, (continued)
- Re: Inbound Default Deny Policy at Internet Border Michael Sinatra (May 15)
- Re: Inbound Default Deny Policy at Internet Border Brawner, David (May 16)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 16)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 16)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 16)
- Re: Inbound Default Deny Policy at Internet Border Graham Toal (May 16)
- Re: Inbound Default Deny Policy at Internet Border John Kristoff (May 16)
- Re: Inbound Default Deny Policy at Internet Border Eric Pancer (May 16)
- Re: Inbound Default Deny Policy at Internet Border Cal Frye (May 16)
- Re: Inbound Default Deny Policy at Internet Border Michael Sinatra (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Valdis Kletnieks (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Joel Rosenblatt (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Mark Borrie (May 16)
- Re: Inbound Default Deny Policy at Internet Border Davis, Thomas R. (May 17)
- Re: Inbound Default Deny Policy at Internet Border Mark Poepping (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeff Wolfe (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeffrey I. Schiller (May 18)