Re: Inbound Default Deny Policy at Internet Border

[stanislav shalunov <shalunov () INTERNET2 EDU>]

Joel Rosenblatt <joel () COLUMBIA EDU> writes:

> This reminds me of a vendor that sells scanning software saying that
> we should not allow XP SP2 be installed so that they can scan ... it
> is a factual, but really dumb solution to the problem :-)

Unbelievable.  While at it, why not leave guest accounts with
``guest'' password on all Unix systems so that the scanning software
can, um, better examine the system?  Are you at liberty to share the
name of the vendor (perhaps privately)?

> As for looking at what machines are doing, we have taken the
> approach that we don't really care WHAT you do, just HOW MUCH you do
> it.  We have upload and download limits that are data agnostic
> (legitimate users can apply for an exemption).  See
> <http://www.columbia.edu/cu/policy/bandwidth.html> for details.  A
> side effect of this is that we become aware very quickly of machines
> that are scanning systems off of our network.

For what it's worth, I believe this to be the model approach to
dealing with the problem of network capacity abuse.  Implemented
right, too!  (Exceptions for local and Internet2 traffic.)

> One thing we did do is implement a secure protocol initiative.  All
> University (read central administration) servers will only accept
> connections using secure protocols (no tcp, ftp, clear text
> passwords, etc.) - we did this to cut down on password stealing. We
> are trying to push non central server to do the same thing.

Good idea.

> The only ports that we are blocking at the edge are those that are
> used for windows file sharing - we decided to take the hit on this
> one, since there were so many people scanning for open shares it was
> beginning to affect our network - if you really have to share from
> the outside, you can do it through our VPN.

I think blocking specific ports in order to break specific
well-defined applications is a fine practice.  Block port 23 with the
intent to get people off insecure telnet, and the easiest thing for
them might be to switch to SSH -- which would be the point.  (But the
same block would have missed the point if the intent were to stop
people from using remote login applications in general.)  Some ports
have to be blocked: printer-related ports are a good example, with
network printers being hardware devices incapable of implementing
proper access control.  But blocking specific ports to break specific
applications is a far cry from default-deny...

> My 2 cents.

--
Stanislav Shalunov              http://www.internet2.edu/~shalunov/

Just my 0.086g of Ag.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.