Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Mon, 16 May 2005 15:48:48 -0400
Joel Rosenblatt <joel () COLUMBIA EDU> writes:
This reminds me of a vendor that sells scanning software saying that we should not allow XP SP2 be installed so that they can scan ... it is a factual, but really dumb solution to the problem :-)
Unbelievable. While at it, why not leave guest accounts with ``guest'' password on all Unix systems so that the scanning software can, um, better examine the system? Are you at liberty to share the name of the vendor (perhaps privately)?
As for looking at what machines are doing, we have taken the approach that we don't really care WHAT you do, just HOW MUCH you do it. We have upload and download limits that are data agnostic (legitimate users can apply for an exemption). See <http://www.columbia.edu/cu/policy/bandwidth.html> for details. A side effect of this is that we become aware very quickly of machines that are scanning systems off of our network.
For what it's worth, I believe this to be the model approach to dealing with the problem of network capacity abuse. Implemented right, too! (Exceptions for local and Internet2 traffic.)
One thing we did do is implement a secure protocol initiative. All University (read central administration) servers will only accept connections using secure protocols (no tcp, ftp, clear text passwords, etc.) - we did this to cut down on password stealing. We are trying to push non central server to do the same thing.
Good idea.
The only ports that we are blocking at the edge are those that are used for windows file sharing - we decided to take the hit on this one, since there were so many people scanning for open shares it was beginning to affect our network - if you really have to share from the outside, you can do it through our VPN.
I think blocking specific ports in order to break specific well-defined applications is a fine practice. Block port 23 with the intent to get people off insecure telnet, and the easiest thing for them might be to switch to SSH -- which would be the point. (But the same block would have missed the point if the intent were to stop people from using remote login applications in general.) Some ports have to be blocked: printer-related ports are a good example, with network printers being hardware devices incapable of implementing proper access control. But blocking specific ports to break specific applications is a far cry from default-deny...
My 2 cents.
-- Stanislav Shalunov http://www.internet2.edu/~shalunov/ Just my 0.086g of Ag. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Inbound Default Deny Policy at Internet Border, (continued)
- Re: Inbound Default Deny Policy at Internet Border Gary Flynn (May 16)
- Re: Inbound Default Deny Policy at Internet Border Graham Toal (May 16)
- Re: Inbound Default Deny Policy at Internet Border John Kristoff (May 16)
- Re: Inbound Default Deny Policy at Internet Border Eric Pancer (May 16)
- Re: Inbound Default Deny Policy at Internet Border Cal Frye (May 16)
- Re: Inbound Default Deny Policy at Internet Border Michael Sinatra (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Valdis Kletnieks (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Joel Rosenblatt (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Mark Borrie (May 16)
- Re: Inbound Default Deny Policy at Internet Border Davis, Thomas R. (May 17)
- Re: Inbound Default Deny Policy at Internet Border Mark Poepping (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeff Wolfe (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeffrey I. Schiller (May 18)