Educause Security Discussion mailing list archives
Re: Inbound Default Deny Policy at Internet Border
From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Tue, 17 May 2005 09:00:48 +1200
On 16 May 2005 at 10:07, John Kristoff wrote:
On Mon, 16 May 2005 10:04:17 -0400 Gary Flynn <flynngn () JMU EDU> wrote:It wouldn't restrict innovation because the connectity would be available for the asking. But that convenience vs security thing would definitely be an issue.In the short term it will, but you're right in the long term it may not, but not because people will ask for connectivity. As one may remember when users wanted freedom from the glass house, PCs appeared. When users wanted remote connectivity to those PCs, modems appeared on the desktops. Something will develop so that users get 'freedom to connect' back. Maybe not fully realized for a decade or two, but my bet is that it's coming and I just hope I am around to see and take advantage of that innovation.
John is right in that some users will develop work rounds. That's part and parcel of the industry. I've never taken the approach, however, of not taking action simply because someone MIGHT circumvent things. 90% of users only require basic Internet access (web, mail and so on). Blocking of inbound traffic for these users takes no productivity away. Of the remaining users most only require access to well defined protocols. We have very few users who require something unusual. When rolling out a policy like this keep the users and admins well informed. Answer their questions and listen to their problems. If you keep them on side even ardent "you have no right to restrict me" researchers will be singing your praises. Trust me, I've experienced this. I say go for it and reap the benefits. Mark. -- Mark Borrie IT Security Officer, Information Technology Services, University of Otago, Dunedin, N.Z. Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Inbound Default Deny Policy at Internet Border, (continued)
- Re: Inbound Default Deny Policy at Internet Border Graham Toal (May 16)
- Re: Inbound Default Deny Policy at Internet Border John Kristoff (May 16)
- Re: Inbound Default Deny Policy at Internet Border Eric Pancer (May 16)
- Re: Inbound Default Deny Policy at Internet Border Cal Frye (May 16)
- Re: Inbound Default Deny Policy at Internet Border Michael Sinatra (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Valdis Kletnieks (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Joel Rosenblatt (May 16)
- Re: Inbound Default Deny Policy at Internet Border stanislav shalunov (May 16)
- Re: Inbound Default Deny Policy at Internet Border Mark Borrie (May 16)
- Re: Inbound Default Deny Policy at Internet Border Davis, Thomas R. (May 17)
- Re: Inbound Default Deny Policy at Internet Border Mark Poepping (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeff Wolfe (May 17)
- Re: Inbound Default Deny Policy at Internet Border Jeffrey I. Schiller (May 18)