[c-nsp] Campus - Best Practices

Tim Franklin tim at colt.net
Wed Jun 28 07:31:51 EDT 2006


>   3. For pity's sake, block outbound 135-139, 445 and inbound default
> deny. Please, for the sake of the internet! Student residence networks
> are festering pools of botnets. Persuading the institute to buy a site
> license for a good AV scanner (if they don't have one) and mandating the
> students install it would not go amiss...

Yes, but... For the sake of the Internet as something other than next-gen
TV, leave something in the process to allow for exceptions.  You *will* have
900-plus pr0n+w4r3z gimps, but you might have 10 or 20 genuine computing
and/or networking geeks who have the reason and the competency to have
certain inbound connections.  I'm not suggesting a 'click here to enable'
for every monkey who wants to upload torrents to improve their ratio, but at
the other end something short of requiring Papal dispensation.  (That's
entirely for the inbound, of course - no-one in their right mind should be
asking for outbound CIFS!)

Oh, and make sure that any software you mandate (AV, .1x client, etc) is
available cross-platform.

Regards,
Tim.

-- 
____________   Tim Franklin                 e: tim at colt.net 
\C/\O/\L/\T/   Product Engineering Manager  w: www.colt.net 
 V  V  V  V    Managed Data Services        t: +44 20 7863 5714 
Data | Voice | Managed Services             f: +44 20 7863 5876  
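The policy the thread is arguing about (outbound 135-139/445 blocked, inbound default deny, with a narrow documented exception rather than a blanket "click here to enable"), written out as a Cisco IOS extended ACL pair. This is an added illustration, not configuration from either poster; the subnet 192.0.2.0/24, the approved host 192.0.2.50, the SSH exception and the interface name GigabitEthernet0/1 are all constructed placeholders.

```cisco
! Constructed example: residence LAN is 192.0.2.0/24 (RFC 5737 documentation range),
! 192.0.2.50 is one vetted host that has been granted an inbound exception.

! Student -> Internet: drop the Windows file-sharing/RPC ports in both
! directions of the protocol stack, then allow everything else.
ip access-list extended RESNET-TO-INTERNET
 remark Outbound NetBIOS/RPC/SMB is never legitimate across the campus edge
 deny   tcp 192.0.2.0 0.0.0.255 any range 135 139
 deny   udp 192.0.2.0 0.0.0.255 any range 135 139
 deny   tcp 192.0.2.0 0.0.0.255 any eq 445
 deny   udp 192.0.2.0 0.0.0.255 any eq 445
 permit ip 192.0.2.0 0.0.0.255 any

! Internet -> Student: default deny, with replies to student-initiated TCP
! sessions and one documented exception carved out above the deny.
ip access-list extended INTERNET-TO-RESNET
 remark Replies to TCP connections the student opened
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark Exception (hypothetical): vetted host may accept SSH from outside
 permit tcp any host 192.0.2.50 eq 22
 remark Default deny; log so the exception process has evidence to work from
 deny   ip any any log

! Applied on the residence-facing interface: "in" is traffic entering the
! router from the students, "out" is traffic the router sends to them.
interface GigabitEthernet0/1
 description Student residence network
 ip access-group RESNET-TO-INTERNET in
 ip access-group INTERNET-TO-RESNET out
```

Two practical notes. `established` only matches TCP, so UDP replies (DNS in particular) need either explicit permits or a stateful mechanism such as reflexive ACLs or zone-based firewall on the same box; the fragment above shows the policy shape, not a complete edge ruleset. Keeping each exception as a single remark-plus-permit pair, above the final `deny ... log`, is what makes the "10 or 20 genuine geeks" process auditable: `show access-lists INTERNET-TO-RESNET` then shows both who has been granted an exception and how often the default deny is firing.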
