[c-nsp] Campus - Best Practices

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 28 12:04:29 EDT 2006


Tim Franklin wrote:
>>   3. For pity's sake, block outbound 135-139, 445 and inbound default
>> deny. Please, for the sake of the internet! Student residence networks
>> are festering pools of botnets. Persuading the institute to buy a site
>> license for a good AV scanner (if they don't have one) and mandating the
>> students install it would not go amiss...
> 
> Yes, but... For the sake of the Internet as something other than next-gen
> TV, leave something in the process to allow for exceptions.  You *will* have

I should probably clarify here. I would MUCH rather run NO firewall at 
all. Sadly, market economics permit (indeed, encourage) vendors to 
repeatedly sell insecure software, and there is not currently in society 
a culture of responsibility about maintaining the IT equipment you own.

I have no intention of allowing the media companies to demolish 
end-to-end internet.

> 900-plus pr0n+w4r3z gimps, but you might have 10 or 20 genuine computing
> and/or networking geeks who have the reason and the competency to have
> certain inbound connections.  I'm not suggesting a 'click here to enable'
> for every monkey who wants to upload torrents to improve their ratio, but at
> the other end something short of requiring Papal dispensation.  (That's
> entirely for the inbound, of course - no-one in their right mind should be
> asking for outbound CIFS!)

Thanks for the advice. We have been doing this for a *few* years :o)

Surprisingly few of the computing people have asked for stuff. We have 
one guy running a small beowulf who has dispensation from the minihub 
ban, and there is currently unrestricted access from the residences to 
the main academic network which allows them to do a lot of the more 
useful things.

Assuming the shoddy^Wexperimental firmware for the 3750 works, we want 
to offer them IPv6 as well - so we're not totally blind to the techie needs!

> 
> Oh, and make sure that any software you mandate (AV, .1x client, etc) is
> available cross-platform.

People who choose to run platforms that are secure by default (e.g. 
modern well-configured Linux distributions, Mac OS X to an extent) are 
exempt from jumping through the hoops :o)
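The residence-network policy the thread recommends (block outbound 135-139 and 445, inbound default deny, unrestricted access to the academic network, and a few explicit per-host exceptions rather than "Papal dispensation"), written out as a pair of IOS access lists on a 3750 SVI. This is an added illustration, not configuration from anyone in the thread; the VLAN number, the 10.20.0.0/16 residence range, the 172.16.0.0/12 academic range, the resolver address and the exception host are all made-up placeholders.

```ios
! Added example, not from the thread. Assumed placeholders:
!   Vlan200        = student residence SVI on the 3750
!   10.20.0.0/16   = residence addressing
!   172.16.0.0/12  = main academic network (unrestricted both ways)
!   172.16.1.53    = campus DNS resolver
!   10.20.7.10     = one host granted an inbound exception (ssh only)
!
! Traffic FROM the residences ("in" on the SVI): deny the Windows
! RPC/NetBIOS/SMB ports toward everything except the academic network,
! permit the rest. The closing deny also drops packets whose source is
! not a residence address, i.e. simple anti-spoofing.
ip access-list extended RES-FROM-STUDENTS
 permit ip 10.20.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny   tcp 10.20.0.0 0.0.255.255 any range 135 139
 deny   udp 10.20.0.0 0.0.255.255 any range 135 139
 deny   tcp 10.20.0.0 0.0.255.255 any eq 445
 deny   udp 10.20.0.0 0.0.255.255 any eq 445
 permit ip 10.20.0.0 0.0.255.255 any
 deny   ip any any
!
! Traffic TO the residences ("out" on the SVI): the 3750 filters
! statelessly, so replies must be let back in explicitly. TCP replies
! match "established" (ACK or RST set); UDP has no such flag, so each
! needed UDP service (here only DNS from the campus resolver) is listed.
! Everything not named is dropped, which is the inbound default deny.
ip access-list extended RES-TO-STUDENTS
 permit ip 172.16.0.0 0.15.255.255 10.20.0.0 0.0.255.255
 permit tcp any 10.20.0.0 0.0.255.255 established
 permit udp host 172.16.1.53 eq 53 10.20.0.0 0.0.255.255
 permit icmp any 10.20.0.0 0.0.255.255 echo-reply
 permit icmp any 10.20.0.0 0.0.255.255 unreachable
 permit icmp any 10.20.0.0 0.0.255.255 time-exceeded
 remark per-host exceptions for the genuine geeks, one line each
 permit tcp any host 10.20.7.10 eq 22
 deny   ip any any
!
interface Vlan200
 description Student residences
 ip address 10.20.0.1 255.255.0.0
 ip access-group RES-FROM-STUDENTS in
 ip access-group RES-TO-STUDENTS out
```

Because the 3750 has no stateful inspection, every UDP service the residences legitimately use needs its own return-path line, and that list grows quickly; that operational cost is the usual argument for a stateful firewall in front of a residence network rather than router ACLs alone.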
