[Dshield] RE: Port 135 - fork to edu security

Kenton Smith ksmith at chartwelltechnology.com
Fri Oct 25 20:53:44 GMT 2002


<snip>
What firewall? And where should I point it with 10 000 students.
<snip>

Having done some work for post-secondary institutions, I know that
security and restrictions are bad words in those places. Security only
works if it works within the policies and in cooperation with the user
base. If you need to have these kinds of freedoms for your users than
you have weighed the risks and decided that it is worth those risks in
order to have that freedom. However; having said that, it means that you
have to be willing to deal with the consequences. If that means port 135
spam, then that's a choice that has been made. This is fairly basic
security justification stuff.
I do think though, it is high time Universities and Colleges started to
do their share in keeping the garbage off the Internet. I see many
instances in my logs of port scans and worms that are coming from .EDU
domains. If these institutions started to put even basic packet
filtering in place they could prevent a whole bunch of nuisance traffic.

<snip>
How should my students then be able to access their files from
home? Mapping shares over the Internet works and is easy to
use for the computer illiterate.
<snip>

There are lots of companies in the world that have 10k employees and
they don't leave their networks unguarded. Yes it costs money, but maybe
it's time for some money to be spent on this. Chalk it up to teaching
the students what remote computing is like in the corporate world.

I don't mean to sound unsympathetic to the unique issues faced by admins
in these institutions. However if the school decides that no security is
in the best interest of the users, then everyone will have to deal with
the consequences.

Kenton Smith





More information about the list mailing list