[Dshield] Secure computing (was: Port 135)
MarkC at mtbaker.wednet.edu
Mon Oct 28 16:14:19 GMT 2002
There is at least one EDU that uses a firewall to block malicious inbound
and outbound traffic. We're not perfect, but we do block between 400 and
800 "suspicious" packets per hour, every hour.
We are also diligent in applying patches, service packs and the like. When
our students (technology class) install servers they do it on a private
network, do not connect it to the main network, and if they need to test
Internet type access, they do it using a web server that they build and
populate with web pages.
I have had discussions with other EDUs about their machines scanning our web
server but many of them have simply told me they have no control. When I
tell them they can block outbound traffic with a firewall (they know this)
they respond that it is too difficult.
We have 740 client machines, 15 servers and 2500 users and we do all this
with just two of us on the Technology Services staff. Up-time is 99% or
better for servers and network. Viruses are non-existent using GroupShield
and ePolicy Orchestrator, and we protect the border with a firewall.
If we can do it, so can others. Sure, we've had problems, but who hasn't?
IT management is not pretty sometimes.
I think I'm being normal.
From: David Kennedy CISSP [mailto:david.kennedy at acm.org]
Sent: Sunday, October 27, 2002 8:31 PM
To: list at dshield.org; list at dshield.org
Subject: Re: [Dshield] Secure computing (was: Port 135)
At 11:51 PM 10/26/02 +0200, Jan Johansson wrote:
>I will try to respond on all the comments that have been made.
<lots of stuff about AFS (good), Kerberos (good), and SSH (good)
You didn't really respond to comments regarding this from your
At 05:58 PM 10/25/02 +0200, Jan Johansson wrote:
>On Wed, Oct 16, 2002 at 10:17:05AM -0700, John Hardin wrote:
>>If they're accessing this through your firewall, your firewall is
>>misconfigured. I think that could be an effective argument against
>What firewall? And where should I point it with 10 000 students.
>Protect the Internet from me or me from the Internet. It is as
>much harm on either side anyway which makes it useless.
I for one would not object to your using a firewall to protect the
rest of us on the Internet from your university and its students,
faculty and staff.
>>135:139 SHOULD NOT be permitted in from or out to the Internet.
>How should my students then be able to access their files from
>home? Mapping shares over the Internet works and is easy to
>use for the computer illiterate.
This part really got my attention and you have not addressed it.
Using all those technologies I've snipped from your message is good.
If you now want to dig yourself out of the hole you're in by saying
you do it by AFS, SSH or a Kerberized solution, simply explain why
you responded in that way to John's "135:139" line.
>month we had zero(0) logins to our samba server from outside
>campus network. The goal is to turn off all SMB services within
is your only windows-ish file sharing, that's not 10 000 students
accessing their files from home; so why did you respond to John as
You make no mention of how you enforce any policies about Windows
drive sharing. And with no firewall, no mention by you of
default-deny router ACLing, the mention by you of 75 Unix boxes
without mentioning the gratuitous services many default installations
represent, the inference left is the weak security many of us have
come to accept and expect from the EDU community (granted an
over-simplification, but there you are).
Were it not for the dramatic increase of malicious traffic from worms
and East Asia, the EDUs would still be at or near the top of TLDs
originating attack traffic. The US President's Advisor for cyber
security has warned the EDU community here to act to secure their
systems and networks. Network managers (outside the EDUs) have
learned how to deny AS or IP blocks belonging to China and Korea to
cut the attack traffic from those countries. It won't be a stretch
to create an analogous list of ASes representing EDUs placing
priorities on academic freedom and money too far above
responsibilities to be good netizens.
>My solution to the Windows Messenger problem is to turn off the
You're doing this on your 300 Windows workstations, without blocking
135:139, how? And the clients your 10 000 students use, how? If
there's a way to do this that scales, I'd be interested to hear about
David Kennedy CISSP                               /"\
Director of Research Services,                    \ /  ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com           X   Against HTML Mail
Protect what you connect;                         / \
Look both ways before crossing the Net.
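Kennedy's point that 135:139 should be blocked in both directions, and MarkC's habit of counting what the border drops per hour, can both be checked from the firewall's own logs. The following is an added example, not code from either poster or from DShield: it parses constructed netfilter-style DROP lines, assuming eth0 is the Internet-facing interface, counts dropped NetBIOS/SMB packets per hour by direction, and lists inside hosts whose outbound attempts were dropped (it also covers 445, direct-hosted SMB, which the thread does not mention).

```python
import re
from collections import Counter

EXT_IF = "eth0"                             # assumed Internet-facing interface name
SMB_PORTS = {135, 136, 137, 138, 139, 445}  # 135:139 from the thread, plus 445 (direct-hosted SMB)

# Constructed netfilter-style DROP lines (not from any list member's logs); eth1 is the inside.
SAMPLE_LOG = """\
Oct 28 15:02:11 fw kernel: DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=135
Oct 28 15:07:45 fw kernel: DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4322 DPT=139
Oct 28 15:30:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=1036 DPT=139
Oct 28 15:41:19 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=UDP SPT=137 DPT=137
Oct 28 16:05:58 fw kernel: DROP IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=2000 DPT=80
Oct 28 16:12:40 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.91 DST=203.0.113.200 PROTO=TCP SPT=1040 DPT=445
"""

# Real netfilter lines carry LEN=/TTL=/ID= fields between DST= and PROTO=; the lazy .*? skips them.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} .*?IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Parse one DROP line; return None for non-matching lines or traffic that never crosses EXT_IF."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["in"] == EXT_IF:
        direction = "inbound"     # arrived from the Internet
    elif d["out"] == EXT_IF:
        direction = "outbound"    # an inside host trying to reach the Internet
    else:
        return None               # internal-only traffic, not the border's concern here
    return {"hour": f"{d['mon']} {d['day']} {d['hour']}:00", "direction": direction,
            "src": d["src"], "dst": d["dst"], "spt": int(d["spt"]), "dpt": int(d["dpt"])}

def summarize(log_text):
    """Return (drops per (hour, direction), inside hosts with dropped outbound SMB/NetBIOS attempts)."""
    per_hour, hosts = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not (rec["spt"] in SMB_PORTS or rec["dpt"] in SMB_PORTS):
            continue
        per_hour[(rec["hour"], rec["direction"])] += 1
        if rec["direction"] == "outbound":
            hosts[rec["src"]] += 1  # an inside box talking SMB outward is worth a look for a worm
    return per_hour, hosts

if __name__ == "__main__":
    per_hour, hosts = summarize(SAMPLE_LOG)
    for (hour, direction), n in sorted(per_hour.items()):
        print(f"{hour}  {direction:8s} {n}")
    print("outbound SMB talkers:", dict(hosts))
```

Point it at the real syslog instead of SAMPLE_LOG and the per-hour figures become the same "suspicious packets per hour" metric MarkC quotes, split by direction.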