[Dshield] firewalls & high schools.

Johannes B. Ullrich jullrich at sans.org
Sat Aug 16 18:29:47 GMT 2003


On Sat, 2003-08-16 at 14:06, Lawrence Engleman wrote:
> Jeff Kell wrote:
> > Firewalling internal networks can be tricky at best *if* you are really 
> > doing Microsoft file sharing, Samba, CIFS, etc.  It hits you where it 
> > hurts and you can't necessarily block it (no more than you can block 
> > http for IIS or Apache weaknesses, it's self-defeating).

Tricky: yes. But it can be very necessary (and maybe some of the things
that will break should not have been done in the first place).

A regular high school may want to define these segments:

- Administrative Network: That's where student records are kept. Probably
the most critical part of the network. Should not allow any connections
from the outside.

- "DMZ" (public servers): Web servers, Mail servers.
Accessible from all networks on a limited number of ports.

- "Classrooms": no access from the outside ("internet") and limited
access to the outside, maybe a proxy?

- "Public": things like wireless, random ethernet jacks in public
locations of the school. But this may fall into 'classrooms'.

Anyway. Something like that could protect critical systems during a
random virus/worm outbreak. You may even set up each classroom as its own
zone (I guess a VLAN would do in this case). But I hope schools do not
use Windows file sharing to allow teachers access to confidential
student files while they use a wireless connection from a classroom. (I
hope... but I am afraid that's exactly what's happening.)

SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt

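A small policy model of the four segments sketched in the message above, added here as an example (it is not from the original post or from SANS): zone names, the DMZ port list, the proxy port and the outbound rules for DMZ servers are assumptions, and `audit` flags the flows the design would deny, such as SMB from classroom wireless into the administrative network.

```python
from dataclasses import dataclass

OUTSIDE = "internet"
INSIDE = {"admin", "dmz", "classroom", "public"}
# Assumed: ports the DMZ servers publish to every zone (SMTP, HTTP, HTTPS)
# and the web proxy that classrooms use for outbound access (3128).
DMZ_PORTS = {25, 80, 443}
PROXY_PORT = 3128


@dataclass(frozen=True)
class Flow:
    src: str   # zone the connection is initiated from
    dst: str   # zone it is going to
    port: int  # destination TCP port


def decide(flow: Flow) -> str:
    """Allow or deny a new connection under the four-segment design."""
    zones = INSIDE | {OUTSIDE}
    if flow.src not in zones or flow.dst not in zones:
        raise ValueError(f"unknown zone in {flow}")
    if flow.src == flow.dst:
        return "allow"          # intra-zone traffic is not filtered by this model
    if flow.dst == "admin":
        return "deny"           # student records: no inbound connections at all
    if flow.dst == "dmz":
        if flow.port in DMZ_PORTS:
            return "allow"      # public servers, reachable on a short port list only
        if flow.port == PROXY_PORT and flow.src in {"classroom", "public"}:
            return "allow"      # classrooms reach the web only through the proxy
        return "deny"
    if flow.src == OUTSIDE:
        return "deny"           # nothing from the internet into classrooms or public jacks
    if flow.src == "dmz" and flow.dst == OUTSIDE and flow.port in DMZ_PORTS:
        return "allow"          # assumed: proxy and mail server need outbound web and SMTP
    return "deny"               # default deny, which covers SMB between any two segments


def audit(flows):
    """Return the flows the policy denies, so a proposed rule set can be reviewed."""
    return [f for f in flows if decide(f) == "deny"]


if __name__ == "__main__":
    # Constructed sample: a teacher on classroom wireless opening an SMB share on
    # the admin network, a student browsing via the proxy, and a worm probing the DMZ.
    proposed = [Flow("classroom", "admin", 445), Flow("classroom", "dmz", 3128),
                Flow("internet", "dmz", 445)]
    for f in audit(proposed):
        print("denied:", f)
```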

