[Dshield] firewalls & high schools.
Johannes B. Ullrich
jullrich at sans.org
Sat Aug 16 18:29:47 GMT 2003
On Sat, 2003-08-16 at 14:06, Lawrence Engleman wrote:
> Jeff Kell wrote:
> > Firewalling internal networks can be tricky at best *if* you are really
> > doing Microsoft file sharing, Samba, CIFS, etc. It hits you where it
> > hurts and you can't necessarily block it (no more than you can block
> > http for IIS or Apache weaknesses, it's self-defeating).
Tricky: yes. But it can be very necessary (and maybe some of the things
that will break should not have done in the first place).
A regular high school may want to define these segments:
- Administrative Network: That's where student records are kept. Probably
the most critical part of the network. Should not allow any connections
from the outside
- "DMZ" (public servers): Web servers, Mail servers.
Accessible from all networks on a limited number of ports.
- "Classrooms": no access from the outside ("internet") and limited
access to the outside, maybe a proxy?
- "Public": things like wireless, random ethernet jacks in public
locations of the school. But this may fall into 'classrooms'.
Anyway. Something like that could protect critical systems during a
random virus/worm outbreak. You may even set up each classroom as its own
zone (I guess a VLAN would do in this case). But I hope schools do not
use windows file sharing to allow teachers access to confidential
student files while they use a wireless connection from a classroom. (I
hope... but I am afraid that's exactly what's happening)
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
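The four-zone layout sketched in the message, written out as a default-deny rule matrix with a small flow checker. This is an added example, not code from the original post; the subnets, the proxy port 3128 and the placement of the outbound web proxy in the DMZ are assumptions.

```python
import ipaddress
from typing import Optional

# Subnets per zone are constructed for this example; anything else is "internet".
ZONE_NETS = {
    "admin": ipaddress.ip_network("10.10.0.0/24"),      # student records
    "dmz": ipaddress.ip_network("10.20.0.0/24"),        # web / mail servers, proxy
    "classroom": ipaddress.ip_network("10.30.0.0/16"),  # one /24 per room = one VLAN each
    "public": ipaddress.ip_network("10.40.0.0/24"),     # wireless, public ethernet jacks
}
PROXY_PORT = 3128  # assumed: outbound web proxy living in the DMZ

# Allow rules as (src_zone, dst_zone, tcp_ports); "*" matches any source zone.
# Everything not listed is dropped (default deny), so the admin zone accepts no
# inbound connection at all and no client zone reaches the internet directly.
ALLOW_RULES = [
    ("*", "dmz", {25, 80, 443}),          # public services on a few ports
    ("admin", "dmz", {PROXY_PORT}),       # office staff browse via the proxy
    ("classroom", "dmz", {PROXY_PORT}),   # classrooms: outbound only through the proxy
    ("public", "dmz", {PROXY_PORT}),      # wireless/public jacks treated like classrooms
    ("dmz", "internet", {25, 80, 443}),   # only the proxy and mail relay talk out
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "internet"

def match(src_ip: str, dst_ip: str, dport: int) -> Optional[tuple]:
    """Return the allow rule a TCP flow matches, or None when default-deny applies."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return (src, dst, "intra-zone")  # the firewall is not in the path
    for rule in ALLOW_RULES:
        s, d, ports = rule
        if s in ("*", src) and d == dst and dport in ports:
            return rule
    return None

def allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    return match(src_ip, dst_ip, dport) is not None

if __name__ == "__main__":
    # Constructed flows: a wireless client reaching for student records over CIFS,
    # and an outside host delivering mail to the DMZ.
    for f in [("10.40.0.7", "10.10.0.5", 445), ("203.0.113.9", "10.20.0.3", 25)]:
        print(f, "ALLOW" if allowed(*f) else "DROP")
```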