[unisog] Blocking Windows Networking at the Border?

Patrick Aland paland at stetson.edu
Tue Apr 23 15:49:37 GMT 2002


We block everything inbound except what is explicitly allowed.

We do this for a number of reasons: open Windows shares, students
running webservers, students running FTP sites, etc.

We try to be as open as possible, so if an application requires a certain
port open inbound we try and accommodate; if it requires all ports open
inbound then we have to draw a line somewhere.

This decision was made probably 5 years ago and we really don't hear
many complaints. Generally only the few that want to run webservers from
their dorms.


On Thu, Apr 18, 2002 at 02:04:46PM -0400, Phil.Rodrigues at uconn.edu wrote:
> Hi,
> 
> The University of Connecticut experienced all the fun Windows hacks of the 
> last few weeks that everyone else did ("Got Warez?" XDCC bots, 
> W32Time/FluxaySensor Trojan/Password crackers, MIRC-DOS scripts), all 
> pretty much as a result of allowing Windows Networking across our Internet 
> link.  With 8,500 students and a few thousand staff computers on the 
> network *someone* will have a weak share.
> 
> We have been considering blocking ports 135-139/445 at the routers for a 
> few weeks now for privacy issues (the assumption that things shared on the 
> "local network" are only accessible by other University computers) and 
> after all of this we are considering it for security reasons as well.  We 
> have never blocked anything before, and none of us really wants to start 
> down this slippery slope, but user education about open shares and strong 
> passwords only seems so effective.
> 
> What are other schools doing to combat these types of problems?  Are many 
> of you blocking Windows Networking at the border?  Do those that choose 
> not to block it have compelling reasons to keep it open, or do you leave 
> it open because "it has always been that way"?
> 
> Thanks for your input, and shoot me a private reply if you prefer.
> 
> Phil
> 
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> 
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> =======================================

-- 
------------------------------------------------------------
 Patrick Aland                          paland at stetson.edu
 Network Administrator                  Voice: 386.822.7217
 Stetson University                     Fax: 386.822.7367
------------------------------------------------------------
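
Added example, not part of the original message or of either university's configuration: a small Python model comparing the two border policies discussed in this thread, blocking only inbound ports 135-139/445 versus denying all inbound traffic except explicit exceptions. The flow records, addresses and exception list are constructed for illustration, and each flow stands for a connection initiation (return traffic is assumed to be handled statefully).

```python
from dataclasses import dataclass

# Windows Networking ports named in the thread: 135-139 and 445.
WINDOWS_NET_PORTS = set(range(135, 140)) | {445}

@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = Internet -> campus, "out" = campus -> Internet
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int

def port_block_policy(flow):
    """Allow everything except inbound Windows Networking ports."""
    return not (flow.direction == "in" and flow.dst_port in WINDOWS_NET_PORTS)

def make_default_deny(allowed):
    """Inbound default deny; `allowed` holds (proto, dst_ip, dst_port) exceptions."""
    def policy(flow):
        if flow.direction == "out":
            return True
        return (flow.proto, flow.dst_ip, flow.dst_port) in allowed
    return policy

def admitted_inbound(policy, flows):
    """Return the inbound flows that the given policy lets through."""
    return [f for f in flows if f.direction == "in" and policy(f)]

# Constructed sample flows (documentation address ranges, not real hosts).
FLOWS = [
    Flow("in", "tcp", "192.0.2.10", 80),     # sanctioned campus web server
    Flow("in", "tcp", "192.0.2.77", 445),    # SMB to a dorm PC
    Flow("in", "udp", "192.0.2.77", 137),    # NetBIOS name service
    Flow("in", "tcp", "192.0.2.77", 21),     # FTP site on a dorm PC
    Flow("in", "tcp", "192.0.2.78", 8080),   # web server on a dorm PC
    Flow("out", "tcp", "198.51.100.5", 443), # ordinary outbound browsing
]
ALLOWED = {("tcp", "192.0.2.10", 80)}  # hypothetical exception list

if __name__ == "__main__":
    policies = [("block 135-139/445 only", port_block_policy),
                ("default deny + exceptions", make_default_deny(ALLOWED))]
    for name, policy in policies:
        passed = [(f.proto, f.dst_ip, f.dst_port)
                  for f in admitted_inbound(policy, FLOWS)]
        print(f"{name}: {passed}")
```

The port-only block stops the share traffic but still admits the dorm FTP and web servers, which is the gap the default-deny policy closes.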