[unisog] Appropriate University/Internet blocks

Daniel Adinolfi dra1 at cornell.edu
Wed Jun 16 16:03:42 GMT 2004


On Jun 16, 2004, at 10:20, Tom Conley wrote:

> Specifically, what ports or packets are y'all (other universities) 
> currently blocking?  Do you have router configurations that you can 
> share? Do you use an IP blacklist?  Are the "blacklist" and "ports 
> list" permanent or do the blocks "time out" automatically?  How do you 
> manage all this?
>

Cornell University uses packet filtering at a few different levels.

Campus-wide, we have very few port-based blocks in place.  The culture 
and technical reality of our core network is such that wholesale 
blocking of ports is only recently becoming acceptable under 
extraordinary conditions.  Also, if we were to block something like 
Windows Networking without offering an alternative to satisfy that 
functionality, we would have some serious problems from our customers.

We use campus-wide blocks at our border to respond to large-scale 
incidents only (in addition to the normal anti-spoofing filters that 
EVERYONE should have on their border).  More specific packet-filtering 
is performed at our network edge on a departmental basis.  Our Edge ACL 
service allows local support providers to create ACLs on our Cisco 
routers for their own subnets.  This way, we do not need to worry about 
creating a universal ruleset.  We push the rules down to the edge and 
satisfy individual departmental requirements.  So far, our service has 
been very successful in the year we have been offering it.  Over a 
quarter of our campus subnets have some kind of Edge ACL assigned to 
it.

This two-pronged approach, border blocks for incident response and Edge 
ACLs for departmental protection, is working well for us technically, 
administratively, and socially.  For more info on our Edge ACL service, 
check out:

<http://www.cit.cornell.edu/computer/security/edgeacls/>.

We also encourage local support providers to configure personal 
firewalls on individual systems where practical.  Some departments run 
their own hardware firewalls, and we work with them to create a good 
ruleset and compliment that firewall with our Edge ACLs on that same 
subnet (the "belt and suspenders" model).  Also, we have RFC 1918 IP 
space that will route on-campus but not off-campus, allowing local 
support providers to remove the possibility of off-campus traffic to 
connect to those systems while still allowing any campus subnet to 
connect to those systems (which is very handy for printers).

Our philosophy is to allow the requirements of our users to drive any 
packet filtering solution.  Pushing specific rulesets closer to the 
protected objects allows you to tailor those rulesets more accurately, 
creating less disruption and more security for individual users, 
systems, and data sources.

So, to answer your specific question, each department has the ability 
to decide what should and shouldn't be blocked to their subnets.  
Campus-wide, only anti-spoofing and routing filters are mandatory, with 
the exception of specific incident-related ports.

Good luck.

-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 at cornell.edu   phone: 607-255-7657




More information about the unisog mailing list