[unisog] Access lists for dorms

Rob Becker rbecker at kcai.edu
Fri Dec 9 21:44:05 GMT 2005

I am in the process of migrating our dorm network to it's own subnet.
Once this is done I would like to put some access-lists in our routers
to restrict traffic to other subnets.  At this point, I am considering
limiting outgoing tcp 25 to only our mail server, limiting smb and afp
connectivity to only the student file server and explicitly allowing tcp
port 80 to a few webservers that students will need to access.  I would
like to also add some access lists that will keep our student traffic
out to the internet as clean as possible from a worms/viruses
standpoint.  Does anyone have suggestions as to ports that should be
blocked outgoing to minimize botnet and other malicious traffic?  I
realize that this traffic changes as new threats emerge, but I'm looking
for any low hanging fruit regarding traffic that should not leave our
network bound for the internet.  For the most part, we expect that our
students will be using their campus network connectivity for web
browsing, email and very little else.  We are an Art school and thus
have no Computer Science or Math students who would have need of more
open network connectivity.  Any suggestions, links to best practices
documentation, etc greatly appreciated.

More information about the unisog mailing list