[unisog] Access lists for dorms

Donal Lynch donal at yorku.ca
Fri Dec 9 23:15:26 GMT 2005

This list is by no means complete, and you'll have to
customize/modify to suit your specific needs, but IMHO this is a
good starting point.

The following would be an outbound ACL on the router (in order):

- allow traffic from the machines you'll be using to vulnerability
scan your resnet users' computers.

- depending on how you handle resnet registration you may need to
allow access to that service (or services)

- explicitly deny all the usual MS filesharing/rpc ports and any
other ports you may be really worried about.

- permit udp traffic to/from your DNS/DHCP servers

- permit or deny icmp (depending on your needs, feelings or
infosec policy)

- explicitly permit anything outbound to your users below 1024 that
you feel is necessary or useful.

- permit tcp and udp greater than 1024

- permit tcp any any established

- Deny everything else.

The above is a compromise between security, and still giving the
students access to a service that they will consider usable.  It's
also designed to limit the number of "application X doesn't work"
calls to the helpdesk.  The real key in the above is the list of things
you explicitly deny and the list of things below 1024 that you
explicitly allow.

I'm not with the InfoSec group here at York, which means I only get
involved with incidents that are having a negative impact on the
network (a small percentage), so what I'm about to say should be
taken with a large grain of salt.  ACLs are useful, but at the end
of the day, proper preventative measures are a lot more useful. Our
ACLs have stopped a lot of crap from going in/out, but what really
caused the number of incidents to drop was the steps our infosec
people took that forced our users to install required windows
patches, run windows update automatically, and install a current
antivirus package, also with auto updates.

Depending on the size of your network/resnet, and the size of your
wallet, you might also want to consider one of the IPS products on
the market.  Again, I can't comment for our InfoSec people, but I'm
very happy with the IPS we bought and installed at our border.

Between the forced compliance and the IPS I actually had a fairly
calm September this year (the first in a long time).

Well, that's my $0.02 worth.  Feel free to rip away :-).



Donal Lynch
Asst. Manager, CNS Network Operations, York University
email: donal at yorku.ca   voice: 416.736.2100 x20282
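The post's point about rule order (the explicit denies and the short list of allowed ports below 1024 are what matter) can be checked with a small first-match ACL evaluator. This is an added example, not something from the original message or from York's configuration; the scanner host, DNS/DHCP server, allowed low ports and all addresses are constructed placeholders.

```python
# Added example: first-match evaluation of the outbound ACL ordering described
# in the post. Hosts, ports and addresses below are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP segment belonging to an existing flow (ACK set)

SCANNERS = {"10.0.0.5"}                 # assumed vulnerability-scanner host
DNS_DHCP = {"10.0.0.53"}                # assumed DNS/DHCP server
MS_PORTS = {135, 137, 138, 139, 445}    # MS file sharing / RPC ports
ALLOWED_LOW = {22, 80, 443}             # assumed explicit allow list below 1024

# (name, match function, action); evaluated top to bottom, first match wins.
RULES = [
    ("scanners",    lambda p: p.src in SCANNERS,                                    "permit"),
    ("ms-deny",     lambda p: p.dport in MS_PORTS,                                  "deny"),
    ("dns-dhcp",    lambda p: p.proto == "udp" and {p.src, p.dst} & DNS_DHCP,       "permit"),
    ("icmp",        lambda p: p.proto == "icmp",                                    "permit"),
    ("low-ports",   lambda p: p.proto == "tcp" and p.dport in ALLOWED_LOW,          "permit"),
    ("high-ports",  lambda p: p.proto in ("tcp", "udp") and p.dport > 1024,         "permit"),
    ("established", lambda p: p.proto == "tcp" and p.established,                  "permit"),
    ("deny-all",    lambda p: True,                                                 "deny"),
]

# A misordered variant: the MS deny moved to just before deny-all, after the
# broad permits. Used to show why the order in the post matters.
_ms_deny = next(r for r in RULES if r[0] == "ms-deny")
RULES_DENY_LATE = [r for r in RULES if r[0] not in ("ms-deny", "deny-all")]
RULES_DENY_LATE += [_ms_deny, RULES[-1]]

def evaluate(p: Packet, rules=RULES) -> tuple:
    """Return (action, rule name) for the first rule that matches the packet."""
    for name, match, action in rules:
        if match(p):
            return action, name
    raise AssertionError("deny-all should always match")

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.0.2.1", "10.20.0.7", 445, established=True),
                Packet("tcp", "192.0.2.1", "10.20.0.7", 5000),
                Packet("tcp", "192.0.2.1", "10.20.0.7", 25)):
        print(pkt, "->", evaluate(pkt), "| deny placed late ->", evaluate(pkt, RULES_DENY_LATE))
```

With the deny placed late, an "established" segment to port 445 slips through via the broad established permit; with the post's ordering it is dropped.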