[unisog] Access lists for dorms

Daniel Feenberg feenberg at nber.org
Sat Dec 10 01:21:42 GMT 2005



On Fri, 9 Dec 2005, Rob Becker wrote:

> I am in the process of migrating our dorm network to its own subnet.
> Once this is done I would like to put some access-lists in our routers
> to restrict traffic to other subnets.  At this point, I am considering
> limiting outgoing tcp 25 to only our mail server, limiting smb and afp

It is important to supervise port 25, or you will end up on DNSBLs and 
find your own mailserver on a nearby address has limited acceptability.

> connectivity to only the student file server and explicitly allowing tcp
> port 80 to a few webservers that students will need to access.  I would

The only Kansas City Art Institute graduate I know is now an accountant 
which suggests a broader range of possible interests than you give them 
credit for. Are you sure the list of webservers that students will need to 
access is so limited that you can keep a list of them on your router?

> like to also add some access lists that will keep our student traffic
> out to the internet as clean as possible from a worms/viruses
> standpoint.  Does anyone have suggestions as to ports that should be
> blocked outgoing to minimize botnet and other malicious traffic?  I
> realize that this traffic changes as new threats emerge, but I'm looking
> for any low hanging fruit regarding traffic that should not leave our
> network bound for the internet.  For the most part, we expect that our
> students will be using their campus network connectivity for web
> browsing, email and very little else.  We are an Art school and thus
> have no Computer Science or Math students who would have need of more
> open network connectivity.  Any suggestions, links to best practices
> documentation, etc greatly appreciated.
> Thanks.
> Rob
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
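
The reply's point about supervising port 25, shown as an added example that is not part of the original thread: a short Python check that reports dorm hosts attempting SMTP to anything other than the campus mail server. The subnet, the mail server address, the threshold and the flow-record format are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumed placeholders, not values from the thread.
DORM_NET = ipaddress.ip_network("10.20.0.0/16")
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")
THRESHOLD = 3  # direct SMTP attempts before a host is reported

# Constructed sample flow records, one per line: "time src dst proto dport"
SAMPLE_FLOWS = """\
2005-12-09T22:01:03 10.20.4.17 192.0.2.25 tcp 25
2005-12-09T22:01:05 10.20.9.80 198.51.100.7 tcp 25
2005-12-09T22:01:05 10.20.9.80 203.0.113.40 tcp 25
2005-12-09T22:01:06 10.20.9.80 198.51.100.99 tcp 25
2005-12-09T22:01:06 10.20.9.80 203.0.113.12 tcp 25
2005-12-09T22:01:09 10.20.9.80 198.51.100.7 tcp 80
2005-12-09T22:02:11 10.20.7.3 203.0.113.5 tcp 25
2005-12-09T22:02:30 10.30.1.1 203.0.113.5 tcp 25
2005-12-09T22:03:00 10.20.4.17 192.0.2.25 tcp 25
truncated record
"""

def direct_smtp_sources(flow_text, threshold=THRESHOLD):
    """Return {source: count} for dorm hosts that tried tcp/25 on
    any destination other than the mail server, at or above threshold."""
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, proto, dport = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with unparseable addresses
        if proto != "tcp" or dport != "25":
            continue  # only SMTP is of interest here
        if src_ip in DORM_NET and dst_ip != MAIL_SERVER:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in sorted(direct_smtp_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} direct SMTP attempts, bypassing the mail server")
```

Fed from the log of an access-list entry that denies direct port 25 traffic, a report like this identifies the machines to clean up.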


