[unisog] Access lists for dorms
feenberg at nber.org
Sat Dec 10 01:21:42 GMT 2005
On Fri, 9 Dec 2005, Rob Becker wrote:
> I am in the process of migrating our dorm network to its own subnet.
> Once this is done I would like to put some access-lists in our routers
> to restrict traffic to other subnets. At this point, I am considering
> limiting outgoing tcp 25 to only our mail server, limiting smb and afp

It is important to supervise port 25, or you will end up on DNSBLs and
find your own mailserver on a nearby address has limited acceptability.

> connectivity to only the student file server and explicitly allowing tcp
> port 80 to a few webservers that students will need to access. I would

The only Kansas City Art Institute graduate I know is now an accountant
which suggests a broader range of possible interests than you give them
credit for. Are you sure the list of webservers that students will need to
access is so limited that you can keep a list of them on your router?

> like to also add some access lists that will keep our student traffic
> out to the internet as clean as possible from a worms/viruses
> standpoint. Does anyone have suggestions as to ports that should be
> blocked outgoing to minimize botnet and other malicious traffic? I
> realize that this traffic changes as new threats emerge, but I'm looking
> for any low hanging fruit regarding traffic that should not leave our
> network bound for the internet. For the most part, we expect that our
> students will be using their campus network connectivity for web
> browsing, email and very little else. We are an Art school and thus
> have no Computer Science or Math students who would have need of more
> open network connectivity. Any suggestions, links to best practices
> documentation, etc greatly appreciated.
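
Added example, not part of the original thread: one way to supervise port 25 as discussed above is to scan flow records for dorm hosts that speak SMTP directly to servers other than the campus mail server. The addresses (documentation ranges), the "src dst proto dport" record format and the threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the original post): documentation-range addresses,
# a simple "src dst proto dport" flow record format, and the alert threshold.
DORM_NET = ipaddress.ip_network("198.51.100.0/24")
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")
MAX_DIRECT_SMTP_PEERS = 3  # distinct outside MTAs tolerated before flagging

# Constructed sample flow records (one malformed line included on purpose).
SAMPLE_FLOWS = """\
198.51.100.10 192.0.2.25 tcp 25
198.51.100.10 203.0.113.80 tcp 80
198.51.100.44 203.0.113.5 tcp 25
198.51.100.44 203.0.113.6 tcp 25
198.51.100.44 203.0.113.7 tcp 25
198.51.100.44 203.0.113.8 tcp 25
198.51.100.71 203.0.113.9 tcp 25
192.0.2.25 203.0.113.5 tcp 25
malformed line
"""

def direct_smtp_peers(flow_text):
    """Map each dorm host to the non-mail-server hosts it reached on tcp/25."""
    peers = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip records that do not parse
        src_s, dst_s, proto, dport = fields
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        except ValueError:
            continue
        if proto != "tcp" or dport != "25":
            continue
        # Mail relayed through the campus server is the expected path.
        if src in DORM_NET and dst != MAIL_SERVER:
            peers[str(src)].add(str(dst))
    return dict(peers)

def flagged_hosts(flow_text, threshold=MAX_DIRECT_SMTP_PEERS):
    """Dorm hosts with more than `threshold` distinct direct SMTP peers."""
    found = direct_smtp_peers(flow_text)
    return sorted(h for h, p in found.items() if len(p) > threshold)

if __name__ == "__main__":
    for host, dsts in sorted(direct_smtp_peers(SAMPLE_FLOWS).items()):
        print(host, len(dsts), "direct SMTP peer(s)")
    print("flagged:", flagged_hosts(SAMPLE_FLOWS))
```

Run before the access list goes in, the same report shows which hosts a tcp 25 restriction would affect; afterwards it can be fed from the router's deny log to find infected machines.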