[unisog] Access lists for dorms

Stasiniewicz, Adam stasinia at msoe.edu
Sat Dec 10 00:44:15 GMT 2005


You should block the following sets for outbound internet access:
-1433, 1434 MSSQL (there are still computers out there with slammer...)
-135, 136, 137, 138, 139, 445, and 1025-1032 File Sharing (obviously
allow to the file server, but not anywhere else).

It goes without saying that you should drop all incoming traffic that is
not destined for a server.

If you do block 25 make sure to allow for an "opt-out" system so people
who do really need to send emails to personal email accounts can.

Don't block 21.  There are few if any viruses that use FTP, you will
hurt much more than gain.  Also, many places do use FTP for file hosting
because of the slight performance gain from using it.

Also you should block all traffic bound for other parts of the internal
network that you don't specifically allow (i.e. SMB to file server).

Hope that helps,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Rob Becker
Sent: Friday, December 09, 2005 3:44 PM
To: unisog at lists.sans.org
Subject: [unisog] Access lists for dorms

I am in the process of migrating our dorm network to it's own subnet.
Once this is done I would like to put some access-lists in our routers
to restrict traffic to other subnets.  At this point, I am considering
limiting outgoing tcp 25 to only our mail server, limiting smb and afp
connectivity to only the student file server and explicitly allowing tcp
port 80 to a few webservers that students will need to access.  I would
like to also add some access lists that will keep our student traffic
out to the internet as clean as possible from a worms/viruses
standpoint.  Does anyone have suggestions as to ports that should be
blocked outgoing to minimize botnet and other malicious traffic?  I
realize that this traffic changes as new threats emerge, but I'm looking
for any low hanging fruit regarding traffic that should not leave our
network bound for the internet.  For the most part, we expect that our
students will be using their campus network connectivity for web
browsing, email and very little else.  We are an Art school and thus
have no Computer Science or Math students who would have need of more
open network connectivity.  Any suggestions, links to best practices
documentation, etc greatly appreciated.
Thanks.
Rob


_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog



More information about the unisog mailing list