[unisog] Any Canadian Universities on here ?

Ramon Kagan rkagan at yorku.ca
Mon May 2 19:52:55 GMT 2005


Hi,

I'm going to have to make a bit of a judgment on the interpretation of
your question.

...
 Filtering port 25 outbound with the exception of the ISP servers - what
are the impacts on edu users.
...

When you say ISP servers I assume you are talking about the University's
mail servers.

This mentality unfortunately doesn't translate to all environments,
especially edu.  Frequently universities have multiple IT groups
supporting their own e-mail system, with little interaction between
groups.  This results in what generally becomes a difficult administration
process, where changes must be communicated between the IT group making
the changes and the personnel responsible for the outbound "filter".
This would also require policy.

Furthermore, many researchers and other community members run their own
servers and this further amplifies the issue.  By definition (be it right
or wrong) university computing infrastructure is generally supposed to be
more "open".  By open I mean accessible.  This paradigm has its advantages
and disadvantages but I'm not going to tackle that here.

It is generally left to host-based authorization/authentication to
moderate inbound and outbound email traffic.  It is an imperfect solution
to an imperfect problem.

I'm going to assume that you are trying to tackle spam.  The use of other
technologies including IDS and IPS is the current methodology we use to
mitigate this problem.  Nonetheless a few incidents must first be recorded
before any action is taken (at least one has to occur before we alert on
it).  As such this is not an ideal solution either, but the best we have
to date.  Furthermore, we have seen some instances where the spam, being
the result of an infection of some sort, actually uses other protocols
(IRC) to eventually relay the email, so blindly blocking port 25 would
not resolve the problem entirely.

Overall, less used protocols such as databases and the like are able to
have such blanket rules with exceptions.  They also generally have some
sort of policy backing them up.  One must remember that the paranoia of
interrupting email in any way is extremely high.  It would seem at times
that email is on a pedestal of its own, where sacrifices (e.g. allow
virus-generated spam to be propagated) are made to ensure its
availability.

Ramon Kagan
York University, Computing and Network Services
Information Security  -  Senior Information Security Analyst
(416)736-2100 #20263
rkagan at yorku.ca

-----------------------------------   ------------------------------------
I have not failed.  I have just	       I don't know the secret to success,
found 10,000 ways that don't work.     but the secret to failure is
				       trying to please everybody.
	- Thomas Edison				- Bill Cosby
-----------------------------------   ------------------------------------

On Mon, 2 May 2005, Paul Ryan wrote:

> Hi Ramon,
> Are you in a position to answer the following - especially as it relates to
> your users offsite etc.
>
>
> Filtering port 25 outbound with the exception of the ISP servers - what are
> the impacts on edu users.
>
> regards,
>
> Paul Ryan
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org]On Behalf Of Ramon Kagan
> Sent: Monday, May 02, 2005 2:24 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Any Canadian Universities on here ?
>
>
> York University here.
>
> Ramon Kagan
> York University, Computing and Network Services
> Information Security  -  Senior Information Security Analyst
> (416)736-2100 #20263
> rkagan at yorku.ca
>
> -----------------------------------   ------------------------------------
> I have not failed.  I have just	       I don't know the secret to success,
> found 10,000 ways that don't work.     but the secret to failure is
> 				       trying to please everybody.
> 	- Thomas Edison				- Bill Cosby
> -----------------------------------   ------------------------------------
>
> On Mon, 2 May 2005, Paul Ryan wrote:
>
> > just trying to gauge the # of Canadian edu institutions on this list ?
> >
> > regards,
> >
> > Paul R
> >
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> >
>
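
Added example, not part of the original message or of any tooling it describes: a dry run of the outbound port 25 rule discussed in this thread over flow records, listing which campus hosts the filter would cut off and which show spam-like fan-out. The address ranges, the registered-server list, the threshold and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All values below are assumptions made for this example.
CAMPUS = ip_network("10.20.0.0/16")
REGISTERED_MTAS = {"10.20.1.25", "10.20.40.8"}  # central and departmental servers
FANOUT_THRESHOLD = 5  # distinct off-campus SMTP peers before a host is flagged

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = (
    [("10.20.1.25", f"198.51.100.{i}", 25) for i in range(1, 9)]       # central MTA
    + [("10.20.77.3", "203.0.113.10", 25),                             # research
       ("10.20.77.3", "203.0.113.11", 25)]                             # group server
    + [("10.20.130.44", f"203.0.113.{i}", 25) for i in range(50, 56)]  # desktop
    + [("10.20.130.44", "10.20.1.25", 25)]       # on-campus relay, unaffected
    + [("10.20.200.9", "198.51.100.200", 6667)]  # IRC, invisible to a port 25 rule
)


def assess_port25_rule(flows, campus=CAMPUS, registered=REGISTERED_MTAS,
                       threshold=FANOUT_THRESHOLD):
    """Dry-run an outbound port 25 block with exceptions for registered servers.

    Returns (would_block, suspects): would_block maps each unregistered campus
    host to the number of distinct off-campus SMTP peers it contacted, and
    suspects lists the hosts whose fan-out reaches the threshold.
    """
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport != 25:
            continue  # the rule only sees SMTP on port 25
        if ip_address(src) not in campus or ip_address(dst) in campus:
            continue  # only campus-to-internet traffic crosses the border filter
        if src in registered:
            continue  # exception list: traffic that stays allowed
        peers[src].add(dst)
    would_block = {src: len(dsts) for src, dsts in peers.items()}
    suspects = sorted(s for s, n in would_block.items() if n >= threshold)
    return would_block, suspects


if __name__ == "__main__":
    blocked, suspects = assess_port25_rule(SAMPLE_FLOWS)
    for host, count in sorted(blocked.items()):
        tag = "SUSPECT" if host in suspects else "needs registration or review"
        print(f"{host}: {count} off-campus SMTP peers ({tag})")
```

Running the same pass over real border flow logs before enabling the rule gives the list of unregistered servers whose owners need to be contacted, which is the coordination cost the message describes.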

