[unisog] registering servers

Gary Flynn flynngn at jmu.edu
Tue Jul 25 18:45:07 GMT 2006


Cal Frye wrote:

>  Gary Flynn ventured to comment, at 7/25/06 9:08 AM:
> 
> 
>>We went to a default deny inbound TCP access policy for the
>>general population last November with almost no problems.
>>People desiring to expose a server to the Internet use a web
>>based form to request it. Inbound connections to student
>>addresses have been blocked since 2003 and to IT staff
>>and other sensitive addresses since 2004.
> 
> 
> Sounds great, Gary,
> Please help me understand the impact this policy has on VoIP calls, like
> Skype and others, to students from home. I know some of these use an
> external server, like AIM, so the connection is initiated from the
> inside, but my understanding is some do not -- or am I misinformed?

Cal,

I interpret the following document as saying that the application
is designed to work even if both clients are behind a firewall
blocking inbound connections by using a peer in the Skype
P2P network:

http://www.skype.com/security/guide-for-network-admins.pdf

> Have there been complaints from this direction, or is this traffic
> blocked by policy anyway on your campus?

I haven't heard of any complaints. I'm not sure if it's because
nobody is using it, because it won't work and they're not
complaining, or because it's working fine. I'm told our
Packeteer shows some Skype traffic but I don't have details.

We do not have a specific policy covering VOIP at this time
AFAIK.

If it became necessary to support it, it appears we could
select a port to use and open just one.

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security