[unisog] registering servers

Barry Lynam b.lynam at qut.edu.au
Wed Jul 26 00:22:34 GMT 2006


We have had a similar policy for about 10 years; in fact we have no 
inbound or outbound traffic by default.  It started out as a paper-based 
system, then we wrote our own custom web app so that support staff could 
register their servers.  The system automatically runs a Nessus scan so 
that when we approve it, we have some sort of idea of the "security" 
level of the system.  We do ask support staff to fix problems on 
occasion before we approve it.  The rules are then added to the 
firewall(s).  We don't say an absolute no to much: smtp (25/tcp) inbound 
and outbound, and no Windows-type traffic (135-139, 445 tcp/udp in and 
out), but if the area has a legitimate business reason to have it exposed 
to the Internet then it is allowed, i.e. we make a risk assessment.

Outbound client access is also default deny; we have a system where 
clients authenticate via a web interface that then allows outbound 
connections.  This works with most applications, but not all.  Some of 
the video conferencing apps don't work, and we are looking into how 
packet/application inspection on the firewall can help.

Barry Lynam





Jordan Wiens wrote:
> We've got a policy of blocking outbound port 25 and requiring mail 
> servers to be registered.  This has saved us a lot of headaches over the 
> past few years and we're looking at what other Universities have done in 
> regards to registering other services besides just outbound mail.
>
> Can those who have experience with registering some or all of the 
> services on their campus before allowing access comment to me (either 
> off or on list) and I'll report with a summary of the results?
>
> I'm specifically interested in how much work it was to implement, 
> whether you have stuck with the initial design, unforeseen problems, 
> whether the benefits outweigh the cost, etc.
>
>   

-- 
 Barry Lynam                            Phone: +61 7 3864 9408
 Team Leader, IT Security                 Fax: +61 7 3864 2921
 Network Services                      Postal: I.T. Services
 Information Technology Services               Level 12, 126 Margaret St
 Queensland University of Technology           GPO Box 2434
 CRICOS No 00213J                              Brisbane QLD 4001
 Email: b.lynam at qut.edu.au                     AUSTRALIA
                 http://www.qut.edu.au/security/


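The workflow Barry describes (register the server, scan it, approve it, then add the rules to a default-deny firewall, with 25/tcp and the Windows ports 135-139/445 opened only after a risk assessment) can be modelled as a small policy check that refuses to emit any rule until the request passes. The following is an added example written for this page, not QUT's registration app: the port policy comes from the post, while the data model, the iptables FORWARD chain, the hostnames and the 192.0.2.0/24 addresses are assumptions made for illustration.

```python
"""Default-deny server registration: review a request, then emit firewall
rules only for approved entries.  Added example, not the system the post
describes; chain name, data model and sample hosts are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address

# Ports the post singles out: 25/tcp plus Windows traffic on 135-139 and 445
# (tcp and udp), in either direction.  Opening one needs a risk decision.
RESTRICTED = {("tcp", 25)}
for _port in list(range(135, 140)) + [445]:
    RESTRICTED.add(("tcp", _port))
    RESTRICTED.add(("udp", _port))


@dataclass
class Service:
    proto: str       # "tcp" or "udp"
    port: int
    direction: str   # "in" = towards the server, "out" = from the server


@dataclass
class Registration:
    host: str
    ip: str
    services: list
    scan_clean: bool = False     # vulnerability scan result at approval time
    risk_accepted: bool = False  # security team accepted the business case


def review(reg):
    """Return (approved, reasons).  Anything not approved stays blocked."""
    reasons = []
    try:
        ip_address(reg.ip)
    except ValueError:
        reasons.append(f"malformed address: {reg.ip!r}")
    if not reg.scan_clean:
        reasons.append("scan reported problems; fix them before approval")
    for s in reg.services:
        if (s.proto not in ("tcp", "udp") or s.direction not in ("in", "out")
                or not 0 < s.port < 65536):
            reasons.append(f"malformed service entry: {s}")
    flagged = sorted(f"{s.proto}/{s.port} {s.direction}" for s in reg.services
                     if (s.proto, s.port) in RESTRICTED)
    if flagged and not reg.risk_accepted:
        reasons.append("restricted ports need a documented risk assessment: "
                       + ", ".join(flagged))
    return (not reasons, reasons)


def render_rules(reg, chain="FORWARD"):
    """iptables ACCEPT rules for an approved registration (assumed perimeter
    chain with a DROP policy).  Returns [] when not approved, so nothing is
    opened by mistake."""
    approved, _ = review(reg)
    if not approved:
        return []
    rules = []
    for s in reg.services:
        if s.direction == "in":
            match = f"-d {reg.ip} --dport {s.port}"
        else:
            match = f"-s {reg.ip} --dport {s.port}"
        rules.append(f"iptables -A {chain} -p {s.proto} {match} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample registrations (not real hosts).
    www = Registration("www", "192.0.2.10",
                       [Service("tcp", 80, "in"), Service("tcp", 443, "in")],
                       scan_clean=True)
    mx = Registration("mx", "192.0.2.25",
                      [Service("tcp", 25, "in"), Service("tcp", 25, "out")],
                      scan_clean=True)
    for reg in (www, mx):
        ok, why = review(reg)
        print(reg.host, "approved" if ok else "rejected", why)
        for rule in render_rules(reg):
            print("   ", rule)
```

The check is deliberately fail-closed: a rejected or malformed request yields no rules at all rather than a partial set, and a restricted port only passes once `risk_accepted` records that someone made the call the post describes.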