[SATLUG] Blocked ports on college campus

Brad Knowles brad at shub-internet.org
Tue Oct 21 15:44:09 CDT 2008

Jon Mark Allen wrote:

> Of course.  With that argument, though, why not just remove all
> firewalls and give everyone unfettered access to all your internal
> servers, too?  After all, they're going to get in anyway, right?

We block inbound traffic to our servers from most networks, except for 
certain ports.  But this doesn't keep people from getting outside of our 
public network.

And there are all sorts of IDS and IPS systems that are in use on our 
networks, of which I only know a small fraction.  The users have to know 
that there's a certain amount of monitoring going on, because they do 
occasionally get nailed.

> There is *always* a way.  It's the admin's job to make it harder.
> Hopefully hard enough that any miscreants will try someone else's
> network instead.

What you really need to make sure that they know is not that they will be 
prevented, but that they will be detected, caught, and prosecuted if they 
participate in certain types of illegal activity.

As an educational institution, anything else should be generally allowed on 
the public networks.

Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>

