
Re: [school-discuss] What should school firewalls keep in/out?



Where, oh where, to start. Well, doing a quick search on Google using the 
phrase "commonly used ports" turned up quite a lot of feedback, with the 
"whys" already answered. This site: http://www.sans.org/y2k/ports.htm seems 
to be very detailed.

For K-12 schools, I think http _should_ be the only one open. If other ports 
are needed, leave them open too, but make sure they are _absolutely_ needed. 
They don't need to be in chat rooms or on ICQ, all they need is http, so they 
can search the web for information on the topic they are given.

Universities are a bit different, though. IRC is pretty important to some 
people. Computer Science students may want to join a project that goes along 
with what they'd like to do when they are out of school. Then they'll have 
some practice. But, what if the only good way to get involved is through a 
chat room? Then they can't do as much. (Yes, I know there are ways around 
this (i.e. mailing lists, etc.), but I'm just trying to make a point.)

For both types of schools ALL FILE SHARING PORTS _SHOULD_ BE CLOSED! They are 
_not_ needed at all.

Really, that link above is very good and easy to follow. Follow it and any 
school should be in good shape.


Chris 

On Wednesday 06 March 2002 02:31 pm, you wrote:
> As someone who lives behind a school's firewall that blocks all but http, I
> have to wonder just what is necessary. I'd like to ask folks on this list
> for their considered opinions on this.
>
> My own view of the situation is that a school needs to keep its network
> open to work traffic and not-so-open to those who just "play." By the
> latter I mean those who actually play network games at times when others
> are trying to use the network to send/receive work/school-related stuff.
> Schools also have to worry about burglars (my name for what "bad" hackers
> do as opposed to those who just hack), and, for their own protection
> against angry mobs, pornography.
>
> I'd prefer, for now, to leave mail and porno out of this. They are
> unavoidable issues and will present themselves for discussion often from
> now on, I'm sure. But I am concerned about how a network administrator
> should draw the line between work and play.
>
> My own bottom line is, as I've said before, a version of the Hippocratic
> oath, "No gatekeeping." That is, in learning institutions, those with
> technical knowledge and access should not prevent others from getting from
> what they have. A more positive version of this is, "enable learning."
> That's what I think educational technology is really all about. So, it
> should go without saying that gatekeeping would not qualify as
> enabling learning. But, it seems to me that that is exactly what network
> admins end up doing, all in the name of "for your protection."
>
> What services should be enabled, and which disabled and why?
>
> David