
Re: [school-discuss] What should school firewalls keep in/out?



Uh Yeah, Well,

Chris Hornbaker wrote:

> Where, oh where, to start. Well, doing a quick search on google using the 
> phrase "commonly used ports" turned up quite a lot of feedback, with the 
> "whys" already answered. This site: http://www.sans.org/y2k/ports.htm seems 
> to be very detailed.


Yes, it has some nice detail.  Here is some more.  All ports are 
commonly probed; a portscan generally checks for any open ports, and 
afterwards an attacker may try a targeted approach.  Most attacks seen 
these days are automated worms, which often result in endless HTTP 
queries for known vulnerabilities.

Often, the security of a service depends on the configuration and 
maintenance of that service, period.


> 
> For K-12 schools, I think http _should_ be the only one open. If other ports 
> are needed, leave them open too, but make sure they are _absolutely_ needed. 
> They don't need to be in chat rooms or on ICQ, all they need is http, so they 
> can search the web for information on the topic they are given.


Only allowing http solves no existing problems and creates new ones 
every time someone wants to do more than offer up a web page on port 80. 
Have you asked the user population what they think they need?


> 
> Universities are a bit different, though. IRC is pretty important to some 
> people. Computer Science students may want to join a project that goes along 
> with what they'd like to do when they are out of school. Then they'll have 
> some practice. But, what if the only good way to get involved is through a 
> chat room? Then they can't do as much. (Yes, I know there are ways around 
> this (i.e., mailing lists, etc.), but I'm just trying to make a point.)


Yeah, most Universities have a pretty good clue and offer Internet 
access, not just a port 80 Television service.

 
> For both types of schools ALL FILE SHARING PORTS _SHOULD_ BE CLOSED! They are 
> _not_ needed at all.


Uh, gee, last time I checked the sharing of files was the reason for a 
network and the internet.  If you want to stop file sharing you better 
get out the scissors to disable the network cables and remove all floppy 
disk drives for a start.  You may want to install lots of shielding to 
get rid of that dangerous wireless stuff you may have heard about.  And 
tin foil hats might be a good idea.


> Really, that link above is very good and easy to follow. Follow it and any 
> school should be in good shape.


The link above leaves a lot to be desired.  FTP is open to bounce 
attacks, if your FTP server is 10 years old.  SSH is commonly probed, so 
what?  SMTP is Simple Mail Transfer Protocol; better tell the Office of 
Homeland Security about that one.  And whatever you do, don't run the X 
Window System (calling it X-Windows is bad form and indicates ignorance 
of what X is all about).  If you block off a bunch of high-level ports 
and try to offer anonymous FTP downloads of course materials, you just 
shot yourself in the foot.  The list has some good info if you can read 
through the FUD.

End of rant.

Sorry to get crotchety, I feel strongly about Internet accessibility issues.

- cameron


> 
> Chris 
> 
> On Wednesday 06 March 2002 02:31 pm, you wrote:
> 
>>As someone who lives behind a school's firewall that blocks all but http, I
>>have to wonder just what is necessary. I'd like to ask folks on this list
>>for their considered opinions on this.
>>
>>My own view of the situation is that a school needs to keep its network
>>open to work traffic and not-so-open to those who just "play." By the
>>latter I mean those who actually play network games at times when others
>>are trying to use the network to send/receive work/school-related stuff.
>>Schools also have to worry about burglars (my name for what "bad" hackers
>>do as opposed to those who just hack), and, for their own protection
>>against angry mobs, pornography.
>>
>>I'd prefer, for now, to leave mail and porno out of this. They are
>>unavoidable issues and will present themselves for discussion often from
>>now on, I'm sure. But I am concerned about how a network administrator
>>should draw the line between work and play.
>>
>>My own bottom line is, as I've said before, a version of the Hippocratic
>>oath, "No gatekeeping." That is, in learning institutions, those with
>>technical knowledge and access should not prevent others from getting from
>>what they have. A more positive version of this is, "enable learning."
>>That's what I think educational technology is really all about. So, it
>>should go without saying that gatekeeping would not qualify as
>>enabling learning. But, it seems to me that that is exactly what network
>>admins end up doing, all in the name of "for your protection."
>>
>>What services should be enabled, and which disabled and why?
>>
>>David
>>



-- 
- cameron miller
- UNIX Systems Administrator
- Pipeline Fool
- (719)587-7685
- cdmiller@adams.edu
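Cameron's point that most of what a school web server sees is automated worms hammering it with requests for known-vulnerable URLs has a simple detection side. The script below is an added example, not part of the original thread or anything Cameron, Chris or David posted: it reads NCSA common-format access-log lines and flags source addresses that produced many 404 responses across many distinct paths, which is what a worm walking a probe list looks like and what a student clicking a few dead links does not. The log lines, addresses and paths are constructed, and the thresholds are assumptions to tune per site.

```python
"""Flag clients whose request pattern looks like automated vulnerability probing.

Added example, not code from the original mailing-list post. It parses
Apache/NCSA "common" format access-log lines and reports hosts that hit
many nonexistent paths, the footprint of a worm cycling through a list of
known-vulnerable URLs. Thresholds are assumed defaults, not from the post.
"""
import re
from collections import defaultdict

# NCSA common log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log lines (invented addresses and paths, not real traffic).
# 10.0.0.5 is an ordinary browsing user; 192.0.2.77 behaves like a worm.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2002:14:31:00 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [06/Mar/2002:14:31:02 -0700] "GET /library/catalog.html HTTP/1.0" 200 2210
10.0.0.5 - - [06/Mar/2002:14:31:09 -0700] "GET /library/missing.html HTTP/1.0" 404 276
192.0.2.77 - - [06/Mar/2002:14:32:10 -0700] "GET /cgi-bin/probe1.cgi HTTP/1.0" 404 276
192.0.2.77 - - [06/Mar/2002:14:32:10 -0700] "GET /cgi-bin/probe2.cgi HTTP/1.0" 404 276
192.0.2.77 - - [06/Mar/2002:14:32:11 -0700] "GET /admin/probe3.php HTTP/1.0" 404 276
192.0.2.77 - - [06/Mar/2002:14:32:11 -0700] "GET /scripts/probe4.exe HTTP/1.0" 404 276
192.0.2.77 - - [06/Mar/2002:14:32:12 -0700] "GET /old/probe5.asp HTTP/1.0" 404 276
192.0.2.77 - - [06/Mar/2002:14:32:12 -0700] "GET /old/probe6.html HTTP/1.0" 404 276
not a log line at all
"""


def parse_line(line):
    """Return (host, path, status) or None for lines that don't match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("path"), int(m.group("status"))


def summarize(lines):
    """Per host: count of 404 responses and the set of distinct paths requested."""
    misses = defaultdict(int)
    paths = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        host, path, status = parsed
        paths[host].add(path)
        if status == 404:
            misses[host] += 1
    return misses, paths


def flag_probers(lines, min_misses=5, min_distinct=5):
    """Hosts with at least min_misses 404s spread over at least min_distinct paths.

    A browsing user hits a few dead links; a worm hits many nonexistent paths
    in quick succession. Both thresholds are assumed defaults; tune per site.
    """
    misses, paths = summarize(lines)
    flagged = [
        host for host in misses
        if misses[host] >= min_misses and len(paths[host]) >= min_distinct
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for host in flag_probers(SAMPLE_LOG.splitlines()):
        print(f"possible automated probing from {host}")
```

Run it against a real access log with `flag_probers(open("access_log").read().splitlines())`; the flagged addresses are candidates for a temporary block or for checking whether the requested paths match a published worm signature, and a handful of 404s from one user stays below the threshold.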