MOVING TO A STATE OF (DEFAULT) DENIAL
ITS will set our network gateway to block externally initiated inbound network sessions by default, except to subnetworks and devices providing public services. This standard networking “best practice” will better protect the institution’s IT services and all devices on the Smith network by blocking unauthorized probing of the network and unauthorized use of Smith’s IT resources.
This change is expected to have no impact on normal end-user network activity. It affects endpoints with wired connections only; wireless endpoints are already in a “default deny inbound” network environment. The effect of implementing this change will mirror almost all “home” network configurations (if you didn’t set up special permitted access on your home network for your device, you won’t be affected by this change). Any network communications that originate from within the Smith network to external resources are not affected by this change. Common communications applications, such as Skype or instant messaging applications, are also not affected by this change.
Smith is implementing a common network configuration at our Internet gateway that will block unsolicited network communications from off campus to our network and allow only communication requests to the public-facing IT services we provide for off-campus use. This is a “best practices” configuration known as “inbound default deny” at the gateway that provides increased protection for Smith’s network, IT services, and every personal device that connects to our network.
A “best practices” network architecture only allows externally originated network traffic through to explicitly identified “public-facing” subnets (often called the network’s “DMZ”) that provide IT services to off-premises constituents and public access, and blocks all other unsolicited external traffic to the rest of the network. This architecture is implemented at the firewall device at Smith’s Internet gateway, which will change from being open (“default allow”) for externally initiated inbound network sessions to closed (“default deny”) for these sessions, except to explicitly identified IT-service-providing subnets and endpoint devices. This greatly reduces the risks associated with unauthorized scoping of Smith’s network environment, probing for potential weaknesses that could be exploited, and unauthorized use of a variety of limited IT resources.
Prior to this change, only a few high-risk network protocols are explicitly blocked; by default, most inbound communications initiated externally are permitted into the entire network. This project will “flip” the default behavior by only allowing external inbound network sessions through to subnetworks and services identified as public-facing, and blocking all other inbound attempts to initiate communications with the rest of the network.
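As an added illustration (not ITS’s actual gateway configuration), the two policies described above expressed as nftables rulesets: the “before” table with a default-accept forward policy and a handful of blocked protocols, and the “after” table with a default-drop policy that still admits replies to campus-initiated sessions and externally initiated sessions to the DMZ or approved endpoints. The interface names “wan”/“lan”, the DMZ prefix 192.0.2.0/24, the exception host 198.51.100.10 and the specific blocked ports are constructed placeholders; only one of the two tables would be loaded on a real gateway.

```nftables
# Constructed example, not Smith ITS's ruleset. Interface names, prefixes and
# port numbers are placeholders chosen for illustration.

# BEFORE: "default allow". Everything is forwarded unless explicitly blocked,
# so any externally initiated session reaches the whole campus network.
table inet gateway_before {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Only a few high-risk protocols are explicitly blocked (placeholder list).
        iifname "wan" tcp dport { 135, 139, 445 } drop
        iifname "wan" udp dport { 137, 138 } drop
    }
}

# AFTER: "inbound default deny". Externally initiated sessions are dropped
# unless they target a public-facing (DMZ) subnet or an approved endpoint.
table inet gateway_after {
    set dmz_public {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }        # placeholder DMZ prefix
    }
    set inbound_exceptions {
        # Individual endpoints approved through the Support Center request process.
        type ipv4_addr . inet_service
        elements = { 198.51.100.10 . 22 }  # placeholder host and port
    }
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions that campus devices started (web, Skype, IM, ...)
        # are recognised by connection tracking and allowed back in. This is
        # why normal end-user activity is unaffected by the change.
        ct state established,related accept
        ct state invalid drop

        # Sessions originating inside the campus network go out unrestricted.
        iifname "lan" oifname "wan" accept

        # Externally initiated sessions: only to public-facing DMZ services ...
        iifname "wan" ip daddr @dmz_public tcp dport { 80, 443 } accept
        # ... or to explicitly approved endpoint/port pairs.
        iifname "wan" ip daddr . tcp dport @inbound_exceptions accept

        # Anything else from outside falls through to the chain policy (drop);
        # logging it makes external probing visible instead of silent.
        iifname "wan" log prefix "inbound-denied " counter drop
    }
}
```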
If you have a network connected device that needs to be able to receive incoming network connections, please contact the ITS Support Center with details of your request. If you have additional questions or concerns about this change, please contact email@example.com.