[Micronet] Fwd: [UCB-NET-ANNOUNCE] ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630


[Micronet] Fwd: [UCB-NET-ANNOUNCE] ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630

Johnathon P. Kogelman
This came across another list and I'm concerned that it was not posted to MicroNet as well because it will affect most departments on Campus. This has been discussed in the past and departments strongly recommended that these blocks remain in-place. The blocking of these ports provides a defense against zero day exploits. Hopefully, IS&T will delay this change until Campus has a chance to weigh in.


-------- Original Message --------
Subject: [UCB-NET-ANNOUNCE] ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630
Date: Thu, 11 Aug 2011 17:18:12 -0700
From: [hidden email]
Reply-To: [hidden email]
Organization: IST-Infrastructure Services
To: [hidden email]


 ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630

Equipment: inr-001 and inr-002 campus border routers
Location: campus-wide impact
Date: wednesday 17 aug 2011 Start: 0600 End: 0630

Description:
next wednesday, 8/17/2011, i will be removing the microsoft port
blocks from the campus border routers. the currently blocked ports
which will be opened up are these:

   135/tcp, 139/tcp, 445/tcp, 593/tcp
   135/udp, 137/udp, 138/udp, 445/udp

network traffic inbound to campus from outside campus or outbound
from campus to outside campus, using these ports, has been blocked
at the border for many years.

campus admins concerned about exposure of their systems to/from
external computers via these ports may wish to configure local
blocks on either host firewall software or on any firewall
appliance hardware on their subnet(s).

ken lindahl
IST-Telecommunications-NOS



 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
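
The local block suggested at the end of the announcement above, sketched as an added example; it is not part of the original thread and is not IST's configuration. It renders an nftables host ruleset for exactly the listed ports and models the same decision in Python. The choice of nftables, the trusted prefixes (documentation ranges) and all names are assumptions.

```python
import ipaddress

# Port/protocol pairs exactly as listed in the announcement.
BLOCKED = {"tcp": (135, 139, 445, 593), "udp": (135, 137, 138, 445)}

# Assumption: sources still allowed to reach these ports. Constructed
# documentation prefixes, not real campus address space.
TRUSTED = ("192.0.2.0/24", "2001:db8:10::/48")


def is_dropped(src, proto, dport, trusted=TRUSTED):
    """Model of the local block: drop the listed ports unless src is trusted."""
    if dport not in BLOCKED.get(proto.lower(), ()):
        return False
    addr = ipaddress.ip_address(src)
    if addr.is_loopback:  # local traffic on the host itself stays allowed
        return False
    nets = [ipaddress.ip_network(c) for c in trusted]
    return not any(n.version == addr.version and addr in n for n in nets)


def nft_ruleset(trusted=TRUSTED, table="ms_port_block"):
    """Render an nftables input-chain ruleset that enforces the same policy."""
    nets = [ipaddress.ip_network(c) for c in trusted]
    out = [f"table inet {table} {{",
           "  chain input {",
           "    type filter hook input priority 0; policy accept;",
           '    iif "lo" accept']
    for family, version in (("ip", 4), ("ip6", 6)):
        allowed = ", ".join(str(n) for n in nets if n.version == version)
        # With no trusted prefix in a family, drop the ports for all of it.
        src = (f"{family} saddr != {{ {allowed} }}" if allowed
               else f"meta nfproto ipv{version}")
        for proto, ports in BLOCKED.items():
            plist = ", ".join(str(p) for p in ports)
            out.append(f"    {src} {proto} dport {{ {plist} }} drop")
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(nft_ruleset())
    # Constructed sample flows: (source address, protocol, destination port)
    for flow in [("192.0.2.44", "tcp", 445), ("198.51.100.9", "tcp", 445),
                 ("198.51.100.9", "udp", 137), ("198.51.100.9", "tcp", 443),
                 ("2001:db8:ffff::1", "udp", 445)]:
        print(flow, "DROP" if is_dropped(*flow) else "accept")
```

The ruleset filters inbound traffic to the host only; the border block described in the announcement also covered outbound traffic, which a host input chain does not.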

Re: [Micronet] Fwd: [UCB-NET-ANNOUNCE] ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630

paul rivers

I'm only the unofficial messenger here, but there will be more soon on
Micronet and other sources on exactly this issue.  That should happen today.

Regards,
Paul

On 08/12/2011 11:00 AM, Johnathon P. Kogelman wrote:

> This came across another list and I'm concerned that it was not posted
> to MicroNet as well because it will affect most departments on Campus.
> This has been discussed in the past and departments strongly recommended
> that these blocks remain in-place. The blocking of these ports provides a
> defense against zero day exploits. Hopefully, IS&T will delay this
> change until Campus has a chance to weigh in.
>
>
> -------- Original Message --------
> Subject: [UCB-NET-ANNOUNCE] ANNOUNCEMENT campus-wide impact wednesday
> 17 aug 2011 0600 - 0630
> Date: Thu, 11 Aug 2011 17:18:12 -0700
> From: [hidden email]
> Reply-To: [hidden email]
> Organization: IST-Infrastructure Services
> To: [hidden email]
>
>
>
>  ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630
>
> Equipment: inr-001 and inr-002 campus border routers
> Location: campus-wide impact
> Date: wednesday 17 aug 2011 Start: 0600 End: 0630
>
> Description:
> next wednesday, 8/17/2011, i will be removing the microsoft port
> blocks from the campus border routers. the currently blocked ports
> which will be opened up are these:
>
>    135/tcp, 139/tcp, 445/tcp, 593/tcp
>    135/udp, 137/udp, 138/udp, 445/udp
>
> network traffic inbound to campus from outside campus or outbound
> from campus to outside campus, using these ports, has been blocked
> at the border for many years.
>
> campus admins concerned about exposure of their systems to/from
> external computers via these ports may wish to configure local
> blocks on either host firewall software or on any firewall
> appliance hardware on their subnet(s).
>
> ken lindahl
> IST-Telecommunications-NOS

Re: [Micronet] [UCB-NET-ANNOUNCE] ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630

billallison
Hi Micronet

I've watched the evolving threads on the CISPC list, Micronet and the campus security list about the UCB-NET-ANNOUNCE posting yesterday that informed us all that some border port blocks will be removed on 8/17. Since this all originated with an email request from me, I wanted to provide you all with full transparency, and to share the origins of that request so the community can engage in discussion and we can have the right policy and impact assessment before any changes are made.

From where I am sitting in Campus Technology Services, I'm very aware that the quality of the computing experience for many campus end users has room for improvement. I received a sudden inflow of (pent up) complaints involving sluggish/hanging performance of Windows machines, and specific problems with file shares not working off-campus, to a degree that impacts staff's ability to get the work of the University done. I recalled much of the discussion from CISPC a few years ago and in discussion with our service providers, thought it possible that the volume and intensity of complaints have escalated because of the changing nature of how people work -- more people are working remotely, and using laptops, including more primary use of notebooks or laptops in lieu of RDP'ing in to their desktop computers. While some are using the VPN to get around this, when I discussed the problem with Docs and the IST Windows team their consensus matched ours that we should seek to remove the border blocks.

None of us are authorized to make that decision, but I wrote a note to Michael Green and other service providers, and conveyed concerns which had come to me and mentioned the position of campus senior leadership on the larger question of their poor end user experience, and I asked if the border blocks could be removed saying I believed they contributed to the problem.    

On re-reading my email this morning, I realize that my language inadvertently gave Network Services the impression that there had been a higher level of authorization for this change request than there had been -- I was asking if the change could be made, not informing them it was authorized or dictating a specific timeframe other than "soon". Network Services, trying to be operationally excellent, jumped on the request. I absolutely do not want to negatively impact campus or blindside people with an unanticipated change, just had wanted to add a request into the pipeline. What I should have done was make the original request via CISPC at which point we could have determined what additional outreach to campus was necessary to fully assess the impact of this change.

CISPC is scheduled to discuss this issue at their meeting next week. I will ask CISPC leadership to report back the outcomes of next week's meeting, including what, if any, next steps will be needed.   As of now, I have retracted my request pending CISPC review and an authorized campus decision -- the port removal is on hold pending that review.

Thanks a lot,
Bill



On Aug 12, 2011, at 11:06 AM, paul rivers wrote:

>
> I'm only the unofficial messenger here, but there will be more soon on
> Micronet and other sources on exactly this issue.  That should happen today.
>
> Regards,
> Paul
>
> On 08/12/2011 11:00 AM, Johnathon P. Kogelman wrote:
>> This came across another list and I'm concerned that it was not posted
>> to MicroNet as well because it will affect most departments on Campus.
>> This has been discussed in the past and departments strongly recommended
>> that these blocks remain in-place. The blocking of these ports provides a
>> defense against zero day exploits. Hopefully, IS&T will delay this
>> change until Campus has a chance to weigh in.
>>
>>
>> -------- Original Message --------
>> Subject: [UCB-NET-ANNOUNCE] ANNOUNCEMENT campus-wide impact wednesday
>> 17 aug 2011 0600 - 0630
>> Date: Thu, 11 Aug 2011 17:18:12 -0700
>> From: [hidden email]
>> Reply-To: [hidden email]
>> Organization: IST-Infrastructure Services
>> To: [hidden email]
>>
>>
>>
>> ANNOUNCEMENT campus-wide impact wednesday 17 aug 2011 0600 - 0630
>>
>> Equipment: inr-001 and inr-002 campus border routers
>> Location: campus-wide impact
>> Date: wednesday 17 aug 2011 Start: 0600 End: 0630
>>
>> Description:
>> next wednesday, 8/17/2011, i will be removing the microsoft port
>> blocks from the campus border routers. the currently blocked ports
>> which will be opened up are these:
>>
>>   135/tcp, 139/tcp, 445/tcp, 593/tcp
>>   135/udp, 137/udp, 138/udp, 445/udp
>>
>> network traffic inbound to campus from outside campus or outbound
>> from campus to outside campus, using these ports, has been blocked
>> at the border for many years.
>>
>> campus admins concerned about exposure of their systems to/from
>> external computers via these ports may wish to configure local
>> blocks on either host firewall software or on any firewall
>> appliance hardware on their subnet(s).
>>
>> ken lindahl
>> IST-Telecommunications-NOS