There are many other recommendations we could introduce as well, so for the end of this session we'll have a look at a few of them. In fact we could fill a book with these, so let's look at some of the ones that are worth considering right now.

First off, implement anti-spoofing filtering at the border of your campus. This is the IETF best current practice known as BCP 38 (RFC 2827). Don't allow packets with source IP addresses other than those from your own address space to exit your campus. If you're using NAT, check that it only translates the address space actually used internally in your campus; a common mistake is to translate any and every source IP address, which turns the NAT into a spoofing laundry. There's a lot more about BCP 38 and anti-spoofing filtering on the MANRS website shown on the slide. MANRS is the Mutually Agreed Norms for Routing Security, and the learn.nsrc.org website has several videos describing MANRS in much more detail. We recommend that all campus administrators have a look at that site and at the video content.

Another recommendation is to block outbound connections to TCP port 25 from the network, apart from the official trusted email servers. This is an industry best practice and is widely deployed by internet service providers and other network operators around the globe. Configure other servers and clients to use your campus mail servers for outbound email. This gives you much better control and insight into how mail is being used or abused across your network, with anti-spam and anti-virus controls on the mail server. It also helps prevent the campus address space from landing in spam blacklists, and as many network administrators know, once you land on a blacklist it's quite challenging to get off it again. Be aware that users of public mail services have nothing to fear from this, because their clients send email via the submission port, TCP 587; some public mail servers instead use TCP 465 for sending email over TLS. Both require authentication before sending is possible, so only legitimate users with legitimate accounts can submit mail. No end user ever needs to send email using TCP 25.

Also consider rate limiting UDP, except for voice and video conferencing devices, as this will help slow down BitTorrent. Many campus administrators ask us how to block BitTorrent and think that simply blocking UDP will solve the problem. Well, BitTorrent will just move to using TCP, and blocking TCP is another thing altogether. In fact, if you try to block it at the TCP level as well, BitTorrent will try to tunnel using IPv6 if that option is selected on the client. So rate limiting UDP is quite commonly implemented on many campus networks, and that limits the impact BitTorrent can have on the infrastructure.

So this concludes looking at some of the current best practices implemented for campus networks. There are many other best practices, and in future we will add to this video series to describe the configuration of some of those as applicable to a campus network.
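The three border policies above (BCP 38 egress filtering, TCP/25 restricted to trusted mail servers, and UDP rate limiting with an exemption for real-time devices) can be checked against sample traffic before they are committed to a router. The following is an added example, not code from the video or from NSRC: a small Python model of the border policy, applied to constructed flow records. The campus prefixes (192.0.2.0/24 and 2001:db8::/32), the trusted mail server 192.0.2.25, the exempt video conferencing host 192.0.2.77 and the rate-limit figures are all assumptions standing in for a real campus allocation. On a real border the same decisions would be an egress ACL and a policer; this model only shows what those rules must permit and drop.

```python
import ipaddress
from dataclasses import dataclass

# Assumed campus allocation: RFC 5737 / RFC 3849 documentation ranges stand in
# for the real prefixes. Anything else as a source address leaving the border
# is spoofed (or a NAT misconfiguration) and must be dropped (BCP 38).
CAMPUS_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Assumed: the only hosts permitted to open outbound TCP/25 sessions.
TRUSTED_MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25")}

# Assumed: voice/video conferencing devices exempt from the UDP policer.
REALTIME_EXEMPT = {ipaddress.ip_address("192.0.2.77")}


@dataclass
class Flow:
    """One outbound flow record as seen at the campus border."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    nbytes: int


class TokenBucket:
    """Simple policer: 'rate' bytes/s of credit, up to 'burst' bytes banked."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.capacity = burst
        self.tokens = burst
        self.last = 0.0

    def consume(self, nbytes, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def is_campus_source(addr):
    """BCP 38 check: the source must belong to our own address space."""
    return any(addr in net for net in CAMPUS_PREFIXES)


def evaluate(flow, now, udp_bucket):
    """Return (verdict, reason) for a flow leaving the campus border.

    Order matters: a spoofed packet is dropped before any other rule sees it,
    so it can never consume rate-limit credit or be counted as mail traffic.
    """
    src = ipaddress.ip_address(flow.src)
    if not is_campus_source(src):
        return ("drop", "bcp38: source not in campus address space")
    if flow.proto == "tcp" and flow.dport == 25 and src not in TRUSTED_MAIL_SERVERS:
        return ("drop", "smtp: outbound tcp/25 only from trusted mail servers")
    if flow.proto == "udp" and src not in REALTIME_EXEMPT:
        if not udp_bucket.consume(flow.nbytes, now):
            return ("drop", "udp: rate limit exceeded")
    return ("permit", "")


# Constructed sample traffic: (time in seconds, flow). Not captured data.
SAMPLE = [
    (0.0, Flow("192.0.2.10", "198.51.100.1", "tcp", 443, 1500)),   # normal web
    (0.0, Flow("10.0.0.5", "198.51.100.1", "tcp", 443, 1500)),     # spoofed source
    (0.0, Flow("2001:db8::10", "2001:db8:ffff::1", "tcp", 443, 1500)),  # campus v6
    (0.0, Flow("2001:db9::10", "2001:db8:ffff::1", "tcp", 443, 1500)),  # spoofed v6
    (0.0, Flow("192.0.2.10", "203.0.113.5", "tcp", 25, 900)),      # direct-to-MX
    (0.0, Flow("192.0.2.25", "203.0.113.5", "tcp", 25, 900)),      # campus MTA
    (0.0, Flow("192.0.2.10", "203.0.113.5", "tcp", 587, 900)),     # submission
    (0.0, Flow("192.0.2.77", "203.0.113.9", "udp", 3478, 20000)),  # video device
    (0.0, Flow("192.0.2.10", "203.0.113.9", "udp", 6881, 8000)),   # bittorrent
    (0.0, Flow("192.0.2.10", "203.0.113.9", "udp", 6881, 8000)),   # over budget
    (10.0, Flow("192.0.2.10", "203.0.113.9", "udp", 6881, 8000)),  # refilled
]


def run_sample():
    """Apply the policy to SAMPLE; returns one verdict string per flow."""
    bucket = TokenBucket(rate=1000, burst=10000)  # assumed: 1 kB/s, 10 kB burst
    return [evaluate(flow, t, bucket)[0] for t, flow in SAMPLE]


if __name__ == "__main__":
    for (t, flow), verdict in zip(SAMPLE, run_sample()):
        print(f"t={t:>4} {flow.proto}/{flow.dport:<5} {flow.src:<20} -> {verdict}")
```

The UDP flows in the sample show why a plain block is the wrong tool: the first 8000-byte burst from 192.0.2.10 is permitted, the immediate second one is dropped because only 2000 bytes of credit remain, and ten seconds later the bucket has refilled and traffic flows again at the configured rate. The video conferencing host is never policed, and the spoofed IPv4 and IPv6 sources are dropped before any later rule runs.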
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.