I'm going to bypass the academic vs. non-academic security argument because I've worked everywhere, and from a security viewpoint, there is plenty of fail to go around.

On Tue, Jun 11, 2013 at 09:37:04PM -0400, Ricky Beam wrote:
> I run a default deny policy... if nothing asked for it, it doesn't get in.

This is a fine thing and good thing. But as you've expressed it here, it's incomplete, because of that last clause: "it doesn't get in". For default-deny to be effective, it has to be bidirectional. Please don't tell me it can't be done. I've done it. Repeatedly. It's a LOT of work. (Although progress in toolsets keeps making it easier.) But it's also essential, since your responsibility is not just to defend your operation from the Internet, but to defend the Internet from your operation.

---rsk