Educause Security Discussion mailing list archives

Re: Firewall Strategies


From: Dave Koontz <dkoontz () MBC EDU>
Date: Sat, 4 Feb 2006 12:14:03 -0500

Hopefully things have changed with Cisco's IOS firewall feature set.   When
we attempted to utilize that a couple years ago we had some major issues
with our router.  There was too much competition for resources, even on a
7000 series router with a fairly small user base.  We ended up removing that
function from the router and went with redundant inline PIX firewalls.  This
has worked much better for us.

Like many, we use firewalls to block any uninitiated inbound traffic to our
users.  We do allow most outbound traffic that is initiated by the client,
with the exception of SMTP which we have blocked due to potential SPAM/Virus
issues.  To keep things in check, we also use a PacketShaper to regulate
traffic priorities to ensure key services get optimal bandwidth.  There are
also a host of other things we block in various ways, but I can't go into
that here.

We have not had any kickback whatsoever from the campus community.  Most
are very appreciative of our efforts to help protect them.  The added
benefit here is that you will know exactly what is being run on your
network, and can make necessary exceptions when warranted, or kill off
unneeded services.


---
Dave Koontz
Mary Baldwin College


-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Friday, February 03, 2006 5:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Strategies

James Meyers wrote:

Hi.  I'm new to this list and apologize in advance if this has been
covered before.

Just curious as to other universities' success/failures regarding
firewall strategies.  We're trying to architect a strategy to protect
our network, and could benefit from the experiences of others.   Do you
use a perimeter firewall?  Have there been political hurdles to clear
in order to do so?  Do you have areas throwing up their own firewalls?
What complications have you run into with various strategies?

Any input will be appreciated.



We use Intrusion Prevention Systems and router ACLs at the perimeter. We're
planning on adding the Cisco IOS firewall feature set on the perimeter
routers to help fortify our inbound default deny policy that we implemented
in November using ACLs.
The policy we're trying to enforce is to disallow all inbound TCP connection
requests except to systems (i.e. servers) on a white list.
The IOS feature set may also be used as an IPSEC and/or SSL VPN termination
point.

I don't want to say too much about our internal controls on the list but
they're all provisioned by IT. I'd like to add internal proxy type firewalls
and web application intrusion prevention systems at some point though the
latter may end up being host based rather than network based.

Our populace has been very supportive of our network access controls.

Gary Flynn
Security Engineer
James Madison University
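As an added illustration, not taken from either poster's actual configuration, here is how the two policies described in this exchange can be expressed as Cisco IOS extended ACLs: Gary's inbound default deny that admits new TCP connections only to whitelisted servers, and Dave's block on client-initiated outbound SMTP. Interface names, the 192.0.2.0/24 address block, the server addresses and the mail-relay exception are all assumed placeholders.

```cisco
! Perimeter router ACLs (constructed example, placeholder addresses).
!
! Inbound from the ISP: default deny for new TCP connection requests,
! except to servers on the whitelist.
ip access-list extended OUTSIDE-IN
 remark --- whitelisted servers: new TCP sessions may be opened to these ---
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.25 eq 25
 remark --- return traffic for sessions opened from inside (ACK/RST set) ---
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark --- every other inbound TCP connection request is dropped and logged ---
 deny   tcp any any log
 remark --- non-TCP traffic is not covered by the thread; the ACL's implicit
 remark --- "deny ip any any" drops it unless a permit is added above
!
! Outbound from campus: clients may initiate most traffic, but SMTP is
! blocked except from the campus mail relay (relay exception is assumed).
ip access-list extended INSIDE-IN
 remark --- only the mail relay may open SMTP sessions to the Internet ---
 permit tcp host 192.0.2.25 any eq 25
 deny   tcp 192.0.2.0 0.0.0.255 any eq 25 log
 remark --- everything else initiated by campus hosts is allowed out ---
 permit ip 192.0.2.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 description Outside (ISP uplink)
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description Inside (campus)
 ip access-group INSIDE-IN in
```

The `established` keyword only matches TCP segments with ACK or RST set, so it is a stateless approximation of "return traffic"; the stateful inspection Gary mentions (the IOS firewall feature set) is what replaces that line with real session tracking.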
