Educause Security Discussion mailing list archives
Re: Firewall Strategies
From: Dave Koontz <dkoontz () MBC EDU>
Date: Sat, 4 Feb 2006 12:14:03 -0500
Hopefully things have changed with Cisco's IOS firewall feature set. When we attempted to utilize that a couple of years ago we had some major issues with our router. There was too much competition for resources, even on a 7000 series router with a fairly small user base. We ended up removing that function from the router and went with redundant inline PIX firewalls. This has worked much better for us.

Like many, we use firewalls to block any uninitiated inbound traffic to our users. We do allow most outbound traffic that is initiated by the client, with the exception of SMTP, which we have blocked due to potential SPAM/Virus issues. To keep things in check, we also use a PacketShaper to regulate traffic priorities to ensure key services get optimal bandwidth. There are also a host of other things we block in various ways, but I can't go into that here.

We have not had any kickback whatsoever from the campus community. Most are very appreciative of our efforts to help protect them. The added benefit here is that you will know exactly what is being run on your network, and can make necessary exceptions when warranted, or kill off unneeded services.

---
Dave Koontz
Mary Baldwin College

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Friday, February 03, 2006 5:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Strategies

James Meyers wrote:
Hi. I'm new to this list and apologize in advance if this has been covered before. Just curious as to other universities' successes/failures regarding firewall strategies. We're trying to architect a strategy to protect our network, and could benefit from the experiences of others. Do you use a perimeter firewall? Have there been political hurdles to clear in order to do so? Do you have areas throwing up their own firewalls? What complications have you run into with various strategies? Any input will be appreciated.
We use Intrusion Prevention Systems and router ACLs at the perimeter. We're planning on adding the Cisco IOS firewall feature set on the perimeter routers to help fortify our inbound default deny policy that we implemented in November using ACLs. The policy we're trying to enforce is to disallow all inbound TCP connection requests except to systems (i.e. servers) on a white list. The IOS feature set may also be used as an IPSEC and/or SSL VPN termination point.

I don't want to say too much about our internal controls on the list but they're all provisioned by IT. I'd like to add internal proxy type firewalls and web application intrusion prevention systems at some point, though the latter may end up being host based rather than network based.

Our populace has been very supportive of our network access controls.

Gary Flynn
Security Engineer
James Madison University
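The two policies described in this thread (Gary's inbound default deny with a server whitelist enforced by router ACLs and the IOS firewall feature set, and Dave's allow-outbound-except-SMTP rule), written out as an added Cisco IOS configuration example that is not from either poster's network. Addresses (192.0.2.0/24), interface names and ACL names are assumed placeholders.

```cisco
! Added example, not from the thread. Campus block 192.0.2.0/24,
! interface names and ACL/inspect names are assumed.
!
! Inbound from the Internet: only whitelisted servers may receive
! new TCP connections; every other inbound TCP request is denied.
ip access-list extended INBOUND-FROM-INTERNET
 remark --- whitelist: public servers allowed to accept new connections
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.25 eq 25
 remark --- return traffic for client-initiated sessions
 remark --- 'established' only matches ACK/RST set; it is not stateful
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark --- default deny for all other inbound TCP connection requests
 deny   tcp any any log
 remark --- non-TCP traffic needs its own rules (replies for DNS, ICMP)
 permit udp any eq 53 192.0.2.0 0.0.0.255 gt 1023
 permit icmp any any echo-reply
 permit icmp any any unreachable
 deny   ip any any log
!
! Outbound from campus: allow client-initiated traffic, but block SMTP
! except from the mail server, to contain spam/virus relays.
ip access-list extended OUTBOUND-TO-INTERNET
 permit tcp host 192.0.2.25 any eq 25
 deny   tcp 192.0.2.0 0.0.0.255 any eq 25 log
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! IOS firewall feature set (CBAC): tracks sessions leaving campus and
! opens the matching return traffic dynamically, so the stateless
! 'established' line above can be removed once inspection is in place.
ip inspect name CAMPUS-FW tcp
ip inspect name CAMPUS-FW udp
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group INBOUND-FROM-INTERNET in
!
interface GigabitEthernet0/1
 description Campus-facing
 ip access-group OUTBOUND-TO-INTERNET in
 ip inspect CAMPUS-FW in
```

The `log` keywords on the deny lines are what make the default-deny policy observable (blocked connection attempts show up in syslog), and the inspection runs on the router CPU, which is the resource contention Dave describes above.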
Current thread:
- Firewall Strategies James Meyers (Feb 03)
- <Possible follow-ups>
- Re: Firewall Strategies Gary Flynn (Feb 03)
- Re: Firewall Strategies Dave Koontz (Feb 04)
- Re: Firewall Strategies Mark Bauer (Feb 04)
- Re: Firewall Strategies Christian Wilson (Feb 06)
- Re: Firewall Strategies Valdis Kletnieks (Feb 06)
- Re: Firewall Strategies Alan Amesbury (Feb 06)
- Re: Firewall Strategies Richard Hopkins (Feb 10)