Educause Security Discussion mailing list archives
Re: Firewall Strategies
From: Mark Bauer <mbauer () SKIDMORE EDU>
Date: Sat, 4 Feb 2006 13:49:13 -0500
At Skidmore we use a multi-layer defense. The border router stops all IANA reserved addresses as well as some of the nastier ports that have no real function inside the network. A Packeteer watches over the bandwidth and gives us a fairly decent look at the inbound. The firewalls are set with the last rule deny. Initially we thought this would have a huge impact on users, but the fact is most legal inbound traffic is heading for a server or has been requested (web pages etc.). Very few users (around 1%) have firewall rules for themselves (we encourage VPN).

There are no political issues - thanks mostly to Blaster, Nachi and all of their friends since 2003 - as the campus community realizes what our protections do. Every new outbreak of something helps spread the word about why we need to lock things down as much as possible without getting in the way of academic freedom or the sharing of information. We have the policy of - if you request the hole, and it is not a huge security risk (like telnet to a major server) - we'll open it. It has reduced the tension, and resulted in very few requests. Few don't accept VPN as an alternative to a firewall hole.

Others do put firewalls up, most notably the Computer Science department, but so far there has been no conflict because of this. The original reasons for these have been removed - the students are now outsourced to RoadRunner, so their massively infected computers do not have the access to the network they once had.

We also use an IDP in the Internet path and have StealthWatch inside to watch over things.

Mark Bauer
Network Administrator
Skidmore College

________________________________

From: James Meyers [mailto:A02JDM1 () WPO CSO NIU EDU]
Sent: Fri 2/3/2006 4:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Strategies

Hi. I'm new to this list and apologize in advance if this has been covered before. Just curious as to other universities' successes/failures regarding firewall strategies.

We're trying to architect a strategy to protect our network, and could benefit from the experiences of others. Do you use a perimeter firewall? Have there been political hurdles to clear in order to do so? Do you have areas throwing up their own firewalls? What complications have you run into with various strategies? Any input will be appreciated.

Jim Meyers
Manager, IT Security
Northern Illinois University
jdmeyers () niu edu
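The layered design described in the reply above (a border router that discards packets from IANA reserved source ranges, then a stateful firewall whose last rule is deny, with explicit holes only for published servers and for return traffic of connections that inside hosts requested) can be modelled in a few dozen lines. The block below is an added illustration written for this archive page; it is not code from Skidmore or from any of the posters. The campus address block, server addresses, port numbers and the reserved-range list are all constructed for the example, and a real border filter would be generated from the current IANA registry rather than typed in by hand.

```python
"""Added example: model of a two-layer inbound filter.

Layer 1 (border router): drop packets whose source lies in a reserved or
private range that should never appear on the Internet side.
Layer 2 (firewall): stateful default-deny inbound, with explicit holes for
published servers and an allow for replies to inside-initiated connections.
All addresses, ports and ranges here are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed list of well-known reserved/private blocks (not a full IANA list).
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed campus address block (constructed, from the documentation range).
CAMPUS = ipaddress.ip_network("198.51.100.0/24")

# Explicit inbound holes as (destination host, protocol, port). Constructed.
INBOUND_HOLES = {
    ("198.51.100.10", "tcp", 80),    # public web server
    ("198.51.100.10", "tcp", 443),
    ("198.51.100.20", "tcp", 25),    # mail relay
    ("198.51.100.5", "udp", 1194),   # VPN concentrator: the preferred hole
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 0


def border_router(pkt: Packet) -> bool:
    """Layer 1: True if the packet passes the reserved-source filter."""
    src = ipaddress.ip_address(pkt.src)
    return not any(src in net for net in RESERVED_SOURCES)


class Firewall:
    """Layer 2: stateful firewall with deny as the last rule."""

    def __init__(self) -> None:
        # Remembered outbound flows: (inside host, proto, outside host, outside port)
        self.state: set = set()

    def outbound(self, pkt: Packet) -> bool:
        """Inside-initiated traffic is allowed and recorded so replies can return."""
        self.state.add((pkt.src, pkt.proto, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.dst) not in CAMPUS:
            return False  # not addressed to us at all
        # Rule 1: reply to a connection an inside host requested
        if (pkt.dst, pkt.proto, pkt.src, pkt.sport) in self.state:
            return True
        # Rule 2: explicit hole for a published server
        if (pkt.dst, pkt.proto, pkt.dport) in INBOUND_HOLES:
            return True
        # Last rule: deny everything else
        return False


def evaluate_inbound(fw: Firewall, pkt: Packet) -> str:
    """Run a packet through both layers and report where it ended up."""
    if not border_router(pkt):
        return "dropped-at-border"
    return "allowed" if fw.inbound(pkt) else "denied-by-firewall"


def demo() -> dict:
    """Constructed traffic sample showing each outcome."""
    fw = Firewall()
    # An inside workstation browses to an outside web server.
    fw.outbound(Packet("198.51.100.55", "203.0.113.9", "tcp", 443, sport=51000))
    return {
        "spoofed_private_source": evaluate_inbound(
            fw, Packet("10.1.2.3", "198.51.100.10", "tcp", 80)),
        "web_to_server": evaluate_inbound(
            fw, Packet("203.0.113.7", "198.51.100.10", "tcp", 80)),
        "telnet_to_workstation": evaluate_inbound(
            fw, Packet("203.0.113.7", "198.51.100.55", "tcp", 23)),
        "reply_to_requested_page": evaluate_inbound(
            fw, Packet("203.0.113.9", "198.51.100.55", "tcp", 51000, sport=443)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

The state table keyed on the outside host and port is what lets "last rule deny" coexist with normal browsing: the web page the workstation asked for comes back, while an unsolicited telnet to the same workstation hits the final deny. Anything that must be reachable from outside is an explicit entry in `INBOUND_HOLES`, which is the list a request for a hole would add to.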