Educause Security Discussion mailing list archives

Re: Firewall Strategies


From: Mark Bauer <mbauer () SKIDMORE EDU>
Date: Sat, 4 Feb 2006 13:49:13 -0500

At Skidmore we use a multi-layer defense. The border router stops all IANA reserved addresses as well as some of the 
nastier ports that have no real function inside the network. A Packeteer watches over the bandwidth and gives us a 
fairly decent look at the inbound. The firewalls are set with the last rule deny. Initially we thought this would have 
a huge impact on users, but the fact is most legal inbound traffic is heading for a server or has been requested (web pages, 
etc.). Very few users (around 1%) have firewall rules for themselves (we encourage VPN).
 
There are no political issues - thanks mostly to Blaster, Nachi and all of their friends since 2003 - as the campus 
community realizes what our protections do. Every new outbreak of something helps spread the word about why we need to 
lock things down as much as possible without getting in the way of academic freedom or the sharing of information. We 
have the policy of - if you request the hole, and it is not a huge security risk (like telnet to a major server) - 
we'll open it. It has reduced the tension, and resulted in very few requests. Few don't accept VPN as an alternative to 
a firewall hole.
 
Others do put firewalls up, most notably the Computer Science department, but so far there has been no conflict because 
of this. The original reasons for these have been removed - the students are now outsourced to RoadRunner, so their 
massively infected computers do not have the access to the network they once had.
 
We also use an IDP in the Internet path and have StealthWatch inside to watch over things.
 
 
Mark Bauer
Network Administrator
Skidmore College
 
 
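As an added illustration (not from Mark's message or Skidmore's actual configuration), a small Python policy evaluator modelling the layers he describes: IANA-reserved (bogon) source filtering and port blocking at the border router, then a default-deny firewall that admits only replies to connections the inside requested and explicitly opened server ports. The address ranges, port list and server rules below are constructed placeholders, not real Skidmore values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of IANA-reserved / bogon prefixes that have no business
# appearing as a source address on the Internet side (not the full list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Assumed set of "nastier ports" with no legitimate inbound function on campus.
BLOCKED_PORTS = {135, 137, 138, 139, 445}

# Constructed inbound exceptions: (server address, port) pairs opened on request.
SERVER_RULES = {("203.0.113.10", 80), ("203.0.113.10", 443), ("203.0.113.25", 25)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    established: bool = False  # reply to a session an inside host initiated


def border_router(pkt):
    """First layer: drop bogon sources and blocked ports, pass everything else."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGONS):
        return "drop:bogon-source"
    if pkt.dport in BLOCKED_PORTS:
        return "drop:blocked-port"
    return "pass"


def firewall(pkt):
    """Second layer: allow requested traffic and opened server ports; last rule deny."""
    if pkt.established:
        return "allow:established"
    if (pkt.dst, pkt.dport) in SERVER_RULES:
        return "allow:server-rule"
    return "deny:default"


def evaluate(pkt):
    """Run an inbound packet through both layers and return the final verdict."""
    verdict = border_router(pkt)
    return verdict if verdict != "pass" else firewall(pkt)
```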

________________________________

From: James Meyers [mailto:A02JDM1 () WPO CSO NIU EDU]
Sent: Fri 2/3/2006 4:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Strategies



Hi.  I'm new to this list and apologize in advance if this has been
covered before. 

Just curious as to other universities' successes/failures regarding
firewall strategies.  We're trying to architect a strategy to protect
our network, and could benefit from the experiences of others.  Do you
use a perimeter firewall?  Have there been political hurdles to clear in
order to do so?  Do you have areas throwing up their own firewalls?
What complications have you run into with various strategies?

Any input will be appreciated.


Jim Meyers
Manager, IT Security
Northern Illinois University
jdmeyers () niu edu
