Educause Security Discussion mailing list archives
Re: Firewall - Egress Policy
From: Jack Suess <jack () UMBC EDU>
Date: Mon, 4 Sep 2006 19:59:17 -0400
What we did for game ports (and SMTP beyond our campus) in resnet is set up a separate VPN concentrator for resnet students that bypassed the firewall rules. Essentially this provided them a tunnel through resnet and the campus network security that they can use for games. We tell students if we find them with security violations we will disable their use of the VPN. We use our IDS to monitor the traffic for security violations and have a session timeout of 8 or 9 hours so they can't stay logged in for the semester. In general it allowed us to provide a way out for those that really wanted to use it. In addition, it was more standard and less work than trying to figure out what the games required open (which I agree is ridiculous). We didn't actively promote this and basically used it to respond to kids complaining that they spent $$ on a game subscription or needed to communicate with an outside SMTP server for work.

jack

On 9/4/06 4:09 PM, "Cal Frye" <cjf () CALFRYE COM> wrote:
Chris Golden ventured to comment, at 9/4/06 11:10 AM:

I am struggling keeping up with outbound firewall rules pertaining to games and other gaming apps (i.e. Ventrilo, TeamSpeak, PS2, Xbox Live). We have a policy allowing approved gaming ports to be opened after 5pm M-F and all day on the weekends. However, as more and more games come out requiring 4,000+ ports I am starting to think this is pointless. I see the need for filtering out certain ports such as SMTP, SNMP, MS RPC, NetBIOS, SMB/IP, TFTP, IRC (6000-6999), but it would be easier to create rules for these ports and allow others. What are some of your thoughts/policies on this?

I'm with Gary, in that we use our Packetshaper to manage some of this stuff. Specifically with game applications,

1) You'll get no help from most game developers, who consider you the enemy. It's remarkably difficult to obtain server IP/port information on many of these games, etc. They in turn don't understand the shift from default-admit to default-deny firewall administration ;-)

2) You could just shut all these ports off, if your office location is unknown to your students and your underwear is flameproof.

Trying to help these many applications work across a bandwidth manager or firewall nearly requires a stateful and deep-inspection approach to be most effective. Too bad those boxes are more expensive.

For the most part, Oberlin uses firewalls to protect core services from Internet and student users alike, and our edge firewall only filters out the most egregious junk. I apologize in advance for what we let them do to others! (We're improving on our identification of outbound bad traffic, but don't block much by default.)

I think the most important thing we can do is lean on the game developers to improve their transparency and consistency. Ventrilo is currently driving me nuts, in that each server seems to use a different random port, making it very difficult to be kind to them.

It's true, if all Ventrilo servers worked on a standard port it would be easier to shut that off, but it would be just as easy to permit it. Of course, if we all were to become hard-nosed about it, everything would switch to port 80, I suppose ;-) Good question; I don't believe I have the right answer for this question yet, myself.
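The two egress approaches Chris describes (time-windowed allow list of approved game ports with default deny, versus a short always-on deny list with default allow), encoded as decision logic and run over a few constructed flows. This is an added example, not code from the thread; the "approved game" port set and the sample flows are assumptions, while the deny-list ports are the well-known numbers for the services he names.

```python
from datetime import datetime

# Well-known destination ports for the services Chris wants filtered outbound,
# as (low, high) ranges per protocol: SMTP, MS RPC, NetBIOS, SMB, IRC over TCP;
# TFTP, NetBIOS, SNMP over UDP.
DENY_PORTS = {
    "tcp": [(25, 25), (135, 135), (137, 139), (445, 445), (6000, 6999)],
    "udp": [(69, 69), (137, 139), (161, 162)],
}

# Assumed "approved gaming ports" for the original policy; the thread does not
# list them, so this set is constructed for illustration.
APPROVED_GAME_PORTS = {"tcp": [(3074, 3074)], "udp": [(3074, 3074)]}

def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

def gaming_window_open(when):
    """Approved game ports open after 17:00 Mon-Fri and all day Sat/Sun."""
    return when.weekday() >= 5 or when.hour >= 17   # weekday(): Mon=0 .. Sun=6

def original_policy(proto, dport, when):
    """Default deny: only approved game ports, and only inside the window."""
    if in_ranges(dport, APPROVED_GAME_PORTS[proto]) and gaming_window_open(when):
        return "allow"
    return "deny"

def proposed_policy(proto, dport, when):
    """Default allow: block the short list of risky services at all times."""
    return "deny" if in_ranges(dport, DENY_PORTS[proto]) else "allow"

# Constructed sample flows: (label, proto, dport, time of the connection).
SAMPLE_FLOWS = [
    ("ventrilo-random-port", "tcp", 52137, datetime(2006, 9, 5, 12, 0)),  # Tue noon
    ("approved-game-port",   "udp", 3074,  datetime(2006, 9, 5, 12, 0)),  # Tue noon
    ("approved-game-port",   "udp", 3074,  datetime(2006, 9, 5, 18, 0)),  # Tue 18:00
    ("outbound-smtp",        "tcp", 25,    datetime(2006, 9, 9, 10, 0)),  # Sat morning
    ("irc",                  "tcp", 6667,  datetime(2006, 9, 9, 10, 0)),  # Sat morning
]

def compare(flows=SAMPLE_FLOWS):
    """Return [(label, original_decision, proposed_decision), ...] per flow."""
    return [(label, original_policy(p, d, t), proposed_policy(p, d, t))
            for label, p, d, t in flows]

if __name__ == "__main__":
    for label, old, new in compare():
        print(f"{label:22s} original={old:5s} proposed={new}")
```

The random-port game server is denied under the original policy regardless of time but passes the deny-list policy, while SMTP and IRC stay blocked under both, which is the trade-off the thread is weighing.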
Current thread:
- Firewall - Egress Policy Chris Golden (Sep 04)
- Re: Firewall - Egress Policy Gary Flynn (Sep 04)
- Re: Firewall - Egress Policy Cal Frye (Sep 04)
- Re: Firewall - Egress Policy Jack Suess (Sep 04)
- Re: Firewall - Egress Policy Steve Lovaas (Sep 05)
- Re: Firewall - Egress Policy Bruce Curtis (Sep 05)