Educause Security Discussion mailing list archives
Re: Too Many Exceptions in the Firewall
From: Peter Wan <peter.n.wan () GMAIL COM>
Date: Wed, 1 Nov 2006 11:25:06 -0500
On 11/1/06, David Buckley <david () clemson edu> wrote:
> Hello All, I would like to solicit the input of this list concerning some recent issues we are having with incoming faculty. We have recently hired some "high profile" faculty who were sought out by the administration to help compete on a national level. The problem that we have is that the moment the new faculty members arrive, they begin screaming because the systems under their desks are not accessible from outside and we are impeding their research. We have a perimeter firewall that does not accept any inbound un-initiated requests. We attempt to offer centralized services for web hosting, database services, etc. The problem seems to be that the faculty want to be able to touch the systems providing the hosting and be able to show off their quad-core Apple servers pulsing in their office. They also go right to the top (CIO) and fuss, causing him in turn to ask us to fix it immediately, and therefore causing the firewall exception. Our worry is that this exception will soon be (or already is) out of hand and faculty will spread the word of these exceptions. I know that not everyone supports perimeter firewalls, but that has been our best solution for the time being considering manpower/resources. Some questions I have on this are:
Hello David, I am the Firewall Services Manager at Georgia Institute of Technology. We use a few ACLs on our border gateway routers, and then have PIX firewalls in front of over 130 subnets for the 3.5 class B address ranges that we own. The ACLs at the border kill things like file sharing, TFTP, SNMP, and other services which should not be crossing our border. The PIX firewalls are virtual instances on Firewall Services Modules that plug into our router/switch chassis. These PIX firewalls are configured in "default deny" mode, similar to the way you have yours configured.
> How are you dealing with these issues? Do you have a policy that addresses this?
We have a Change Request Process that a designated representative (or representatives) from the department/unit can use to generate a Remedy ticket to make a change request. I review the request for compliance with our Computing/Networking Usage/Security Policy. I also request further information (a Nessus or other vulnerability scan on the system(s) in question to verify that the requested port doesn't have exploitable bugs or configuration errors for the service), and if the request has an acceptable risk, I send the ticket to the firewall team for implementation (I am the Senior Information Security Engineer in the security group, and there is a separate network group which has control of the firewalls and other network devices).
> Do you have SLAs that address this?
Our agreement is that we will handle requests within 72 hours if possible. Sometimes it is not possible (such as when systems are found to be not up-to-date on patches, etc.). Subject to our vulnerability scan, we open ports that are reasonable for the unit to conduct business; we try to encourage them to use VPNs or have one SSH server through which all their unit's traffic can traverse, but sometimes the unit has different servers for different service classes or internal units so we deal with those on a case-by-case basis.
> How do you reveal the responsibility for the data to the department?
Not sure what you mean by this.
> Has anyone delegated firewall exceptions to the discretion of the department? Does that work well?
We have only a limited number of departments who have been delegated control of their routers and firewalls; most other departments go through the change process I described to effect changes in their firewall policies.
> What other protections do you have in place to augment the security for the exceptions?
We scan our entire address range twice a year with vulnerability scanners, and we scan hosts that are the subject of change requests to look for issues in the ports being requested.
> Also, if anyone has transitioned from perimeter firewalls to a more layered approach, please describe your migration steps.
We never had a perimeter firewall, only ACLs on the border router. Those are still in place to protect the unfirewalled parts of campus.

Peter Wan
Senior Information Security Engineer
Georgia Institute of Technology
Atlanta, Georgia 30332-0700
peter.wan () oit gatech edu

> Thanks,
> David Buckley, CISSP
> Security Consultant
> Clemson University
-- Peter Wan <peter.n.wan () gmail com>
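The controls Peter describes (a change ticket per exception, a vulnerability scan of the host before the port is opened, twice-yearly rescans, and border ACLs that drop file sharing, TFTP and SNMP) lend themselves to a periodic audit of the exception list, which is one way to keep the sprawl David worries about visible. The following is an added example, not code from either poster's institution; the register format, host addresses, ticket ids and scan dates are all constructed for illustration.

```python
"""Audit a firewall-exception register for missing justification and staleness.

Each row is one inbound exception: destination host, port, owning unit,
change-request ticket, and the date of the host's last vulnerability scan.
Findings: no ticket, a port the border ACLs already drop, no scan on record,
or a scan older than the twice-a-year cycle.
"""
import csv
import io
from datetime import date

# Services dropped at the border in the thread; an exception for them
# conflicts with that policy and should be questioned, not implemented.
BORDER_BLOCKED = {69: "tftp", 137: "netbios-ns", 138: "netbios-dgm",
                  139: "netbios-ssn", 161: "snmp", 162: "snmp-trap", 445: "smb"}
SCAN_MAX_AGE_DAYS = 183  # roughly the twice-yearly scan interval

# Constructed sample register (hypothetical hosts, tickets and dates).
REGISTER = """\
host,port,unit,ticket,last_scan
10.0.12.5,443,Physics,CR-1001,2006-09-15
10.0.12.9,22,Physics,CR-1002,2006-03-01
10.0.40.7,445,Chemistry,,2006-10-20
10.0.40.8,8080,Chemistry,CR-1010,
"""


def audit(register_text: str, today: date) -> list[tuple[str, int, str]]:
    """Return one (host, port, finding) tuple per rule an exception fails."""
    findings = []
    for row in csv.DictReader(io.StringIO(register_text)):
        host, port = row["host"], int(row["port"])
        if not row["ticket"]:
            findings.append((host, port, "no change ticket"))
        if port in BORDER_BLOCKED:
            findings.append((host, port, f"{BORDER_BLOCKED[port]} is blocked at border"))
        if not row["last_scan"]:
            findings.append((host, port, "never scanned"))
        elif (today - date.fromisoformat(row["last_scan"])).days > SCAN_MAX_AGE_DAYS:
            findings.append((host, port, "scan older than 6 months"))
    return findings


if __name__ == "__main__":
    for host, port, finding in audit(REGISTER, date(2006, 11, 1)):
        print(f"{host}:{port}  {finding}")
```

Run against the sample register on 2006-11-01, the 443/tcp exception passes and the other three rows produce four findings between them.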