Educause Security Discussion mailing list archives
Firewall Exceptions
From: Kim Cary <Kim.Cary () PEPPERDINE EDU>
Date: Fri, 16 Mar 2007 08:43:41 -0700
On Wed, 2007-03-14 at 16:33 -0500, Greg T. Grimes wrote:

> 1. Who manages your firewalls? Central IT, Department IT?

Central.

> 2. Do you require approval for an exception in a firewall for a network?

Exceptions are not allowed, but there is a mechanism for departmental servers.

> a. If so, who approves?

Information Security.

> b. What is the approval process?

Person wanting exception submits a request via email. They are redirected to server engineering and web services to use central resources. If that solution doesn't fit, they may sign an agreement to place the system in an "Internet Server Zone" subnet near their user net. These subnets are outside our normal 'default deny inbound' in a 'deny known bad' subnet.

Our poster child for departmental servers is a system run on a grant which collects radio data from a buoy in the ocean that is picked up from the system by researchers at another institution. Why isn't this server in the datacenter? 1) the grant can't pay the monthly charge and 2) the datacenter can't accommodate the antenna.

Our poster child for the redirected exception request is the faculty website; everyone who has had their own system, proudly, for years, has migrated to the central server because the liability to them on being hacked hasn't seemed worth the 'vanity' domain name.

> c. Do you use a form?

Paper form for signatures; data entered into a database (for future connection to automated Nessus scanner). PI/Administrator and Tech Contact sign, agreeing to the following for their system in the "Internet Server Zone":

1) maintain host fw,
2) maintain o/s & app patches,
3) system must withstand all vulnerability scans without complaint, and
4) if anything looks fishy, InfoSec may block first and notify later.

> 3. What exceptions do you allow or disallow?

Exceptions have a security impact beyond the 'allowed port may be attacked' angle. They tend to become 'immortal children' that live on beyond the uses or persons that generated them. As such, they add to complexity indefinitely, and the maintenance/generation of exceptions distracts from and displaces security analysis. This is why we don't make exceptions for individual machines, but rather place the machine in an exception Zone and make the exception generators accountable.