Educause Security Discussion mailing list archives
Re: Stateful Perimeter Firewall
From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Tue, 13 Oct 2009 09:18:38 -0400
Dean Halter wrote:
We are considering setting up our firewalls in a stateful, default deny manner. Our folks would be able to communicate out normally, but folks on the outside would only be able to access resources for which there were explicit exceptions. Anyone else doing this that might give us pointers on what we need to do in advance and what to watch for? Is it problematic for certain types of software – p2p, grid, etc.? Is this, as some of our folks say, too corporate?
This is exactly how we have things set up, and it hasn't been a problem.

Two comments: I would advise that you have a procedure beforehand for requesting firewall holes -- and make sure that you keep track of who requests them and expire them periodically. We check every six months to make sure that holes are still required.

Also, you might want to log firewall traffic for a while before setting up the default deny, just to get an idea of what systems are being accessed often from the outside. That will give you a good starting point for your initial ruleset.

--Matt

--
Matt Gracie (716) 888-8378
Information Security Administrator graciem () canisius edu
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
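The two practices in the reply above, sketched as an added example that is not part of the original post: summarize logged inbound connections into candidate exceptions, then compare them with a register of approved holes and flag entries past the six-month check. The abbreviated iptables-LOG-style lines, the interface name `eth0`, the register layout and the use of 182 days for "six months" are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed, abbreviated sample in iptables LOG style (assumed format; adapt the regex to your firewall).
SAMPLE_LOG = """\
Oct  1 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 RES=0x00 SYN URGP=0
Oct  1 10:00:05 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40222 DPT=443 RES=0x00 SYN URGP=0
Oct  1 10:00:09 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP SPT=40300 DPT=25 RES=0x00 SYN URGP=0
Oct  1 10:00:12 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.80 DST=192.0.2.55 PROTO=TCP SPT=80 DPT=49152 RES=0x00 ACK SYN URGP=0
Oct  1 10:00:20 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.55 DST=198.51.100.80 PROTO=TCP SPT=49153 DPT=80 RES=0x00 SYN URGP=0
"""

LINE = re.compile(r"IN=(\S*) .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)(.*)")

def inbound_services(log_text, outside_if="eth0"):
    """Map (dst, proto, port) -> set of outside sources that opened new connections to it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(1) != outside_if:
            continue  # unparsable, or not arriving on the outside interface
        _, src, dst, proto, dport, rest = m.groups()
        flags = rest.split()
        # Replies to outbound sessions also arrive on the outside interface; for TCP keep
        # only connection openers (SYN without ACK). Other protocols are kept as logged.
        if proto == "TCP" and not ("SYN" in flags and "ACK" not in flags):
            continue
        seen[(dst, proto.lower(), int(dport))].add(src)
    return dict(seen)

# Constructed exception register: who asked for each hole and when it was last confirmed.
EXCEPTIONS = [
    {"rule": ("192.0.2.10", "tcp", 443), "requester": "web team", "confirmed": date(2009, 9, 1)},
    {"rule": ("192.0.2.77", "tcp", 22), "requester": "research lab", "confirmed": date(2009, 2, 1)},
]

def review(exceptions, services, today, interval=timedelta(days=182)):
    """Return (holes overdue for re-confirmation, logged services with no hole on file)."""
    overdue = [e for e in exceptions if today - e["confirmed"] > interval]
    on_file = {e["rule"] for e in exceptions}
    unlisted = sorted(k for k in services if k not in on_file)
    return overdue, unlisted
```

The number of distinct sources per service helps separate a resource many outside users rely on from a single host probing a port.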