Educause Security Discussion mailing list archives

Re: Stateful Perimeter Firewall


From: "Parker, Ron" <Ron.Parker () BRAZOSPORT EDU>
Date: Tue, 13 Oct 2009 08:40:15 -0500

You'll find that there are differences of opinion on this ranging from
heavy-duty lockdown to no perimeter firewall at all with good arguments
across the spectrum. We went from router ACLs to Checkpoint about nine
years ago and I've been very pleased with the control it has given us.
We do employ an outbound policy as well. You'll find that a large amount
of traffic is traversing your network that has no business doing so. I
do guest lectures for some of our classes here and I can ALWAYS find a
real-time example of port scans and other suspicious activities when I
do my demos. Granted that most of the action these days seems to be
social engineering through e-mail phishing attacks but I would not run a
network connected to the internet without a perimeter firewall. 

--
Ron Parker, Director of Information Technology, Brazosport College

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter
Sent: Tuesday, October 13, 2009 8:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Stateful Perimeter Firewall

We are considering setting up our firewalls in a stateful,
default deny manner. Our folks would be able to communicate out
normally, but folks on the outside would only be able to access
resources for which there were explicit exceptions. Anyone else doing
this that might give us pointers on what we need to do in advance and
what to watch for? Is it problematic for certain types of software -
p2p, grid, etc.? Is this, as some of our folks say, too corporate?

Thanks in advance,
Dean Halter
IT Risk Management Officer
University of Dayton

"Security is a process, not a product." Bruce Schneier
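
As an added example (not code from either post), here is one way to express the stateful, default-deny inbound policy Dean describes as an nftables ruleset: outbound-initiated flows are admitted and their replies tracked, unsolicited inbound is dropped unless an explicit exception is listed, and a rate-limited log of the drops is what surfaces the port scans Ron mentions. The interface names, the published addresses and the table name are assumptions I made up for illustration, not anything from the thread.

```shell
#!/bin/sh
# Added example: nftables ruleset for a stateful, default-deny inbound edge.
# Assumed placeholders: eth1 faces campus, eth0 faces the Internet, and the
# only published services sit on constructed 192.0.2.0/24 (documentation
# range) addresses. Nothing here comes from the posters' networks.

ruleset() {
cat <<'EOF'
flush ruleset
table inet campus_edge {
    # The explicit exceptions: hosts outsiders are allowed to reach.
    set published_web  { type ipv4_addr; elements = { 192.0.2.10 } }
    set published_mail { type ipv4_addr; elements = { 192.0.2.25 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to a connection already in the state table pass
        # in either direction; this is what lets campus "communicate out
        # normally" while replies still get back in.
        ct state established,related accept
        ct state invalid drop

        # Anything campus hosts initiate toward the Internet is accepted,
        # which is the moment a new flow enters the state table.
        iifname "eth1" oifname "eth0" ct state new accept

        # Unsolicited inbound: only the listed exceptions, nothing else.
        iifname "eth0" oifname "eth1" ip daddr @published_web  tcp dport { 80, 443 } ct state new accept
        iifname "eth0" oifname "eth1" ip daddr @published_mail tcp dport 25 ct state new accept

        # Everything else from outside falls to the chain's drop policy.
        # A rate-limited log sample of it is where scans become visible;
        # p2p or grid software needing inbound connections shows up here too.
        iifname "eth0" limit rate 10/minute log prefix "edge-drop: "
    }
}
EOF
}

# Syntax-check the ruleset without touching the live firewall (needs nft).
check_ruleset() {
    ruleset | nft -c -f -
}

# Load it for real (needs root and nft); run check_ruleset first.
apply_ruleset() {
    ruleset | nft -f -
}
```

Inbound software that must accept connections from the Internet (the p2p and grid cases in the question) only works once its host and port are added as one more exception in the same place as the web and mail rules.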

