Educause Security Discussion mailing list archives
Re: Stateful Perimeter Firewall
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 13 Oct 2009 11:17:09 -0400
We’ve done this with the exception that outbound ports are closed by default and openings have to be requested. Outbound port 25 is allowed only via a mail gateway, and internal users have to relay their mail off of the mail-gate. All P-to-P traffic is dropped at the perimeter. We do not have res halls, so there has not been much pushback in support of academic freedom. For those with res halls, even if those have to remain open outbound, it would be worthwhile to separate them from the administrative networks. Administrative networks must have a business justification for port openings. We have a lot of business subnets with highly regulated data, and those are managed more like Financial and Healthcare networks. It is important to document why a port opening was created, and routinely reassess the justification and need – as those change over time.

We’re forming a security governance team where people can plead their case to have additional ports open. The team will review the risk associated with having the port open for general use. This gets IT out of the gatekeeper role and redirects network related risk management decisions to the business.

Currently external vendors must come through an SSL VPN, and my roadmap has us moving to Xceedium to manage vendor access. This will allow us to provision vendor access to the box they need, and will disallow access to other devices. It also restricts the vendor from using their box to gain access to other devices on the internal network. http://www.xceedium.com

This is by no means comprehensive – but this is also a very active thread with lots of other good ideas/practices.
Best ‘O luck
Dan

Dan Jones, CGEIT, CISM
IT Security Manager
University of Massachusetts Medical School

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter
Sent: Tuesday, October 13, 2009 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Stateful Perimeter Firewall

We are considering setting up our firewalls in a stateful, default deny manner. Our folks would be able to communicate out normally, but folks on the outside would only be able to access resources for which there were explicit exceptions. Anyone else doing this that might give us pointers on what we need to do in advance and what to watch for? Is it problematic for certain types of software – p2p, grid, etc.? Is this, as some of our folks say, too corporate?

Thanks in advance,
Dean Halter
IT Risk Management Officer
University of Dayton
"Security is a process, not a product." Bruce Schneier
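As an added illustration (not part of either post above), here is the policy Dan describes expressed as an nftables ruleset: stateful default deny in both directions, administrative subnets closed outbound except for documented openings, SMTP only through the mail gateway, residence halls open outbound but on their own segment, and the justification and review date recorded on each rule so it can be reassessed later. Interface names, addresses and the P2P port range are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; interfaces, addresses and ports are assumptions.
flush ruleset

table inet perimeter {
    set p2p_ports {
        type inet_service
        # Port-based matching is only a rough proxy for P2P traffic;
        # treat this set as a starting point, not a complete definition.
        elements = { 6881-6889 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: only replies to sessions we already allowed
        ct state established,related accept
        ct state invalid drop

        # All P2P dropped at the perimeter, regardless of segment
        tcp dport @p2p_ports drop comment "P2P blocked at perimeter"
        udp dport @p2p_ports drop comment "P2P blocked at perimeter"

        # SMTP: only the mail gateway (10.10.5.25, assumed) talks on 25.
        # Internal hosts must relay through it; everything else is dropped.
        ip saddr 10.10.5.25 tcp dport 25 accept comment "mail-gate out; owner: messaging; review 2010-04"
        ip daddr 10.10.5.25 tcp dport 25 accept comment "inbound mail to mail-gate only"
        tcp dport 25 drop comment "relay via mail-gate"

        # Residence halls: outbound stays open, but on a separate segment
        iifname "reshall" oifname "outside" accept comment "res halls open outbound"

        # Administrative networks: closed outbound by default; each opening
        # carries its business justification and a reassessment date.
        iifname "admin" oifname "outside" tcp dport { 80, 443 } accept comment "web; justification: vendor portals; review 2010-04"
        iifname "admin" oifname "outside" tcp dport 22 ip daddr 203.0.113.10 accept comment "SFTP to payroll processor; ticket PLACEHOLDER; review 2010-01"

        # Inbound from outside: explicit exceptions only
        iifname "outside" ip daddr 10.10.5.44 tcp dport 443 accept comment "SSL VPN for external vendors"

        # Everything else falls to policy drop; count and log it for review
        log prefix "perimeter-drop " counter
    }
}
```

Load with `nft -f` and review the rule comments and drop log periodically; a rule whose review date has passed is the signal that its justification needs to be reassessed.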