Educause Security Discussion mailing list archives
Re: Stateful Perimeter Firewall
From: Bruce Curtis <bruce.curtis () NDSU EDU>
Date: Tue, 13 Oct 2009 13:14:45 -0500
On Oct 13, 2009, at 8:10 AM, Dean Halter wrote:
We are considering setting up our firewalls in a stateful, default deny manner. Our folks would be able to communicate out normally, but folks on the outside would only be able to access resources for which there were explicit exceptions. Anyone else doing this that might give us pointers on what we need to do in advance and what to watch for? Is it problematic for certain types of software – p2p, grid, etc.? Is this, as some of our folks say, too corporate?
Firewalls are notorious for breaking H.323 video and probably SIP video also.
I think any change in policy would be a good time to review if your hardware can implement your policy for things like IPv6 and multicast etc.
This article points out that spending dollars on stateful firewalls might not be the best investment of your security dollars. While the vendor sponsoring the article would say that their firewall is the way to go I personally think the dollars would be better spent installing Host Based Intrusion Prevention Systems, many of which can prevent buffer overflows and therefore many zero day attacks.
http://newsroom.mcafee.com/article_print.cfm?article_id=3538

It only takes one machine behind your perimeter firewall to be compromised and then be able to scan all of the computers "behind" your perimeter firewall. It only takes one person to make one wrong click to have a computer compromised, and the firewall does nothing to prevent that compromise, while a Host Based Intrusion Prevention System might be able to prevent that compromise. In our environment a large percentage of the computers on our network, perhaps even a majority, leave campus every night and go somewhere beyond the "protection" of a perimeter firewall, and then they come back the next day.
The Jericho forum has some good information.

http://www.opengroup.org/jericho/
http://www.opengroup.org/jericho/RSA_BusCase_April2008.ppt
http://www.opengroup.org/jericho/presentations.htm
http://www.opengroup.org/jericho/Respondingtodp_implementation_SCWC_0812.pdf

---
Bruce Curtis bruce.curtis () ndsu edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
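The policy Dean describes (inside hosts may talk out freely, outside hosts reach only explicit exceptions, replies to inside-initiated flows are allowed by connection state) and the H.323 failure mode Bruce raises can both be seen in a small model. The following is an added example written for this archive page; it is not code from either poster or from any firewall product. It is a toy stateful filter, not a real ruleset: the address ranges are constructed from documentation prefixes, the class and method names are the author's own, and `expect()` stands in for what an application-layer gateway (ALG) does when it reads a negotiated media port out of the signalling channel. The example also covers IPv6, to show that the policy only applies to v6 traffic if the "inside" definition includes the v6 prefix, which is the hardware/policy review Bruce recommends.

```python
"""Toy stateful, default-deny perimeter filter (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _key(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(p: Packet):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFirewall:
    """Default deny from outside; allow inside-initiated flows and their replies."""

    def __init__(self, inside_nets, inbound_exceptions=()):
        # "inside" is whatever prefixes the perimeter protects; v4 and v6 both listed
        self.inside = [ip_network(n) for n in inside_nets]
        # explicit inbound exceptions as (dst_ip, proto, dport)
        self.exceptions = set(inbound_exceptions)
        self.flows = set()      # established flows, stored in both directions
        self.expected = set()   # one-shot "related" expectations an ALG would add
        self.log = []

    def is_inside(self, ip: str) -> bool:
        a = ip_address(ip)
        return any(a in n for n in self.inside)   # v4-in-v6 compares False

    def expect(self, pkt: Packet):
        """Pre-authorise one inbound flow, as an H.323/SIP ALG does after parsing
        the media port negotiated inside the signalling connection."""
        self.expected.add(_key(pkt))

    def _admit(self, pkt, reason):
        self.flows.add(_key(pkt))
        self.flows.add(_reverse(pkt))
        self.log.append(("accept", reason, pkt))
        return "accept"

    def _drop(self, pkt, reason):
        self.log.append(("drop", reason, pkt))
        return "drop"

    def filter(self, pkt: Packet) -> str:
        if _key(pkt) in self.flows:                     # reply or continuation
            return self._admit(pkt, "established")
        if _key(pkt) in self.expected:                  # ALG-expected media flow
            self.expected.discard(_key(pkt))
            return self._admit(pkt, "related")
        src_in, dst_in = self.is_inside(pkt.src), self.is_inside(pkt.dst)
        if src_in and not dst_in:                       # inside may initiate freely
            return self._admit(pkt, "new-outbound")
        if not src_in and dst_in:                       # outside needs an exception
            if (pkt.dst, pkt.proto, pkt.dport) in self.exceptions:
                return self._admit(pkt, "inbound-exception")
            return self._drop(pkt, "default-deny")
        return self._drop(pkt, "not-transit")           # not perimeter traffic


def demo() -> dict:
    """Run the scenarios from the thread and return verdicts keyed by name."""
    fw = StatefulFirewall(["10.0.0.0/8", "2001:db8:1::/48"],
                          inbound_exceptions={("10.5.5.5", "tcp", 443)})
    r = {}
    r["web_out"] = fw.filter(Packet("10.1.2.3", 40000, "203.0.113.10", 443))
    r["web_reply"] = fw.filter(Packet("203.0.113.10", 443, "10.1.2.3", 40000))
    r["ssh_in_unsolicited"] = fw.filter(Packet("198.51.100.7", 51000, "10.1.2.3", 22))
    r["https_in_exception"] = fw.filter(Packet("198.51.100.7", 51001, "10.5.5.5", 443))
    # H.323: call signalling leaves on TCP 1720, but the far end then sends RTP to
    # a UDP port agreed inside that channel; without an ALG there is no state for it.
    fw.filter(Packet("10.1.2.3", 45000, "203.0.113.20", 1720))
    media = Packet("203.0.113.20", 5004, "10.1.2.3", 5004, "udp")
    r["h323_media_no_alg"] = fw.filter(media)
    fw.expect(media)                      # what an ALG would have done automatically
    r["h323_media_with_alg"] = fw.filter(media)
    # IPv6 unsolicited inbound is denied only because the v6 prefix is "inside"
    r["v6_in_unsolicited"] = fw.filter(Packet("2001:db8:2::1", 5555, "2001:db8:1::10", 80))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The two H.323 results are the point: media for a perfectly legitimate, inside-initiated call is dropped by a plain stateful filter, and only an ALG (or a static exception for the media port range, which is far wider than most sites want) makes it pass. The same reasoning applies to SIP, and the `v6_in_unsolicited` case is worth re-running against any real firewall after a policy change, since a box that enforces the policy for IPv4 but not IPv6 is a common gap.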