Educause Security Discussion mailing list archives

Re: Closed Network Implementation?


From: Mike Iglesias <iglesias () UCI EDU>
Date: Fri, 8 Mar 2013 09:28:09 -0800

On 03/07/2013 08:19 AM, Thorpe, Glenn wrote:
Hello,
  I work on the Information Security Team at the University of North Texas
System.  We are currently moving towards a default deny (closed network)
design, and I am reaching out to other institutions to see if they have gone
through this process and any roadblocks or lessons learned that could be shared
with us.  I'd appreciate any input you may have or anyone you could point me
to that may be able to discuss this further.

We did this several years ago.  We set up a web page that faculty and staff
could use to register systems that needed access from off-campus and what
ports needed to be opened (they can also open all ports).  We also made lists
of systems that had been accessed from off-campus and gave it to the school
computing staff so they could contact the faculty/staff that were responsible
for the systems, make sure they really needed the access, and make sure they
were registered before the cut-over date.  We did the cut-over in phases,
doing part of our address space in each phase (we have four /16 networks).  This
lessened the issues we had to deal with.

Registration changes are made to the border firewall at set times during the
day (currently 3 times a day, morning, early afternoon, and evening) if
anything has changed since the last update.


-- 
Mike Iglesias                          Email:       iglesias () uci edu
University of California, Irvine       phone:       949-824-6926
Office of Information Technology       FAX:         949-824-2270
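
The registration-driven default-deny process Mike describes, as an added illustration that is not code from UCI or from anyone in this thread: a constructed set of registrations and a first-phase /16 are assumed, rule strings use a simplified firewall-neutral syntax, and a digest comparison stands in for "only push to the border firewall if anything changed since the last update".

```python
import hashlib
import ipaddress

# Constructed sample data; not UCI's real address space or registrations.
CUTOVER_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # only the first phase so far
REGISTRATIONS = [
    {"host": "10.1.4.20", "ports": [22, 443]},   # registered with specific ports
    {"host": "10.1.9.7", "ports": "all"},        # owner chose "open all ports"
    {"host": "10.2.0.5", "ports": [3389]},       # later phase: not enforced yet
    {"host": "10.1.4.21", "ports": [99999]},     # invalid port: rejected
]

def in_cutover(host, nets):
    """True if the host lies in address space that has already been cut over."""
    ip = ipaddress.ip_address(host)
    return any(ip in n for n in nets)

def build_ruleset(registrations, nets):
    """Return (allow rules, rejected hosts) for the default-deny border policy.
    Hosts outside the cut-over networks are skipped: their space is still open."""
    rules, rejected = [], []
    for reg in registrations:
        host, ports = reg["host"], reg["ports"]
        if not in_cutover(host, nets):
            continue
        if ports == "all":
            rules.append(f"allow from any to {host} port any")
            continue
        if not all(isinstance(p, int) and 0 < p < 65536 for p in ports):
            rejected.append(host)  # bad registration, surface it to the owner
            continue
        for p in sorted(set(ports)):
            rules.append(f"allow from any to {host} port {p}")
    for n in nets:
        rules.append(f"deny from any to {n}")  # default deny closes everything else
    return rules, rejected

def update_needed(rules, last_digest):
    """Scheduled push: return the new digest only if the ruleset changed."""
    digest = hashlib.sha256("\n".join(rules).encode()).hexdigest()
    return None if digest == last_digest else digest
```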

