Educause Security Discussion mailing list archives
Firewall Policy in the Age of NGFW
From: "Hahues, Sven" <shahues () FGCU EDU>
Date: Tue, 2 Jul 2019 12:06:46 +0000
Hi everyone,

I wanted to get a feel for what everyone is doing these days. Before moving to our current PAs we used to write firewall rules specifically for TCP/UDP ports. With moving to the PAs we are now running into some philosophical questions as to how to manage this moving forward. I wanted to collect some feedback on the following:

* Do you use a default deny for your trusted network to the Internet?
* If yes, do you manually add new applications when people call and say an app stopped working after your vendor releases an application signature?
* If no, and you allow anything out, why did you make that choice, and how has this been working for you?
* Have you converted your entire FW rule base to application aware rules, or are you using a mix?
* Are you using the PA feature, where it can automatically allow applications that PA deems low risk?

We are currently running a mixed environment, but find ourselves chasing our tail quite a bit when it comes to them adding new applications. Suddenly apps that previously worked under SSL will no longer work, due to the fact that a new application has been created. This can get a bit tricky because we did not know the app was being used and now we have to make a decision on whether it is okay or not.

Thanks in advance and any feedback is much appreciated.

Sven

Sven Hahues
Florida Gulf Coast University
Tel: (239) 590 1337
E-Mail: shahues () fgcu edu
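The failure mode the post describes (a flow that used to match an "allow ssl" rule is re-identified as a newly released App-ID and falls through to the default deny) can be reasoned about before a content update is installed. The script below is an added example written for this archive page, not code from the original post, from Palo Alto Networks, or from any vendor tool. It models a first-match, application-aware outbound rulebase and reports, for each newly introduced App-ID, what its traffic matched before and after the split. The app catalogue, risk scores, rule names and the two "acme-*" applications are all constructed for illustration; the "allow new apps up to a given risk" option is modelled here as an implicit allow consulted before the explicit catch-all deny, which is an assumption about how to represent such a feature, not a description of any product's behaviour.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class App:
    name: str
    risk: int                     # risk score, 1 (low) .. 5 (high); values below are made up
    parent: Optional[str] = None  # broader App-ID this one was split out of (None for base apps)
    new: bool = False             # True if introduced by the latest content update

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    apps: frozenset               # App-ID names this rule matches, or {"any"}

# Constructed catalogue. "ssl", "web-browsing" and "dns" stand in for broad
# App-IDs; "acme-meetings" and "acme-fileshare" are invented apps that the
# hypothetical content update splits out of "ssl".
CATALOGUE = {
    "web-browsing":   App("web-browsing", risk=4),
    "ssl":            App("ssl", risk=4),
    "dns":            App("dns", risk=3),
    "acme-meetings":  App("acme-meetings", risk=2, parent="ssl", new=True),
    "acme-fileshare": App("acme-fileshare", risk=4, parent="ssl", new=True),
}

# Constructed, ordered rulebase for trusted network -> Internet, ending in an
# explicit default deny (the "default deny for your trusted network" case).
RULEBASE = [
    Rule("allow-web", "allow", frozenset({"web-browsing", "ssl"})),
    Rule("allow-dns", "allow", frozenset({"dns"})),
    Rule("default-deny", "deny", frozenset({"any"})),
]

def first_match(rulebase, app_name):
    """First-match evaluation: the first rule whose app set covers the App-ID wins."""
    for rule in rulebase:
        if "any" in rule.apps or app_name in rule.apps:
            return rule
    raise ValueError("rulebase has no catch-all rule")

def evaluate(rulebase, app_name, catalogue, auto_allow_max_risk=None):
    """
    Return (rule_name, action) for a flow identified as app_name.
    auto_allow_max_risk, if set, models an "allow newly released apps up to this
    risk" option as an implicit allow that applies only when the flow would
    otherwise hit the catch-all deny (an assumption made for this model).
    """
    rule = first_match(rulebase, app_name)
    app = catalogue[app_name]
    if (rule.action == "deny" and "any" in rule.apps
            and auto_allow_max_risk is not None
            and app.new and app.risk <= auto_allow_max_risk):
        return ("implicit-allow-new-low-risk", "allow")
    return (rule.name, rule.action)

def update_impact(rulebase, catalogue, auto_allow_max_risk=None):
    """
    For each App-ID marked new, compare how its traffic was handled before the
    update (when it was still identified as the parent app) with how it is
    handled after. 'breaks' is True when a previously allowed flow is now denied.
    """
    report = []
    for app in catalogue.values():
        if not app.new:
            continue
        before = evaluate(rulebase, app.parent, catalogue) if app.parent else (None, "none")
        after = evaluate(rulebase, app.name, catalogue, auto_allow_max_risk)
        report.append({
            "app": app.name, "risk": app.risk, "was": before, "now": after,
            "breaks": before[1] == "allow" and after[1] == "deny",
        })
    return report

def fix_rule(rulebase, rule_name, extra_apps):
    """Copy of the rulebase with extra App-IDs added to one rule (the manual 'add the app' step)."""
    return [Rule(r.name, r.action, r.apps | frozenset(extra_apps)) if r.name == rule_name else r
            for r in rulebase]

if __name__ == "__main__":
    print("-- strict default deny --")
    for row in update_impact(RULEBASE, CATALOGUE):
        print(row)
    print("-- auto-allow new apps with risk <= 2 --")
    for row in update_impact(RULEBASE, CATALOGUE, auto_allow_max_risk=2):
        print(row)
    print("-- after adding acme-meetings to allow-web --")
    for row in update_impact(fix_rule(RULEBASE, "allow-web", ["acme-meetings"]), CATALOGUE):
        print(row)
```

Run stand-alone, the first report shows both invented apps breaking (allowed as "ssl" before, hitting default-deny after); the second shows the low-risk one passing through the modelled auto-allow while the risk-4 one still breaks; the third shows the manual fix for one app leaving the other to be decided. The same structure can be fed from a real rule export and a list of the App-IDs in a pending content update to get a "what will break" list before the update is applied, rather than after the help-desk calls arrive.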
Current thread:
- Firewall Policy in the Age of NGFW Hahues, Sven (Jul 02)
- Re: Firewall Policy in the Age of NGFW King, Ronald A. (Jul 02)