Educause Security Discussion mailing list archives
Re: Appropriate University/Internet blocks
From: Eli Dart <dart () NERSC GOV>
Date: Wed, 16 Jun 2004 10:25:20 -0700
In reply to Willis Marti <wmarti () TAMU EDU> :
This is a hackneyed old question, but one we are still struggling with: What is the appropriate level of filtering or port blocking at a University/Internet border?

First, I think you want a firewall (we use a stateless packet filter) at the border and not use routers. By default, we block all inbound TCP connections and only "dangerous" UDP ports. Users wishing to offer a service request openings on a per-port basis and must pass a network vulnerability scan. Residence hall occupants are only allowed http. We currently allow telnet, ftp servers on the rest of campus, but are starting to phase those (and any others w/ plaintext passwords) out as allowable. We block outbound only on a temporary basis, to combat problems. Except we do block 135 both ways.
I would be _very_ careful about recommending a firewall over router filters without more detailed information on the site's config. We deal constantly with issues surrounding high performance networking through firewalls, and to be honest it doesn't exist in our experience. Yes, you can buy a PIX with GigE interfaces, but you can't do high performance networking through it.

If a site is considering using a firewall over router filters, I would ask the following questions:

- What do you need that a firewall provides that router filters don't?
- Obviously, if your border router is processing ACLs in CPU, this is a potentially crippling performance issue -- compare the cost of a new border router and the firewall you're thinking of buying.
- Do you now, or are you ever likely to, want to do high performance networking over this connection? (This will differentiate commodity and I2 connections for most .edu sites, for example.)
- Most firewalls are designed to be run "mostly closed." If you're thinking about running it "mostly open" and having it track session state, it will very likely roll over and die as it blows out its state table (we have seen this happen).

We have a Juniper border router, and one of the deciding factors in its purchase was its access list processing capabilities. We have seen too many problems with firewalls to trust them with a network that requires performance or special services (IP multicast, anyone?). We have several firewalls in place where they are appropriate for the task at hand, but they don't get to touch the high performance traffic.

--eli
--
Cheers,
Willis Marti
Associate Director for Networking
Computing & Information Services
Texas A&M University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
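As an added illustration of the trade-off discussed above (this is constructed example code, not anything from either poster or from Texas A&M's or NERSC's actual configuration): a small Python model of a stateless border packet filter of the kind Willis describes, beside a "mostly open" stateful filter with a bounded flow table, showing how every permitted new flow costs the stateful device a table entry while the stateless filter's per-packet cost stays flat. All addresses, ports and the table size are made-up sample values.

```python
from collections import OrderedDict, namedtuple

Pkt = namedtuple("Pkt", "proto src dst sport dport direction syn")  # direction: "in" or "out"

# Constructed policy mirroring the thread: default-deny inbound TCP connections,
# block "dangerous" UDP ports inbound, block 135 both ways, and per-host openings
# for hosts that passed a vulnerability scan. Ports/addresses are sample values.
DANGEROUS_UDP = {137, 138, 1434}
BLOCKED_BOTH_WAYS = {135}
OPENINGS = {("10.0.1.5", 80), ("10.0.1.5", 443)}

def stateless_verdict(p):
    """Per-packet decision with no memory: cost is flat however many flows exist."""
    if p.sport in BLOCKED_BOTH_WAYS or p.dport in BLOCKED_BOTH_WAYS:
        return "deny"
    if p.direction == "out":
        return "allow"
    if p.proto == "udp":
        return "deny" if p.dport in DANGEROUS_UDP else "allow"
    # Inbound TCP: a connection attempt (SYN) must match an approved opening;
    # anything else is treated as a reply to a campus-initiated connection.
    if p.syn:
        return "allow" if (p.dst, p.dport) in OPENINGS else "deny"
    return "allow"

class StatefulFilter:
    """Mostly-open stateful filter: every permitted new flow costs a table entry."""
    def __init__(self, max_flows):
        self.max_flows, self.flows, self.dropped = max_flows, OrderedDict(), 0

    def verdict(self, p):
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        rev = (p.proto, p.dst, p.src, p.dport, p.sport)
        if key in self.flows or rev in self.flows:
            return "allow"                     # known flow, no new state needed
        if stateless_verdict(p) == "deny":
            return "deny"
        if len(self.flows) >= self.max_flows:
            self.dropped += 1                  # table full: legitimate new flows die here
            return "deny"
        self.flows[key] = True
        return "allow"

def run_outbound_burst(n_flows, max_flows):
    """Push n_flows distinct outbound connections through both filters.
    Returns (stateless_allowed, stateful_allowed, stateful_dropped)."""
    sf = StatefulFilter(max_flows)
    pkts = [Pkt("tcp", f"10.0.2.{i % 250 + 1}", "203.0.113.10", 10000 + i, 443, "out", True)
            for i in range(n_flows)]
    stateless_ok = sum(stateless_verdict(p) == "allow" for p in pkts)
    stateful_ok = sum(sf.verdict(p) == "allow" for p in pkts)
    return stateless_ok, stateful_ok, sf.dropped

if __name__ == "__main__":
    print(run_outbound_burst(1500, max_flows=1000))  # (1500, 1000, 500)
```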