Educause Security Discussion mailing list archives

Re: Appropriate University/Internet blocks


From: Eli Dart <dart () NERSC GOV>
Date: Wed, 16 Jun 2004 10:25:20 -0700


In reply to Willis Marti <wmarti () TAMU EDU> :

This is a hackneyed old question, but one we are still struggling with:

What is the appropriate level of filtering or port blocking at a
University/Internet border?

First, I think you want a firewall (we use a stateless packet filter) at
the border and not use routers. By default, we block all inbound TCP
connections and only "dangerous" UDP ports.  Users wishing to offer a service
request openings on a per-port basis and must pass a network vulnerability
scan. Residence hall occupants are only allowed http. We currently allow
telnet and ftp servers on the rest of campus, but are starting to phase those
(and any others w/ plaintext passwords) out as allowable.
We block outbound only on a temporary basis, to combat problems. Except we do
block 135 both ways.

I would be _very_ careful about recommending a firewall over router
filters without more detailed information on the site's config.  We
deal constantly with issues surrounding high performance networking
through firewalls, and to be honest it doesn't exist in our
experience.  Yes, you can buy a PIX with GigE interfaces, but you
can't do high performance networking through it.

If a site is considering using a firewall over router filters, I
would ask the following questions:
- What do you need that a firewall provides that router filters don't?
- Obviously, if your border router is processing acls in CPU, this is a
  potentially crippling performance issue -- compare the cost of a
  new border router and the firewall you're thinking of buying.
- Do you now, or are you ever likely to, want to do high performance
  networking over this connection? (This will differentiate commodity
  and I2 connections for most .edu sites, for example.)
- Most firewalls are designed to be run "mostly closed."  If you're
  thinking about running it "mostly open" and having it track session
  state, it will very likely roll over and die as it blows out its
  state table (we have seen this happen).

We have a Juniper border router, and one of the deciding factors in
its purchase was its access list processing capabilities.  We have
seen too many problems with firewalls to trust them with a network
that requires performance or special services (IP multicast, anyone?).
We have several firewalls in place where they are appropriate for the
task at hand, but they don't get to touch the high performance
traffic.

                --eli


--
Cheers,
 Willis Marti
 Associate Director for Networking
 Computing & Information Services
 Texas A&M University
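To make the two designs the thread argues about concrete, the following simulation was added to this archive page; it is not code from either poster or from any router or firewall vendor. It encodes Willis Marti's policy as a first-match stateless ACL (default-deny inbound TCP, a "dangerous" UDP list, 135 blocked both ways, a per-host opening for an approved service) using the ACK/RST "established" match that router ACLs use instead of state, and puts beside it a stateful filter with a bounded connection table that refuses new flows once the table is full, which is the blowout Eli Dart describes for a "mostly open" deployment. The host addresses, the UDP ports other than 135 and the table capacity are assumptions invented for the illustration.

```python
"""Stateless border ACL vs. stateful firewall, simulated.

Added example for this thread, not code from either poster or from any
router or firewall vendor. The ACL encodes the policy described in the
quoted message (default-deny inbound TCP, a "dangerous" UDP list, port
135 blocked both ways, per-host openings for approved services); the
host addresses, the UDP ports other than 135, and the state-table
capacity are assumptions made up for the illustration.
"""
from collections import namedtuple, OrderedDict

Packet = namedtuple("Packet", "direction proto src dst sport dport flags")
# A rule field of None is a wildcard; `established` asks for the stateless
# TCP "established" match (ACK or RST set), as router ACLs implement it.
Rule = namedtuple("Rule", "action direction proto dst dport established")

WEB_SERVER = "10.0.5.10"                   # assumed host with an approved opening for 80
DANGEROUS_UDP = (135, 137, 138, 139, 445)  # assumed list; only 135 comes from the thread

BORDER_ACL = [
    Rule("deny",   None,  "tcp", None, 135, False),  # 135 blocked both ways, before all else
    Rule("deny",   None,  "udp", None, 135, False),
    Rule("permit", "out", None,  None, None, False), # outbound open unless blocked temporarily
    Rule("permit", "in",  "tcp", None, None, True),  # replies to campus-initiated TCP, stateless
    Rule("permit", "in",  "tcp", WEB_SERVER, 80, False),  # per-host opening after a vuln scan
    Rule("deny",   "in",  "tcp", None, None, False), # default-deny inbound TCP
] + [Rule("deny", "in", "udp", None, p, False) for p in DANGEROUS_UDP] + [
    Rule("permit", "in",  "udp", None, None, False), # other UDP passes statelessly
]


def tcp_established(pkt):
    """Router-style 'established': ACK or RST present, no state kept."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def acl_decide(rules, pkt, default="deny"):
    """First matching rule wins, as on a router ACL; no per-flow state."""
    for r in rules:
        if r.direction is not None and r.direction != pkt.direction:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dst is not None and r.dst != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and not tcp_established(pkt):
            continue
        return r.action
    return default


class StatefulFirewall:
    """Mostly-open stateful filter: inbound passes only for a tracked flow.

    The table is bounded; once it is full, new outbound flows are refused
    instead of tracked, which is the state-table blowout the reply warns of.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.table = OrderedDict()
        self.refused_new_flows = 0

    def process(self, pkt):
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.table:
                if len(self.table) >= self.capacity:
                    self.refused_new_flows += 1
                    return "deny"
                self.table[key] = True
            return "permit"
        # Inbound: look for the reverse of a tracked outbound flow.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.table else "deny"


def bulk_transfer_burst(n_flows, capacity):
    """n distinct campus hosts each open one outbound TLS flow at once.

    Returns (flows refused by the stateful box, flows denied by the ACL).
    """
    fw = StatefulFirewall(capacity)
    acl_denied = 0
    for i in range(n_flows):
        src = "10.0.%d.%d" % ((i // 250) % 256, i % 250 + 1)  # distinct per i
        pkt = Packet("out", "tcp", src, "192.0.2.50",
                     30000 + i % 20000, 443, frozenset({"SYN"}))
        fw.process(pkt)
        if acl_decide(BORDER_ACL, pkt) != "permit":
            acl_denied += 1
    return fw.refused_new_flows, acl_denied


if __name__ == "__main__":
    syn_to_web = Packet("in", "tcp", "198.51.100.7", WEB_SERVER, 40000, 80, frozenset({"SYN"}))
    syn_to_ssh = Packet("in", "tcp", "198.51.100.7", "10.0.5.11", 40000, 22, frozenset({"SYN"}))
    print(acl_decide(BORDER_ACL, syn_to_web), acl_decide(BORDER_ACL, syn_to_ssh))
    print(bulk_transfer_burst(5000, 4096))
```

Two things worth noticing when running it. Rule order carries the policy: the port 135 denies sit first so that even an inbound segment with ACK set to 135 is dropped, whereas moving them below the "established" permit would let it through. And the stateless "established" match is exactly the trade-off being discussed: it costs no memory and scales with the router's ACL engine, but it accepts any inbound TCP segment carrying ACK or RST, so an ACK scan reaches campus hosts; the stateful box closes that gap at the price of a table that a burst of distinct flows can fill, at which point new sessions are refused rather than forwarded.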

**********
Participation and subscription information for this EDUCAUSE Discussion Group
  discussion list can be found at http://www.educause.edu/cg/.
