Re: Appropriate University/Internet blocks

[John Center <john.center () VILLANOVA EDU>]

Hi Tom,

We did something similar here at Villanova as Ariel did at Temple.  We
created a Network Security Policy as the first step.  With the policy,
we did the long march through the various campus IT committees to get
buy-in on the need for an Internet firewall.  Our approach was the same
as Temple's - Deny all inbound except...  We block some outbound
traffic, but largely keep it open.  We tried to anticipate faculty
reaction in constructing the policy & we were successful in getting it
approved with minor changes.

We contacted the various IT coordinators on campus to put together a
list of servers and services that had to have access through the
firewall.  We also monitored the Internet traffic for hosts/ports that
we might have missed.  (It helped that we were testing traffic shapers
earlier.)  When we cutover, we had very few calls.  For awhile however,
every problem people experienced on the network was caused by the
firewall.  Over time, the finger pointing died out.

Now, people know to call the help desk if they need a change to the
firewall.  Most requests are for temporary changes.  We process requests
quickly, questioning the appropriateness of some requests.  Our deny all
stance makes managing the firewall relatively straightforward.

HTH

       -John


John Center
Villanova University



Ariel Silverstone wrote:
> Tom,
>
> At Temple, we approached it very gingerly.  Generally, the following are the
> steps we took:
>
> 1) thought hard about what it is we are really trying to do
> 2) created an application that enabled us to perform step 4 below
> 3) created a "security council" combined of representatives from every
> school and administrative department and solicited their input
> 4) asked the members to use the application to register every server,
> guaranteeing that no server which is registered be effected by a new
> firewall or firewall rule
> 5) created the new rule set
> 6) informed the community that as of a specific date, our rule set - which
> is now set to "Deny All except" rather then "permit all except" will be
> active
> 7) prepared the help desk for influx of calls
> 8) turned on the rule set
> 9) watched as less then 30 calls (out of 55,000 users) came in about this
> issue.
>
>
> Thank you,
>
> Ariel Silverstone, CISSP
> Chief Information Security Officer
> Temple University
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tom Conley
> Sent: Wednesday, June 16, 2004 10:21 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Appropriate University/Internet blocks
>
> This is a hackneyed old question, but one we are still struggling with:
>
> What is the appropriate level of filtering or port blocking at A
> University/Internet border?
>
> Specifically, what ports or packets are y'all (other universities) currently
> blocking?  Do you have router configurations that you can share?
> Do you use an IP blacklist?  Are the "blacklist" and "ports list" permanent
> or do the blocks "time out" automatically?  How do you manage all this?
>
> It seems [obvious] that the recommendations made for other industries are
> not generally accepted at universities.  But what is acceptable?
>
> Any feedback is appreciated.  Feel free to contact me off-list if you
> prefer.
>
> Thanks.
>
> Tom
>
> Tom Conley, CISSP
> Network Security
> Ohio University
> 740.593.2264
> conleyt () ohio edu
> security () ohio edu
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.