Educause Security Discussion mailing list archives

Re: Personal firewall Policies - Tangent to Default Deny


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Thu, 3 Feb 2005 15:16:40 -0600

James H Moore wrote:

> Sometimes other things limit my participation in this list. Has there been
> discussion, war stories, or documentation on recommended settings for
> personal firewalls?

Generally I'm a bigger fan of hardware dedicated to firewalling (which
is not the same as a hardware firewall), but also like some of the
*BSD-based stuff (PF, in particular, rocks).  Since my personal needs
are somewhat--well, more demanding--than the typical end-user, my
personal stuff tends to be highly customized and extremely uncommon
outside of techie circles.  More importantly, it tends to *NOT* be stuff
like commodity, off-the-shelf stuff you'd find at Compusa, Best Buy,
etc.  However, in another life I looked at the PIX501 (product details
at
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html).
While its configuration software (PDM) wasn't entirely offensive, I
thought it was a suitable device for protecting a single device or VERY
small network.  It's been a while since I looked at it, but I think its
default settings were something like:

   * allow all inside to outside

   * do NAT on outbound traffic

   * obtain DHCP lease on outside interface

   * run DHCP server on inside interface for internal clients


While I realize that these features are available with cheaper "personal
firewall" products, the PIX501 had the notable advantage of being
compatible with CriscoWorks, making it easier to maintain a number of
these beasts centrally.  Since the University of Minnesota has a fair
amount of Cisco gear, we're looking at using the PIX501 (or something
like it) to protect specialty devices, e.g., lab equipment controllers
(which frequently run Windoze and whose vendors resist or refuse to
patch).  Several people I've discussed this with have thought it might
be possible to build the cost of such protection into things like grant
proposals and the like... which opens the door to yet another tangent:
Anyone else doing that yet?  If so, what success have you had at
incorporating security requirements earlier in the process?


--
Alan Amesbury
University of Minnesota
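The PIX501-style defaults Alan lists (allow all inside to outside, NAT on outbound traffic, DHCP lease on the outside interface, DHCP server on the inside) mapped onto a dedicated *BSD/PF box with an explicit default-deny stance. This is an added example, not a configuration from the post or from Cisco; the interface names, the 192.168.1.0/24 inside network, and the use of dhclient/dhcpd for the two DHCP roles are assumptions, and the rule syntax is the older nat-on style still used by FreeBSD's pf.

```pf
# Added example (not from the original post). Assumes em0 faces outside and
# is addressed by dhclient, em1 faces inside and is served by dhcpd, and the
# inside network is 192.168.1.0/24. FreeBSD-style pf syntax.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

set skip on lo0

# NAT everything that leaves the outside interface from the inside network.
# The parentheses make pf follow the DHCP-assigned address when it changes.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny: anything not explicitly passed below is dropped and logged,
# so unsolicited traffic from outside never reaches the protected device.
block in  log all
block out log all

# Allow all inside to outside, keeping state so replies come back in.
pass in  on $int_if from $int_net  to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Edge case: a client requesting a lease has no address yet (source 0.0.0.0),
# so it does not match $int_net above and needs its own rule to reach dhcpd.
pass in  on $int_if proto udp from any port 68 to any port 67

# Let the outside interface complete its own DHCP exchange with the upstream
# server; nothing else inbound on the outside interface is permitted.
pass out on $ext_if proto udp from any port 68 to any port 67
pass in  on $ext_if proto udp from any port 67 to any port 68
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the resulting rule set and `tcpdump -n -e -ttt -i pflog0` shows what the two block rules are dropping.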
