Educause Security Discussion mailing list archives

Re: Firewall - Egress Policy


From: Jack Suess <jack () UMBC EDU>
Date: Mon, 4 Sep 2006 19:59:17 -0400

What we did for game ports (and SMTP beyond our campus) in resnet is set up
a separate VPN concentrator for resnet students that bypassed the firewall
rules. Essentially this provided them a tunnel through resnet and the campus
network security that they can use for games. We tell students if we find
them with security violations we will disable their use of the VPN. We use
our IDS to monitor the traffic for security violations and have a session
timeout of 8 or 9 hours so they can't stay logged in for the semester.

In general it allowed us to provide a way out for those that really wanted
to use it. In addition, it was more standard and less work than trying to
figure out what the games required open (which I agree is ridiculous). We
didn't actively promote this and basically used it to respond to kids
complaining that they spent $$ on a game subscription or needed to
communicate with an outside SMTP server for work.



jack




On 9/4/06 4:09 PM, "Cal Frye" <cjf () CALFRYE COM> wrote:

Chris Golden ventured to comment, at 9/4/06 11:10 AM:
I am struggling keeping up with outbound firewall rules pertaining to
games and other gaming apps (i.e. Ventrilo, TeamSpeak, PS2, Xbox Live).
We have a policy allowing approved gaming ports to be opened after 5pm
M-F and all day on the weekends.  However, as more and more games come
out requiring 4,000+ ports I am starting to think this is pointless.  I
see the need for filtering out certain ports such as SMTP, SNMP, MS RPC,
NetBIOS, SMB/IP, TFTP, IRC (6000-6999) but it would be easier to create
rules for these ports and allow others.

What are some of your thoughts/policies on this?

I'm with Gary, in that we use our Packetshaper to manage some of this stuff.
Specifically with game applications,
1) You'll get no help from most game developers, who consider you the enemy.
It's remarkably difficult to obtain server IP/port information on many of
these games, etc. They in turn don't understand the shift from default-admit
to default-deny firewall administration ;-)
2) You could just shut all these ports off, if your office location is unknown
to your students and your underwear is flameproof.

Trying to help these many applications work across a bandwidth manager or
firewall nearly requires a stateful and deep-inspection approach to be most
effective. Too bad those boxes are more expensive. For the most part, Oberlin
uses firewalls to protect core services from Internet and student users alike,
and our edge firewall only filters out the most egregious junk. I apologize in
advance for what we let them do to others! (we're improving on our
identification of outbound bad traffic, but don't block much by default)

I think the most important thing we can do is lean on the game developers to
improve their transparency and consistency. Ventrilo is currently driving me
nuts, in that each server seems to use a different random port, making it very
difficult to be kind to them. It's true, if all Ventrilo servers worked on a
standard port it would be easier to shut that off, but it would be just as
easy to permit it. Of course, if we all were to become hard-nosed about it,
everything would switch to port 80, I suppose ;-)

Good question; I don't believe I have the right answer for this question yet,
myself.
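The two stances in Chris Golden's question (a time-windowed allow list for approved gaming ports versus a default-allow policy that drops only the named service ports) are easier to compare when written down as a rule set. The following is an added example, not code from the original thread or from either institution: a small Python evaluator that decides constructed sample flows under both stances and renders the default-deny stance as iptables commands using the `time` match. The service port numbers are the standard assignments for the services named in the post; the "approved gaming ports" (3074, 3784, 8767) are assumed, since the thread names games but not ports, and the weekday window is assumed to run from 17:00 to midnight.

```python
"""Egress policy evaluator for the gaming-port question in the thread.
Added example; the gaming ports and the window's closing time are assumptions."""
from datetime import datetime

# Outbound ports the poster says should stay filtered at all times. The numbers
# are the standard assignments for the named services; the IRC range 6000-6999
# is the one quoted in the post.
ALWAYS_DENY = {
    "SMTP": (25, 25),
    "TFTP": (69, 69),
    "MS RPC": (135, 135),
    "NetBIOS": (137, 139),
    "SNMP": (161, 162),
    "SMB": (445, 445),
    "IRC": (6000, 6999),
}

# Assumed "approved gaming ports". The thread names games, not ports; these are
# well-known defaults used here only for illustration.
GAMING_PORTS = {
    3074: "Xbox Live",
    3784: "Ventrilo",
    8767: "TeamSpeak 2",
}

GAMING_OPENS_AT = 17  # "after 5pm M-F"; the window is assumed to run to midnight


def blocked_service(port):
    """Name of the always-filtered service owning `port`, or None."""
    for name, (lo, hi) in ALWAYS_DENY.items():
        if lo <= port <= hi:
            return name
    return None


def gaming_window_open(when):
    """True after 17:00 Monday-Friday and at any hour on Saturday/Sunday."""
    if when.weekday() >= 5:  # Monday is 0, so 5 and 6 are the weekend
        return True
    return when.hour >= GAMING_OPENS_AT


def evaluate(dport, when, mode):
    """Return (verdict, reason) for an outbound flow to `dport` at time `when`.
    "default_deny": only approved gaming ports pass, and only inside the window.
    "default_allow": listed service ports are dropped, everything else passes."""
    svc = blocked_service(dport)
    if svc:
        return "DENY", f"{svc} is filtered outbound at all times"
    if mode == "default_allow":
        return "ALLOW", "not on the filtered-service list"
    if mode != "default_deny":
        raise ValueError(f"unknown mode {mode!r}")
    game = GAMING_PORTS.get(dport)
    if game is None:
        return "DENY", "port not on the approved gaming list"
    if not gaming_window_open(when):
        return "DENY", f"{game} port outside the gaming window"
    return "ALLOW", f"{game} port inside the gaming window"


def iptables_rules(chain="RESNET_OUT"):
    """Render the default-deny stance as iptables commands (strings only, nothing
    is applied). Weekend rules cover the whole day, weekday rules 17:00-23:59."""
    rules = []
    for name, (lo, hi) in ALWAYS_DENY.items():
        ports = str(lo) if lo == hi else f"{lo}:{hi}"
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A {chain} -p {proto} --dport {ports} -j DROP  # {name}")
    for port, game in GAMING_PORTS.items():
        for proto in ("tcp", "udp"):
            base = f"iptables -A {chain} -p {proto} --dport {port} -m time"
            rules.append(f"{base} --weekdays Sat,Sun -j ACCEPT  # {game}")
            rules.append(f"{base} --timestart {GAMING_OPENS_AT:02d}:00 --timestop 23:59 "
                         f"--weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT  # {game}")
    rules.append(f"iptables -A {chain} -j DROP  # default deny")
    return rules


# Constructed sample flows: (label, destination port, timestamp).
# 4 Sep 2006 is a Monday, matching the date of the thread.
SAMPLE_FLOWS = [
    ("xbox_mon_evening", 3074, datetime(2006, 9, 4, 20, 30)),
    ("xbox_mon_1659", 3074, datetime(2006, 9, 4, 16, 59)),
    ("xbox_mon_1700", 3074, datetime(2006, 9, 4, 17, 0)),
    ("ventrilo_sat_morning", 3784, datetime(2006, 9, 2, 9, 0)),
    ("smtp_sat_morning", 25, datetime(2006, 9, 2, 9, 0)),
    ("irc_mon_evening", 6667, datetime(2006, 9, 4, 20, 30)),
    ("unlisted_game_mon_evening", 27015, datetime(2006, 9, 4, 20, 30)),
]


def run_samples(mode):
    """Map each sample label to its verdict under `mode`."""
    return {label: evaluate(port, when, mode)[0] for label, port, when in SAMPLE_FLOWS}


if __name__ == "__main__":
    for mode in ("default_deny", "default_allow"):
        print(f"== {mode} ==")
        for label, port, when in SAMPLE_FLOWS:
            verdict, reason = evaluate(port, when, mode)
            print(f"{label:28} {port:>5} {when:%a %H:%M}  {verdict:5} {reason}")
    print("\n".join(iptables_rules()))
```

Running the script side by side shows where the stances differ: the unlisted game port (27015) and a Tuesday-morning Xbox Live flow pass under default-allow and are dropped under default-deny, while outbound SMTP and IRC are dropped under both. The generated rule list also makes the maintenance cost visible: every approved game adds four rules, which is the treadmill the original poster is describing.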
