Educause Security Discussion mailing list archives

Re: Firewall - Egress Policy


From: Steve Lovaas <steven.lovaas () COLOSTATE EDU>
Date: Tue, 5 Sep 2006 08:07:42 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We also use PacketShaper to control gaming. Recently we threw up our
hands on keeping track of some of the games - too many ports!

PacketShaper also has a feature through which you can allow individual
flows to reserve a certain amount of network bandwidth, subject to some
arbitrary maximum for a subnet or other division of IPs/users.
Inevitably, we end up oversubscribing in this scenario. It'll be
interesting to see how it plays out. Sure is simpler than playing
whack-a-mole with ports.

Steve Lovaas
Colorado State University

Chris Golden ventured to comment, at 9/4/06 11:10 AM:
> I am struggling keeping up with outbound firewall rules pertaining to
> games and other gaming apps (i.e. Ventrilo, Teamspeak, PS2, Xbox Live).
> We have a policy allowing approved gaming ports to be opened after 5pm
> M-F and all day on the weekends.  However, as more and more games come
> out requiring 4,000+ ports I am starting to think this is pointless.  I
> see the need for filtering out certain ports such as SMTP, SNMP, MS RPC,
> NetBIOS, SMB/IP, TFTP, IRC (6000-6999) but it would be easier to create
> rules for these ports and allow others.
>
> What are some of your thoughts/policies on this?

- --
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE/YSu2E9pSXAHWcsRAjAlAKDOCsWYDLSaulQFSN7SF4rSG3IA+wCfWVwg
vZylbYCdzjWfDLOdaPuMjPk=
=jCNb
-----END PGP SIGNATURE-----
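The two egress models discussed in this thread (Chris's time-windowed allow-list of approved gaming ports, and the proposed deny-list of risky services with everything else permitted) can be modelled side by side. The following is an added example, not code from either poster or from PacketShaper: it evaluates an outbound flow under each mode and counts how many individual ports each rulebase has to track. Port numbers for the named services are the IANA assignments, except the IRC range, which is the 6000-6999 quoted in the thread; the "approved gaming" ranges and the flow timestamps are constructed sample values.

```python
"""Egress policy evaluator: deny-list vs. time-windowed allow-list.

Constructed example. Service ports are IANA assignments; the IRC range is
the 6000-6999 figure quoted in the thread. Gaming ranges are placeholders.
Protocol (TCP/UDP) is ignored so that the policy logic stays visible.
"""
from datetime import datetime, time

# Services always blocked outbound, taken from the thread's list.
DENY_PORTS = {
    "SMTP": [(25, 25)],
    "SNMP": [(161, 162)],
    "MS RPC": [(135, 135)],
    "NetBIOS": [(137, 139)],
    "SMB/IP": [(445, 445)],
    "TFTP": [(69, 69)],
    "IRC": [(6000, 6999)],      # range as quoted in the thread
}

# Approved gaming ports: constructed sample ranges, not a real game list.
GAMING_PORTS = [(3074, 3074), (27000, 27050)]

GAMING_OPEN_AFTER = time(17, 0)  # "after 5pm M-F"; weekends open all day


def in_ranges(port, ranges):
    """True if port falls inside any inclusive (lo, hi) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def deny_reason(port):
    """Name of the always-blocked service this port belongs to, or None."""
    for name, ranges in DENY_PORTS.items():
        if in_ranges(port, ranges):
            return name
    return None


def gaming_window_open(when):
    """Weekends are open all day; weekdays open at GAMING_OPEN_AFTER."""
    if when.weekday() >= 5:       # Monday=0 ... Saturday=5, Sunday=6
        return True
    return when.time() >= GAMING_OPEN_AFTER


def evaluate(port, when, mode):
    """Return (verdict, reason) for an outbound flow to `port` at `when`.

    mode "allowlist": only approved gaming ports pass, and only inside
                      the window (Chris's current policy).
    mode "denylist":  listed services are blocked, everything else passes
                      (the alternative he is considering).
    `when` may be a datetime or an ISO-8601 string.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    blocked = deny_reason(port)
    if blocked:
        return "DENY", f"blocked service: {blocked}"
    if mode == "allowlist":
        if not in_ranges(port, GAMING_PORTS):
            return "DENY", "port not on approved gaming list"
        if not gaming_window_open(when):
            return "DENY", "outside gaming window"
        return "ALLOW", "approved gaming port inside window"
    if mode == "denylist":
        return "ALLOW", "not a blocked service"
    raise ValueError(f"unknown mode {mode!r}")


def ports_to_maintain(mode):
    """Count of individual ports the rulebase must track in each mode.

    The allow-list grows with every new game; the deny-list is fixed.
    """
    ranges = [r for rs in DENY_PORTS.values() for r in rs]
    if mode == "allowlist":
        ranges += GAMING_PORTS
    return sum(hi - lo + 1 for lo, hi in ranges)


if __name__ == "__main__":
    # 2006-09-04 was a Monday; 2006-09-02 a Saturday (constructed samples).
    samples = [
        (27015, "2006-09-04T11:10"),   # gaming port, weekday morning
        (27015, "2006-09-04T18:00"),   # gaming port, weekday evening
        (27015, "2006-09-02T11:10"),   # gaming port, Saturday
        (25, "2006-09-02T11:10"),      # SMTP, always blocked
        (6667, "2006-09-02T11:10"),    # inside the quoted IRC range
        (8080, "2006-09-04T18:00"),    # not approved, not blocked
    ]
    for mode in ("allowlist", "denylist"):
        print(f"--- {mode}: {ports_to_maintain(mode)} ports tracked")
        for port, when in samples:
            print(port, when, *evaluate(port, when, mode))
```

The counts make Chris's point concrete: under the allow-list every newly approved game adds its ports to the rulebase, while the deny-list stays the same size no matter how many games appear. The deny-list mode still never lets SMTP, SNMP, RPC, NetBIOS, SMB or TFTP out, regardless of the time of day.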
