Educause Security Discussion mailing list archives

Too Many Exceptions in the Firewall


From: David Buckley <david () CLEMSON EDU>
Date: Wed, 1 Nov 2006 09:24:55 -0500

Hello All,



I would like to solicit the input of this list concerning some recent issues
we are having with incoming faculty. We have recently hired some "high
profile" faculty that was sought out by the administration to help compete
on a national level. The problem that we have is the moment the new faculty
members arrive, they begin screaming because their systems under their desks
are not accessible from outside and we are impeding their research. We have
a perimeter firewall that does not accept any inbound un-initiated requests.
We attempt to offer centralized services for web hosting, database services,
etc. The problem seems to be that the faculty wants to be able to touch the
systems providing the hosting and be able to show off their quad-core Apple
servers pulsing in their office. They also go right to the top (CIO) and
fuss, causing him in turn to ask us to fix it immediately, therefore causing
the firewall exception. Our worry is that this exception will soon be (or
already is) out of hand and faculty will spread the word of these
exceptions. I know that not everyone supports perimeter firewalls but that
has been our best solution for the time being considering
manpower/resources. Some questions I have on this are:



How are you dealing with these issues? Do you have a policy that addresses
this?



Do you have SLAs that address this?



How do you reveal the responsibility for the data to the department?



Has anyone delegated firewall exceptions to the discretion of the
department? Does that work well?



What other protections do you have in place to augment the security for the
exceptions?



Also, if anyone has transitioned from perimeter firewalls to a more layered
approach, please describe your migration steps.



Thanks,

David Buckley, CISSP
Security Consultant
Clemson University

