Educause Security Discussion mailing list archives
Re: Too Many Exceptions in the Firewall
From: "Kellogg, Brian D." <bkellogg () SBU EDU>
Date: Wed, 1 Nov 2006 10:17:04 -0500
Unfortunately you have two things going against you:

1. This looks to be a political problem.
2. You don't have the backing of your management.

Both are hard to overcome. Perimeter firewalls still have their place, but they are not the end all. I would do the following things:

1. If you don't have a written policy that addresses these issues, start one and have management sign off on it. Not sure how much clout that would give you in the future, but at least it's something in writing.
2. Offer other solutions, like VPN, both client and clientless. They cost money, but I believe they would view their research as important and want to protect it.
3. I would not allow firewall management by anyone outside of your department. Just my opinion...
4. I would also segregate the machines that are required to have outside access to their own VLAN and treat them as a DMZ as much as possible using VLAN ACLs. Or better yet, firewall their networks if possible.

My thoughts on this,

Brian

________________________________________
From: David Buckley [mailto:david () CLEMSON EDU]
Sent: Wednesday, November 01, 2006 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Too Many Exceptions in the Firewall

Hello All,

I would like to solicit the input of this list concerning some recent issues we are having with incoming faculty. We have recently hired some "high profile" faculty that was sought out by the administration to help compete on a national level. The problem that we have is the moment the new faculty members arrive, they begin screaming because their systems under their desks are not accessible from outside and we are impeding their research. We have a perimeter firewall that does not accept any inbound un-initiated requests. We attempt to offer centralized services for web hosting, database services, etc.

The problem seems to be that the faculty wants to be able to touch the systems providing the hosting and be able to show off their quad-core Apple servers pulsing in their office. They also go right to the top (CIO) and fuss, causing him in turn to ask us to fix it immediately... therefore causing the firewall exception. Our worry is that this exception will soon be (or already is) out of hand and faculty will spread the word of these exceptions. I know that not everyone supports perimeter firewalls, but that has been our best solution for the time being considering manpower/resources.

Some questions I have on this are:

How are you dealing with these issues?
Do you have a policy that addresses this?
Do you have SLAs that address this?
How do you reveal the responsibility for the data to the department?
Has anyone delegated firewall exceptions to the discretion of the department? Does that work well?
What other protections do you have in place to augment the security for the exceptions?

Also, if anyone has transitioned from perimeter firewalls to a more layered approach, please describe your migration steps.

Thanks,

David Buckley, CISSP
Security Consultant
Clemson University

Thank you,
Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092
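As an added illustration of Brian's point 4 (a research DMZ VLAN) and David's policy questions, and not code from either poster, the Python below vets a proposed firewall exception against a written policy: the host must already sit in the DMZ VLAN, only listed services may be exposed, the exception must carry a future expiry, and the department must have accepted responsibility for the data. The VLAN range, the allowed port list and the sample requests are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed research DMZ VLAN range (assumption, not from the list post).
DMZ_VLAN = ipaddress.ip_network("10.20.30.0/24")
# Services the written policy allows to be exposed from the DMZ (assumption).
ALLOWED_PORTS = {22, 80, 443}


@dataclass
class ExceptionRequest:
    department: str
    host: str            # address of the machine under the faculty desk
    port: int            # service the faculty member wants reachable
    expires: date        # exceptions are time-limited, never permanent
    owner_signed: bool   # department accepted responsibility for the data


def check_exception(req: ExceptionRequest, today: date) -> list:
    """Return the policy violations for one request; an empty list means acceptable."""
    problems = []
    try:
        addr = ipaddress.ip_address(req.host)
    except ValueError:
        return [f"{req.host!r} is not a valid IP address"]
    if addr not in DMZ_VLAN:
        problems.append(f"{addr} is not in the research DMZ VLAN {DMZ_VLAN}; move the host first")
    if req.port not in ALLOWED_PORTS:
        problems.append(f"port {req.port} is not an allowed service {sorted(ALLOWED_PORTS)}")
    if req.expires <= today:
        problems.append("exception has no future expiry date; exceptions must be time-limited")
    if not req.owner_signed:
        problems.append(f"{req.department} has not signed the data-responsibility acknowledgement")
    return problems


def review(requests, today: date) -> dict:
    """Map each requested host to its list of violations, for the change ticket."""
    return {r.host: check_exception(r, today) for r in requests}


# Constructed sample requests: one that follows the policy, one that does not.
SAMPLE = [
    ExceptionRequest("Physics", "10.20.30.15", 443, date(2007, 5, 1), True),
    ExceptionRequest("Chemistry", "192.168.5.7", 3306, date(2006, 10, 1), False),
]

if __name__ == "__main__":
    for host, problems in review(SAMPLE, date(2006, 11, 1)).items():
        print(host, "OK" if not problems else problems)
```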
Current thread:
- Too Many Exceptions in the Firewall David Buckley (Nov 01)
- <Possible follow-ups>
- Re: Too Many Exceptions in the Firewall Graham Toal (Nov 01)
- Re: Too Many Exceptions in the Firewall Kellogg, Brian D. (Nov 01)
- Re: Too Many Exceptions in the Firewall Jenkins, Matthew (Nov 01)
- Re: Too Many Exceptions in the Firewall Peter Wan (Nov 01)
- Re: Too Many Exceptions in the Firewall HALL, NATHANIEL D. (Nov 01)
- Re: Too Many Exceptions in the Firewall Mark Rogowski (Nov 01)
- Re: Too Many Exceptions in the Firewall Gary Flynn (Nov 01)
- Re: Too Many Exceptions in the Firewall Bob Kehr (Nov 01)
- Re: Too Many Exceptions in the Firewall Randy Marchany (Nov 01)
- Re: Too Many Exceptions in the Firewall Russell Fulton (Nov 01)
- Re: Too Many Exceptions in the Firewall Pufahl, Jason (Nov 08)
- Re: Too Many Exceptions in the Firewall Michael Sinatra (Nov 10)