Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall


From: "Kellogg, Brian D." <bkellogg () SBU EDU>
Date: Wed, 1 Nov 2006 10:17:04 -0500

Unfortunately you have two things going against you:

1. This looks to be a political problem.
2. You don't have the backing of your management.

Both are hard to overcome.

Perimeter firewalls still have their place, but they are not the end-all.

I would do the following things:

1. If you don't have a written policy that addresses these issues, start
one and have management sign off on it.  Not sure how much clout that
would give you in the future, but at least it's something in writing.

2. Offer other solutions, like VPN, both client and clientless.  They
cost money, but I believe they would view their research as important
and want to protect it.

3. I would not allow firewall management by anyone outside of your
department.  Just my opinion...

4. I would also segregate the machines that are required to have outside
access to their own VLAN and treat them as a DMZ as much as possible
using VLAN ACLs.  Or better yet firewall their networks if possible.


My thoughts on this,

Brian



________________________________________
From: David Buckley [mailto:david () CLEMSON EDU] 
Sent: Wednesday, November 01, 2006 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Too Many Exceptions in the Firewall

Hello All,

I would like to solicit the input of this list concerning some recent
issues we are having with incoming faculty. We have recently hired some
"high profile" faculty who were sought out by the administration to help
compete on a national level. The problem that we have is the moment the
new faculty members arrive, they begin screaming because their systems
under their desks are not accessible from outside and we are impeding
their research. We have a perimeter firewall that does not accept any
inbound un-initiated requests. We attempt to offer centralized services
for web hosting, database services, etc... The problem seems to be that
the faculty wants to be able to touch the systems providing the hosting
and be able to show off their quad-core Apple servers pulsing in their
office. They also go right to the top (CIO) and fuss, causing him in turn
to ask us to fix it immediately...therefore causing the firewall
exception. Our worry is that this exception will soon be (or already is)
out of hand and faculty will spread the word of these exceptions. I know
that not everyone supports perimeter firewalls, but that has been our
best solution for the time being considering manpower/resources. Some
questions I have on this are:

How are you dealing with these issues? Do you have a policy that
addresses this?

Do you have SLAs that address this?

How do you reveal the responsibility for the data to the department?

Has anyone delegated firewall exceptions to the discretion of the
department? Does that work well?

What other protections do you have in place to augment the security for
the exceptions?

Also, if anyone has transitioned from perimeter firewalls to a more
layered approach, please describe your migration steps.

Thanks,

David Buckley, CISSP
Security Consultant
Clemson University

 
 
Thank you,
 
Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092
 
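One way to implement item 4 of Brian's reply (move the excepted servers to their own VLAN and let the firewall admit only the written exceptions, nothing else inbound), as an added example that is not from either poster: an nftables ruleset generated from a shell script. It assumes eth0 is the outside link, eth0.20 the research DMZ VLAN and eth0.10 the rest of campus; the addresses and ports in the exception set are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are assumptions; the
# addresses and ports in the exception set are constructed placeholders.
OUTSIDE_IF="eth0"
DMZ_IF="eth0.20"      # research DMZ VLAN holding the excepted faculty servers
CAMPUS_IF="eth0.10"   # everything else on campus

# Print the ruleset so it can be reviewed, diffed and loaded with `nft -f -`.
# Every approved exception is one explicit host/port element; the forward
# chain drops everything else, so the outside never reaches campus directly.
dmz_ruleset() {
cat <<EOF
table inet campus_edge {
    set research_exceptions {
        type ipv4_addr . inet_service
        elements = {
            192.0.2.10 . 443,
            192.0.2.11 . 22
        }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Outside may open connections only to listed DMZ host/port pairs.
        iifname "$OUTSIDE_IF" oifname "$DMZ_IF" ip daddr . tcp dport @research_exceptions accept
        # DMZ servers may reach the internet but may not initiate into campus.
        iifname "$DMZ_IF" oifname "$OUTSIDE_IF" accept
        iifname "$DMZ_IF" oifname "$CAMPUS_IF" drop
        # Campus may initiate to the DMZ and to the outside.
        iifname "$CAMPUS_IF" accept
    }
}
EOF
}

# Number of exception entries: a quick metric for "is the list out of hand".
exception_count() {
    dmz_ruleset | grep -c '^ *[0-9][0-9.]* \. [0-9][0-9]*'
}

# Syntax-check the ruleset without loading it, when nft is installed.
check_syntax() {
    command -v nft >/dev/null 2>&1 || return 0
    dmz_ruleset | nft -c -f -
}
```

Each new exception becomes one more element in the set, so the count reported by exception_count is the number that has to be justified under the written policy.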