Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall


From: Peter Wan <peter.n.wan () GMAIL COM>
Date: Wed, 1 Nov 2006 11:25:06 -0500

On 11/1/06, David Buckley <david () clemson edu> wrote:
> Hello All,
>
> I would like to solicit the input of this list concerning some recent issues
> we are having with incoming faculty. We have recently hired some "high
> profile" faculty who were sought out by the administration to help compete
> on a national level. The problem that we have is the moment the new faculty
> members arrive, they begin screaming because their systems under their desks
> are not accessible from outside and we are impeding their research. We have
> a perimeter firewall that does not accept any inbound un-initiated requests.
> We attempt to offer centralized services for web hosting, database services,
> etc… The problem seems to be that the faculty wants to be able to touch the
> systems providing the hosting and be able to show off their quad-core Apple
> servers pulsing in their office. They also go right to the top (CIO) and
> fuss, causing him in turn to ask us to fix it immediately…therefore causing
> the firewall exception. Our worry is that this exception will soon be (or
> already is) out of hand and faculty will spread the word of these
> exceptions. I know that not everyone supports perimeter firewalls but that
> has been our best solution for the time being considering
> manpower/resources. Some questions I have on this are:

Hello David, I am the Firewall Services Manager at Georgia Institute of
Technology.  We use a few ACLs on our border gateway routers, and then
have Pix firewalls in front of over 130 subnets for the 3.5 class B address
ranges that we own.  The ACLs at the border kill things like file sharing,
TFTP, SNMP, and other services which should not be crossing our border.
The Pix firewalls are virtual instances on Firewall Service Modules that
plug into our router/switch chassis.  These Pix firewalls are configured in
"default deny" mode, similar to the way you have yours configured.

> How are you dealing with these issues? Do you have a policy that addresses
> this?

We have a Change Request Process that a designated representative
(or representatives) from the department/unit can use to generate a
Remedy ticket to make a change request.  I review the request for
compliance with our Computing/Networking Usage/Security Policy.  I also
request further information (Nessus or other vulnerability scan on the
system(s) in question to verify that the requested port doesn't have
exploitable bugs or configuration errors for the service) and if the request
has an acceptable risk, I send the ticket to the firewall team for
implementation (I am the Senior Information Security Engineer in the
security group, and there is a separate network group which has control
of the firewalls and other network devices).

> Do you have SLAs that address this?

Our agreement is that we will handle requests within 72 hours if possible.
Sometimes it is not possible (such as when systems are found to be
not up-to-date on patches, etc.).  Subject to our vulnerability scan, we
open ports that are reasonable for the unit to conduct business; we try
to encourage them to use VPNs or have one SSH server through which
all their unit's traffic can traverse, but sometimes the unit has different
servers for different service classes or internal units so we deal with those
on a case-by-case basis.

> How do you reveal the responsibility for the data to the department?

Not sure what you mean by this.

> Has anyone delegated firewall exceptions to the discretion of the
> department? Does that work well?

We have only a limited number of departments who have been delegated
control of their routers and firewalls; most other departments go through the
change process I described to effect changes in their firewall policies.

> What other protections do you have in place to augment the security for the
> exceptions?

We scan our entire address range twice a year with vulnerability scanners,
and we scan hosts that are the subject of change requests to look for issues
in the ports being requested.

> Also, if anyone has transitioned from perimeter firewalls to a more layered
> approach, please describe your migration steps.

We never had a perimeter firewall, only ACLs on the border router.  Those are
still in place to protect the unfirewalled parts of campus.

Peter Wan
Senior Information Security Engineer
Georgia Institute of Technology
Atlanta, Georgia 30332-0700
peter.wan () oit gatech edu

> Thanks,
>
> David Buckley, CISSP
> Security Consultant
> Clemson University


--
Peter Wan <peter.n.wan () gmail com>
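The review steps Peter describes (a ticketed request from a unit's representative, a vulnerability scan of the host in question, approval only when the requested port carries no exploitable findings and is not something the border ACLs already drop, then handoff to the firewall team) as an added Python example. This is not code from either poster or from Georgia Tech's process; the port numbers assigned to the border-blocked services, the severity threshold, the host addresses, ticket ids and scan findings are all assumed or constructed here.

```python
"""Triage of firewall exception requests against a host vulnerability scan.

Added example modelling the change-request review in the reply above.
All hosts, tickets, findings and port mappings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Services the border ACLs already drop. The reply names the services only;
# the port numbers are an assumption of the usual ones.
BORDER_BLOCKED: Dict[Tuple[str, int], str] = {
    ("udp", 69): "TFTP",
    ("udp", 161): "SNMP",
    ("tcp", 139): "NetBIOS file sharing",
    ("tcp", 445): "SMB file sharing",
}

# Assumed threshold: findings at these severities block the exception
# until the host is patched or reconfigured.
BLOCKING_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    severity: str      # info / low / medium / high / critical
    title: str


@dataclass
class ScanResult:
    host: str
    open_ports: Set[Tuple[str, int]]
    findings: List[Finding] = field(default_factory=list)


@dataclass(frozen=True)
class ChangeRequest:
    ticket: str        # the ticketing-system id (Remedy in the reply)
    host: str
    proto: str
    port: int
    requester: str     # the unit's designated representative


def pix_permit_line(req: ChangeRequest, acl_name: str = "outside_in") -> str:
    """Illustrative PIX/ASA-style access-list line for an approved exception."""
    return f"access-list {acl_name} permit {req.proto.lower()} any host {req.host} eq {req.port}"


def review(req: ChangeRequest, scan: ScanResult) -> dict:
    """Decide whether the requested inbound port may be opened.

    Refuses if the border already drops the service, if the scan is not for
    the requested host, if nothing is listening on the port, or if the scan
    shows a blocking finding on that port. Otherwise the ticket is approved
    and handed to the firewall team with the rule to implement.
    """
    reasons: List[str] = []
    key = (req.proto.lower(), req.port)

    if key in BORDER_BLOCKED:
        reasons.append(f"{BORDER_BLOCKED[key]} is dropped at the border; not eligible for an exception")

    if scan.host != req.host:
        reasons.append(f"scan covers {scan.host}, not the requested host {req.host}")
    else:
        if key not in scan.open_ports:
            reasons.append(f"{key[0]}/{key[1]} is not listening on {req.host}; nothing to expose yet")
        for f in scan.findings:
            if (f.proto.lower(), f.port) == key and f.severity in BLOCKING_SEVERITIES:
                reasons.append(f"{f.severity} finding on {f.proto}/{f.port}: {f.title}")

    approved = not reasons
    return {
        "ticket": req.ticket,
        "approved": approved,
        "reasons": reasons,
        "next_step": "forward to firewall team" if approved else "return to requester for remediation",
        "rule": pix_permit_line(req) if approved else None,
    }


# Constructed scan of one departmental server: SSH is clean, the web
# server has a high-severity finding, and nothing listens on 443.
SAMPLE_SCAN = ScanResult(
    host="192.0.2.10",
    open_ports={("tcp", 22), ("tcp", 80)},
    findings=[
        Finding("tcp", 22, "info", "SSH service banner"),
        Finding("tcp", 80, "high", "Web server version with published remote exploits"),
    ],
)

# Constructed requests from the same unit's representative.
SAMPLE_REQUESTS = [
    ChangeRequest("TKT-0001", "192.0.2.10", "tcp", 22, "unit-rep"),
    ChangeRequest("TKT-0002", "192.0.2.10", "tcp", 80, "unit-rep"),
    ChangeRequest("TKT-0003", "192.0.2.10", "udp", 69, "unit-rep"),
    ChangeRequest("TKT-0004", "192.0.2.10", "tcp", 443, "unit-rep"),
]


def triage_all() -> List[dict]:
    """Review every sample request against the sample scan."""
    return [review(r, SAMPLE_SCAN) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for decision in triage_all():
        print(decision["ticket"], "APPROVED" if decision["approved"] else "DENIED", decision["reasons"] or decision["rule"])
```

Only the SSH request survives review; the web server request is returned for patching, the TFTP request is refused outright because the border already drops it, and the 443 request is refused because nothing is listening there yet. Re-running the scan after remediation and reviewing again is the 72-hour loop the reply describes.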
