Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall


From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Wed, 1 Nov 2006 11:02:19 -0600

We are actually in the process of announcing a new set of networks to
solve a similar problem.  What we have done is create a set of networks
that are located outside of all of our critical firewalls.  One network
is publicly available and the other is not.  They are allowed to manage
the systems and install all of their own software, but they are required
to follow minimum requirements.  For example, they must install approved
anti-virus immediately on all systems, host based IDS on publicly
available systems, and patches must be installed in 7 days for public
systems and 14 days for private systems.  We are also being careful and
emphasizing that no internal resources are available.  If you would like
drawings and examples of the policy we are using let me know.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535 
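As an added illustration (not code from the list post or from OTC), the minimum requirements described above can be expressed as a policy-as-code check: a host inventory is audited for approved anti-virus, host-based IDS on the public segment only, and patch age against the 7-day (public) and 14-day (private) windows. Host names, dates and the inventory format are constructed assumptions.

```python
from datetime import date

# Minimum requirements from the reply above: approved anti-virus on every system,
# host-based IDS on public systems, patches within 7 days (public) / 14 (private).
PATCH_WINDOW_DAYS = {"public": 7, "private": 14}
AUDIT_DATE = date(2006, 11, 1)  # constructed: the day the reply was posted


def check_host(host: dict, today: date) -> list[str]:
    """Return policy findings for one host; an empty list means compliant."""
    name, segment = host["name"], host["segment"]
    if segment not in PATCH_WINDOW_DAYS:
        return [f"{name}: unknown segment {segment!r}"]
    findings = []
    if not host.get("av_approved", False):
        findings.append(f"{name}: approved anti-virus not installed")
    if segment == "public" and not host.get("hids", False):
        findings.append(f"{name}: host-based IDS required on public segment")
    # oldest_missing_patch is the release date of the oldest unapplied patch;
    # None means the host is fully patched.
    oldest = host.get("oldest_missing_patch")
    if oldest is not None:
        age, limit = (today - oldest).days, PATCH_WINDOW_DAYS[segment]
        if age > limit:
            findings.append(f"{name}: patch outstanding {age} days, limit {limit}")
    return findings


def audit(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Run check_host over an inventory; returns findings keyed by host name."""
    return {h["name"]: f for h in inventory if (f := check_host(h, today))}


# Constructed sample inventory; hosts and dates are hypothetical.
SAMPLE_INVENTORY = [
    {"name": "lab-web01", "segment": "public", "av_approved": True, "hids": True,
     "oldest_missing_patch": date(2006, 10, 29)},  # 3 days old: within 7
    {"name": "lab-web02", "segment": "public", "av_approved": True, "hids": False,
     "oldest_missing_patch": date(2006, 10, 20)},  # no HIDS; 12 days > 7
    {"name": "lab-db01", "segment": "private", "av_approved": False, "hids": False,
     "oldest_missing_patch": date(2006, 10, 20)},  # no AV; 12 days within 14
    {"name": "lab-nas01", "segment": "private", "av_approved": True,
     "oldest_missing_patch": None},                # fully patched
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name + ":\n  " + "\n  ".join(findings))
```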

________________________________

From: David Buckley [mailto:david () CLEMSON EDU] 
Sent: Wednesday, November 01, 2006 8:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Too Many Exceptions in the Firewall

Hello All,

I would like to solicit the input of this list concerning some recent
issues we are having with incoming faculty. We have recently hired some
"high profile" faculty who were sought out by the administration to help
compete on a national level. The problem that we have is the moment the
new faculty members arrive, they begin screaming because their systems
under their desks are not accessible from outside and we are impeding
their research. We have a perimeter firewall that does not accept any
inbound un-initiated requests. We attempt to offer centralized services
for web hosting, database services, etc... The problem seems to be that
the faculty wants to be able to touch the systems providing the hosting
and be able to show off their quad-core Apple servers pulsing in their
office. They also go right to the top (CIO) and fuss causing him in turn
to ask us to fix it immediately...therefore causing the firewall
exception. Our worry is that this exception will soon be (or already is)
out of hand and faculty will spread the word of these exceptions. I know
that not everyone supports perimeter firewalls but that has been our
best solution for the time being considering manpower/resources. Some
questions I have on this are:

How are you dealing with these issues? Do you have a policy that
addresses this?

Do you have SLAs that address this?

How do you reveal the responsibility for the data to the department?

Has anyone delegated firewall exceptions to the discretion of the
department? Does that work well?

What other protections do you have in place to augment the security for
the exceptions?

Also, if anyone has transitioned from perimeter firewalls to a more
layered approach, please describe your migration steps.
