Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall

From: Randy Marchany <marchany () VT EDU>
Date: Wed, 1 Nov 2006 14:09:50 -0500

There are already enough exceptions in most firewalls because of vendor
applications. We have a doc that lists the ports that need to be open for
various services like Exchange, LDAP, AD, Banner, etc. Most of these services
should be restricted to campus only but there are some that require external
access. Also, perimeter firewalls are nice but host based firewalls are
critical. Wireless has changed the threat vector and forces us to install host
based defenses. Wireless bypasses the perimeter defenses.

Having said that, the simplest way to deal with faculty who claim that these
restrictions impede their work is:

        1. Have an AUP that states you are responsible for whatever originates
           from their userid, system, etc.
        2. Have the faculty member sign off on this even if it's assumed. At
           the least, record the fact that you notified them of this.
        3. Notify them of the penalties if there is a violation.
        4. Let them go do their thing.

If a problem occurs, record all appropriate information including cost of
recovery. Send the report to the dept head, internal audit, provost, CFO and
whoever else is appropriate. If need be, send them a bill for recovery
services. As a friend of mine would say, "Hang the Scarlett A on them". They
can complain all they want but the fact of the matter is that they cost the
school $$$, bad publicity or worse.

As a security type, I've come to realize that we need to let people do their
work and not interfere with them unless there's a problem. Should we monitor
and have good incident handling? Of course. Should we have good awareness
training for them? Absolutely.

For example, there's the big discussion about banning P2P on campuses. We're a
land-grant school so we have extension agents all over the state. I found out
that some extension people use P2P to xfer videos on extension stuff to their
agents. They actually use P2P for a business purpose. Why should the security
people restrict P2P as a legit business mechanism? If my environment is too
restrictive, my users will find ways to bypass them. Then what?

Enforcing personal responsibility seems to be the best long-term strategy. Too
often we think of short term and wind up in a worse state because of that.
Does this increase the risk of a major attack? Yes, in the short term. In the
long term, no faculty member will want to be identified as the person who cost
the school $$$. In the long term, individual systems will be more secure.

All security is local. People only pay attention when it affects them. If I do
it for them, they won't change their behavior. My goal is to get them to
change their behavior.

        -Randy Marchany
        VA Tech