Educause Security Discussion mailing list archives
Re: Too Many Exceptions in the Firewall
From: Randy Marchany <marchany () VT EDU>
Date: Wed, 1 Nov 2006 14:09:50 -0500
There are already enough exceptions in most firewalls because of vendor applications. We have a doc that lists the ports that need to be open for various services like Exchange, LDAP, AD, Banner, etc. Most of these services should be restricted to campus only, but there are some that require external access.

Also, perimeter firewalls are nice, but host-based firewalls are critical. Wireless has changed the threat vector and forces us to install host-based defenses. Wireless bypasses the perimeter defenses.

Having said that, the simplest way to deal with faculty who claim that these restrictions impede their work is:

1. Have an AUP that states they are responsible for whatever originates from their userid, system, etc.
2. Have the faculty member sign off on this even if it's assumed. At the least, record the fact that you notified them of this.
3. Notify them of the penalties if there is a violation.
4. Let them go do their thing.

If a problem occurs, record all appropriate information, including cost of recovery. Send the report to the dept head, internal audit, provost, CFO and whoever else is appropriate. If need be, send them a bill for recovery services. As a friend of mine would say, "Hang the Scarlet A on them". They can complain all they want, but the fact of the matter is that they cost the school $$$, bad publicity or worse.

As a security type, I've come to realize that we need to let people do their work and not interfere with them unless there's a problem. Should we monitor and have good incident handling? Of course. Should we have good awareness training for them? Absolutely.

For example, there's the big discussion about banning P2P on campuses. We're a land-grant school, so we have extension agents all over the state. I found out that some extension people use P2P to xfer videos on extension stuff to their agents. They actually use P2P for a business purpose. Why should the security people restrict P2P as a legit business mechanism?

If my environment is too restrictive, my users will find ways to bypass it. Then what? Enforcing personal responsibility seems to be the best long-term strategy. Too often we think of the short term and wind up in a worse state because of that. Does this increase the risk of a major attack? Yes, in the short term. In the long term, no faculty member will want to be identified as the person who cost the school $$$. In the long term, individual systems will be more secure.

All security is local. People only pay attention when it affects them. If I do it for them, they won't change their behavior. My goal is to get them to change their behavior.

-Randy Marchany
VA Tech