Educause Security Discussion mailing list archives

Re: Questions about Firewall Exceptions


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 15 Mar 2007 11:34:49 -0400

Greg T. Grimes wrote:
I have a few questions about how everyone handles firewall exceptions.  I
know everyone won't have the same setup as we do, but MSU is looking to
have a formal authorization process for exceptions.  Thanks in advance.

1.  Who manages your firewalls?  Central IT, Department IT?

Central IT.


2.  Do you require approval for an exception in a firewall for a
network?

Yes.


  a.  If so, who approves?

IT Security Engineering in 99.9% of the cases.
Though it's not so much an approval as a sanity
check, tactical risk assessment, and potential
veto in extreme cases. Approval is the default
action.



  b.  What is the approval process?

We have an Internet default deny policy where campus services
are not exposed to the Internet by default. If a faculty or
staff member wants to expose a service, they make a request and
it's granted by default with some occasional advice on
alternatives (e.g. VPN to remote desktop rather than full
exposure) and security precautions. If a student makes a
request to have a service exposed, it is only granted if it
is associated with a JMU academic or business need. We get a
handful of such requests a year and at any point in time,
there are usually only one or two student servers exposed.
Most requests are a result of a misunderstanding about
the needs of a particular service.

If there are access policies inside of campus that need
to be changed, they're dealt with on a case by case
basis. Except for requests associated with access to
sensitive systems and requests associated with IT
provisioning of new services, interior access policy
change requests are very rare.



  c.  Do you use a form?

Faculty and staff have a web form where Internet exposure
is requested. We had originally planned to automate the
process (the web application checks our network registration
database to see if the authenticated person is authorized for
the IP address for which exposure is requested) but the work
load has been so light, we've left it as a manual process.

We do not have a form associated with interior access
policy change requests.



3.  What exceptions do you allow or disallow?

Generally, a person wanting to expose a service lets us know
what service they want exposed. When we switched to the
default deny policy, some requested "full exposure". We
implemented the default deny policy access rules below the
previously existing default permit exception rules. So if a
person requests full Internet exposure, by default they don't
really get full exposure. Only to the extent that our previous
policy exposed a system. For example, after "exposure" their
netbios, MS-RPC, sun-rpc, SNMP, database, ldap, and backup
services will still be protected. The requests for exposure
beyond that are very rare and are reviewed on a case by case
basis. I can't think of a case where we've refused to expose
a service. If we have major concerns, we have always been able
to reach consensus about alternatives and/or precautions.

We also have an intrusion prevention device on our Internet
border that I consider part of our "firewall". We have had
only one request for exemption from that protection and that,
logically enough, was for a research project involving
intrusion detection.





--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
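The rule layering described in the answer to question 3 (the older deny rules for netbios, MS-RPC, sun-rpc, SNMP, database, LDAP and backup kept above the newer per-host exposure permits and the final default deny) modelled as a first-match policy. This is an added example, not JMU's ruleset or code; the campus prefix, host address, port numbers and rule names are assumptions.

```python
"""First-match model of a layered border policy: legacy service denies sit
above per-host "full exposure" permits and a terminal default deny.
Constructed example; addresses, ports and rule names are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "permit" or "deny"
    dst: Optional[str] = None                # CIDR, or None for any host
    ports: Optional[FrozenSet[int]] = None   # None for any TCP/UDP port

    def matches(self, dst_ip: str, port: int) -> bool:
        in_net = self.dst is None or ip_address(dst_ip) in ip_network(self.dst)
        in_ports = self.ports is None or port in self.ports
        return in_net and in_ports


# Services the earlier default-permit policy already blocked at the border.
# Service names follow the post; port numbers are common assignments (assumed).
LEGACY_BLOCKED = frozenset({135, 137, 138, 139, 445,   # netbios / MS-RPC
                            111, 161, 162, 389, 636,   # sun-rpc, SNMP, LDAP
                            1433, 1521, 3306, 5432,    # common database ports
                            10000})                    # backup agent (assumed)

CAMPUS = "192.0.2.0/24"        # constructed campus prefix
EXPOSED_HOST = "192.0.2.10"    # host that requested "full exposure"

# Correct ordering: denies first, then exposure permits, then default deny.
POLICY: List[Rule] = [
    Rule("legacy-service-denies", "deny", CAMPUS, LEGACY_BLOCKED),
    Rule("full-exposure-" + EXPOSED_HOST, "permit", EXPOSED_HOST + "/32"),
    Rule("internet-default-deny", "deny"),
]

# Misordered variant: the exposure permit above the legacy denies.
MISORDERED: List[Rule] = [POLICY[1], POLICY[0], POLICY[2]]


def first_match(policy: List[Rule], dst_ip: str, port: int) -> Rule:
    """Return the first rule matching inbound traffic to dst_ip:port."""
    for rule in policy:
        if rule.matches(dst_ip, port):
            return rule
    raise RuntimeError("policy has no terminal rule")


def is_permitted(policy: List[Rule], dst_ip: str, port: int) -> bool:
    return first_match(policy, dst_ip, port).action == "permit"
```

With POLICY the exposed host accepts port 80 but 445 still hits the legacy deny; with MISORDERED the same host would also accept 445, which is why the ordering in the post matters.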