Educause Security Discussion mailing list archives

Firewall Exceptions


From: Kim Cary <Kim.Cary () PEPPERDINE EDU>
Date: Fri, 16 Mar 2007 08:43:41 -0700

On Wed, 2007-03-14 at 16:33 -0500, Greg T. Grimes wrote:
1.  Who manages your firewalls?  Central IT, Department IT?

Central.

2.  Do you require approval for an exception in a firewall for a
network?

Exceptions are not allowed, but there is a mechanism for
departmental servers.

  a.  If so, who approves?

Information Security

  b.  What is the approval process?

Person wanting exception submits a request via email. They are
redirected to server engineering and web services to use central
resources. If that solution doesn't fit they may sign an agreement
to place the system in an "Internet Server Zone" subnet near their
user net. These subnets are outside our normal 'default deny
inbound' in a 'deny known bad' subnet. Our poster-child for
departmental servers is a system run on a grant which collects
radio data from a buoy in the ocean that is picked up from the
system by researchers at another institution. Why isn't this server
in the datacenter? 1) the grant can't pay the monthly charge and 2)
the datacenter can't accommodate the antenna. Our poster-child for
the redirected exception request is the faculty website; everyone
who has had their own system, proudly, for years, has migrated to
central server because the liability to them on being hacked hasn't
seemed worth the 'vanity' domain name.

  c.  Do you use a form?

Paper form for signatures; data entered into a database (for future
connection to automated Nessus scanner). PI/Administrator and Tech
Contact sign, agreeing to the following for their system in the
"Internet Server Zone": 1) maintain host fw, 2) maintain o/s & app
patches, 3) system must withstand all vulnerability scans without
complaint and 4) if anything looks fishy, InfoSec may block first
and notify later.

3.  What exceptions do you allow or disallow?

Exceptions have a security impact beyond the 'allowed port may be
attacked' angle. They tend to become 'immortal children' that live
on beyond the uses or persons that generated them. As such, they
add to complexity indefinitely and the maintenance/generation of
exceptions distracts from and displaces security analysis. This is
why we don't make exceptions for individual machines, but rather
place the machine in an exception Zone and make the exception
generators accountable.
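The two-zone design Kim describes (user subnets behind 'default deny inbound', departmental servers in an "Internet Server Zone" subnet that is only 'deny known bad', with a signed register of accountable owners and scan results) can be modelled in a few lines. The following is an added example, not code from the original post or from Pepperdine; the subnet ranges, the known-bad port and source lists, the review thresholds and the sample register entries are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample zones (assumption: RFC 1918 ranges chosen for illustration).
USER_NET = ip_network("10.20.0.0/24")       # 'default deny inbound' user subnet
SERVER_ZONE = ip_network("10.20.1.0/24")    # "Internet Server Zone": 'deny known bad'
KNOWN_BAD_PORTS = {23, 135, 137, 138, 139, 445, 1433, 3389}   # constructed blocklist
KNOWN_BAD_SOURCES = [ip_network("192.0.2.0/24")]              # constructed (TEST-NET-1)


def inbound_decision(src: str, dst: str, dport: int, established: bool = False) -> str:
    """Decide whether an inbound packet is allowed, per destination zone."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if established:
        return "allow"          # reply traffic for a connection the inside opened
    if dst_ip in USER_NET:
        return "deny"           # default deny inbound: no per-host exceptions at all
    if dst_ip in SERVER_ZONE:
        if dport in KNOWN_BAD_PORTS or any(src_ip in net for net in KNOWN_BAD_SOURCES):
            return "deny"       # deny known bad
        return "allow"          # host firewall and patching are the owner's obligation
    return "deny"               # anything not in a defined zone is dropped


@dataclass
class ZoneEntry:
    """One row of the signed Internet Server Zone register (hypothetical schema)."""
    host: str
    pi: str
    tech_contact: str
    signed: date
    last_clean_scan: Optional[date]


def review_register(entries, today: date, max_scan_age_days: int = 30,
                    max_signature_age_days: int = 365) -> dict:
    """Flag entries that have lost accountability, i.e. the 'immortal children'."""
    findings = {}
    for e in entries:
        problems = []
        if e.last_clean_scan is None or (today - e.last_clean_scan).days > max_scan_age_days:
            problems.append("no recent clean vulnerability scan")
        if (today - e.signed).days > max_signature_age_days:
            problems.append("agreement older than a year; re-sign or remove from zone")
        if problems:
            findings[e.host] = problems
    return findings


def sample_entries():
    """Constructed register rows for the demonstration."""
    return [
        ZoneEntry("buoy-radio", "Dr. A", "tech-a", date(2007, 1, 10), date(2007, 3, 1)),
        ZoneEntry("orphaned-lab-box", "former PI", "unknown", date(2005, 9, 1), None),
        ZoneEntry("faculty-web", "Dr. B", "tech-b", date(2006, 12, 1), date(2006, 12, 15)),
    ]


def demo_findings() -> dict:
    """Run the register review as of the date of the original post."""
    return review_register(sample_entries(), date(2007, 3, 16))


if __name__ == "__main__":
    print(inbound_decision("198.51.100.7", "10.20.0.15", 80))    # deny (user net)
    print(inbound_decision("198.51.100.7", "10.20.1.15", 80))    # allow (server zone)
    print(inbound_decision("198.51.100.7", "10.20.1.15", 445))   # deny (known-bad port)
    for host, problems in demo_findings().items():
        print(host, "->", "; ".join(problems))
```

The point of keeping the register next to the policy is that the zone rule never changes per host: when an entry fails review, the remedy is to re-sign or to move the host out of the zone, not to add a one-off rule that outlives its owner.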
