Educause Security Discussion mailing list archives

Re: Stateful Perimeter Firewall


From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Tue, 13 Oct 2009 09:18:38 -0400

Dean Halter wrote:

We are considering setting up our firewalls in a stateful, default deny
manner.  Our folks would be able to communicate out normally, but folks
on the outside would only be able to access resources for which there
were explicit exceptions.  Anyone else doing this that might give us
pointers on what we need to do in advance and what to watch for?  Is it
problematic for certain types of software – p2p, grid, etc.?  Is this,
as some of our folks say, too corporate?

This is exactly how we have things set up, and it hasn't been a problem.

Two comments:

I would advise that you have a procedure beforehand for requesting
firewall holes -- and make sure that you keep track of who requests them
and expire them periodically. We check every six months to make sure that
holes are still required.

Also, you might want to log firewall traffic for a while before setting
up the default deny, just to get an idea of what systems are being
accessed often from the outside. That will give you a good starting
point for your initial ruleset.

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
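The second piece of advice above (log for a while before flipping to default deny, then build the initial ruleset from what you saw) is mechanical enough to script. The following is an added example and is not code from the post or from the Canisius setup: it takes a sample of netfilter-style LOG lines captured while the perimeter still allows everything, counts the new inbound connection attempts per destination host, protocol and port, and renders a first-cut stateful default-deny nftables forward chain with one explicit accept per observed service. The log format, the interface names eth0/eth1, and the RFC 5737 documentation addresses (192.0.2.0/24 as "inside", 203.0.113.0/24 as "outside") are assumptions, and the log lines are constructed, not real traffic.

```python
"""Turn a default-allow log baseline into a first-cut default-deny nftables ruleset.

Added example; assumptions (not from the original post):
  - log lines use the netfilter LOG key=value format
  - eth0 faces the outside, eth1 faces the campus
  - 192.0.2.0/24 stands in for the campus address space (RFC 5737)
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")      # assumed campus range
OUTSIDE_IF, INSIDE_IF = "eth0", "eth1"   # assumed interface names

# Constructed sample log lines (not real traffic), in netfilter LOG format.
SAMPLE_LOG = """\
Oct 13 09:01:02 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.25 PROTO=TCP SPT=51000 DPT=25 SYN
Oct 13 09:01:05 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.11 DST=192.0.2.25 PROTO=TCP SPT=51001 DPT=25 SYN
Oct 13 09:01:07 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.12 DST=192.0.2.80 PROTO=TCP SPT=40000 DPT=443 SYN
Oct 13 09:01:09 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.12 DST=192.0.2.80 PROTO=TCP SPT=40001 DPT=80 SYN
Oct 13 09:01:11 fw kernel: FWLOG IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=443 SYN
Oct 13 09:01:13 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.13 DST=192.0.2.80 PROTO=TCP SPT=40002 DPT=443 ACK
Oct 13 09:01:15 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.14 DST=192.0.2.99 PROTO=TCP SPT=40003 DPT=3389 SYN
Oct 13 09:01:17 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.15 DST=192.0.2.53 PROTO=UDP SPT=40004 DPT=53
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST"}


def parse_line(line):
    """Return the key=value fields of one LOG line plus the bare TCP flag tokens."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def is_new_inbound(f):
    """True for a connection attempt from outside to inside.

    Only TCP SYN-without-ACK (a new connection) and UDP count; packets of
    already-established flows and outbound traffic are ignored, since the
    stateful ruleset will handle those with 'ct state established,related'.
    """
    try:
        src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
    except (KeyError, ValueError):
        return False
    if src in INSIDE or dst not in INSIDE:
        return False
    if f.get("PROTO") == "TCP":
        return "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]
    return f.get("PROTO") == "UDP"


def inbound_services(log_text):
    """Count new inbound connection attempts per (dst host, proto, dst port)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if is_new_inbound(f):
            hits[(f["DST"], f["PROTO"].lower(), int(f["DPT"]))] += 1
    return hits


def build_ruleset(hits, min_hits=1):
    """Render a default-deny forward chain with one accept per observed service.

    Services seen fewer than min_hits times in the baseline are left out so
    that one-off probes do not turn into permanent holes; each generated rule
    carries a comment reminding the reviewer to record an owner and a review date.
    """
    lines = [
        "table inet perimeter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{INSIDE_IF}" oifname "{OUTSIDE_IF}" accept '
        'comment "inside -> outside, unrestricted"',
    ]
    for (dst, proto, dport), n in sorted(hits.items()):
        if n < min_hits:
            continue
        lines.append(
            f'    iifname "{OUTSIDE_IF}" ip daddr {dst} {proto} dport {dport} '
            f'ct state new accept comment "seen {n}x in baseline; owner TBD; review in 6 months"'
        )
    lines += ['    log prefix "FWDROP " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_ruleset(inbound_services(SAMPLE_LOG)))
```

The ACK-only line in the sample is deliberately excluded: in a stateful design it belongs to an existing flow, and counting it would suggest a hole that the `established,related` rule already covers. Raising `min_hits` is the cheap way to keep single scans of RDP or similar from being promoted into the initial exception list; whatever survives the threshold still needs a named owner before it goes live, which is where the request-and-expire procedure from the first comment takes over.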
