Educause Security Discussion mailing list archives

Re: Stateful Perimeter Firewall


From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 13 Oct 2009 09:25:33 -0400

A couple of folks on my team have given this talk at Educause/SPC/MWRC, but in a nutshell we made this change a few years 
ago.

Thanks to lots of up-front planning and closely working with the departments who had externally-facing services, we 
ended up with a short-list of ports still permitted inbound, and the rest are default-denied.  Outbound is not 
restricted except for things like SMTP which is only permitted from approved servers - a common spam-control tactic.

The cutover went as planned, in phases by campus network "region" (usually a building or two).  With no notable 
exceptions, each time a cutover occurred the relevant IT manager would contact us the next day or so asking "well, when 
are you going to throw the switch?"  No one noticed.

So, I'd say we got what we hoped for:  An extra layer of shielding from unsolicited traffic, with no adverse user 
impact and negligible hindrance on deliberate traffic.  Oh, and a huge proportion of inbound traffic was unsolicited 
(like 2/3 IIRC) and is now dropped at the border.

Note that the above was done as a single-border-for-all, and had to be relatively porous while at the same time having 
some impact on non-business (e.g. research) traffic types.  Therefore, we're amidst our next phase which is to zone the 
campus net so that research activities have a different border policy than does administration, students, etc.  A small 
handful of zones covers it, permitting border permeability that best suits the audience in question, rather than 
one-size-fits-all.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean 
Halter
Sent: Tuesday, October 13, 2009 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Stateful Perimeter Firewall


We are considering setting up our firewalls in a stateful, default deny manner.  Our folks would be able to communicate 
out normally, but folks on the outside would only be able to access resources for which there were explicit exceptions. 
 Anyone else doing this that might give us pointers on what we need to do in advance and what to watch for?  Is it 
problematic for certain types of software – p2p, grid, etc.?  Is this, as some of our folks say, too corporate?

Thanks in advance,
Dean Halter
IT Risk Management Officer
University of Dayton

"Security is a process, not a product."  Bruce Schneier
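As an added illustration (not from either message in the thread), here is an nftables ruleset for a border router that implements the policy Gary describes: stateful, default-deny inbound with a short permitted list per campus zone, outbound unrestricted except SMTP, which is only allowed from approved relays. Interface names, address prefixes, relay hosts and port lists are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: stateful default-deny border policy, modelled on the thread.
# "campus" and "internet" interface names, prefixes and ports are placeholders.
flush ruleset

table inet border {
    # Campus zones (constructed prefixes) so research can get a different
    # border policy than administration or student networks.
    set admin_zone    { type ipv4_addr; flags interval; elements = { 10.10.0.0/16 } }
    set research_zone { type ipv4_addr; flags interval; elements = { 10.20.0.0/16 } }

    # Hosts approved to originate SMTP to the Internet (spam-control tactic).
    set smtp_relays { type ipv4_addr; elements = { 10.10.5.25, 10.10.5.26 } }

    # The short list of ports still permitted inbound, per zone.
    set admin_inbound    { type inet_service; elements = { 443 } }
    set research_inbound { type inet_service; elements = { 22, 443 } }

    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Stateful core: replies to sessions opened from campus are let back
        # in; packets that belong to no known session are dropped.
        ct state established,related accept
        ct state invalid drop

        # Outbound: unrestricted, except SMTP only from the approved relays.
        iifname "campus" oifname "internet" tcp dport 25 ip saddr != @smtp_relays counter drop
        iifname "campus" oifname "internet" accept

        # Inbound: only the explicit exceptions, matched per zone.
        iifname "internet" oifname "campus" ip daddr @admin_zone    tcp dport @admin_inbound    ct state new accept
        iifname "internet" oifname "campus" ip daddr @research_zone tcp dport @research_inbound ct state new accept

        # Everything else arriving from outside is unsolicited; count and log
        # it so the dropped proportion (the thread reports about 2/3) is visible.
        iifname "internet" counter log prefix "border-drop " drop
    }
}
```

Before cutover, run the ruleset with the inbound `drop` temporarily changed to `counter log prefix "border-would-drop " accept` for a region and review the logs with the relevant IT managers; that turns up missing exceptions without any user impact.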
