Educause Security Discussion mailing list archives

Re: Stateful Perimeter Firewall


From: "Greene, Chip" <cgreene2 () RICHMOND EDU>
Date: Tue, 13 Oct 2009 09:31:37 -0400

We are set up in this way and have had few issues.  The main problem we encountered was with the groups that allowed 
vendor access to manage their servers with PCAnywhere or SSH.  Obviously these would break, as the inbound connections 
would not be permitted.  Two ways to mitigate this are to ensure the specific inbound rules are present in the firewall, 
or to force all vendors to have a VPN connection.  We use the vendor VPN option, with specific firewalls on the VPN that 
allow access only to the servers they have permissions on.  More administration with this option, but well worth the 
security advantages.

And document all connections...

Chip Greene
Senior Network Specialist
University of Richmond


________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter 
[Dean.Halter () NOTES UDAYTON EDU]
Sent: Tuesday, October 13, 2009 9:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Stateful Perimeter Firewall


We are considering setting up our firewalls in a stateful, default deny manner.  Our folks would be able to communicate 
out normally, but folks on the outside would only be able to access resources for which there were explicit exceptions. 
Anyone else doing this that might give us pointers on what we need to do in advance and what to watch for?  Is it 
problematic for certain types of software – p2p, grid, etc.?  Is this, as some of our folks say, too corporate?

Thanks in advance,
Dean Halter
IT Risk Management Officer
University of Dayton

"Security is a process, not a product."  Bruce Schneier
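A small model of the stateful default-deny policy discussed in both messages above, added here as an illustration and not code from either poster: outbound flows are tracked so their replies pass, unsolicited inbound packets are dropped, and vendor SSH reaches a server only from the VPN address pool. All addresses, ports and host roles are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample addressing (hypothetical, not from the thread).
CAMPUS = ip_network("10.20.0.0/16")        # inside hosts that may initiate outbound
VPN_POOL = ip_network("10.99.0.0/24")      # addresses the VPN hands to vendors
WEB_SERVER = ip_address("10.20.5.10")
DB_SERVER = ip_address("10.20.7.20")

# Explicit inbound exceptions: (allowed source network, destination host, dport).
INBOUND_EXCEPTIONS = [
    (ip_network("0.0.0.0/0"), WEB_SERVER, 443),  # public web service
    (VPN_POOL, DB_SERVER, 22),                   # vendor SSH, only via the VPN
]

# Packet: src, sport, dst, dport and whether it opens a new flow (a TCP SYN).
Packet = namedtuple("Packet", "src sport dst dport new")

class StatefulFirewall:
    """Default-deny inbound; outbound allowed and tracked so replies pass."""
    def __init__(self):
        self.conntrack = set()  # (src, sport, dst, dport) of accepted flows

    def decide(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack or (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT"  # established flow or its return traffic
        if not p.new:
            return "DROP"  # mid-stream packet with no state: invalid
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in CAMPUS and dst not in CAMPUS:
            self.conntrack.add(key)  # new outbound connection, remember it
            return "ACCEPT"
        for net, host, port in INBOUND_EXCEPTIONS:
            if src in net and dst == host and p.dport == port:
                self.conntrack.add(key)  # explicitly permitted inbound connection
                return "ACCEPT"
        return "DROP"  # everything else inbound: default deny

def run_scenarios():
    """Return the verdict for each case raised in the thread."""
    fw = StatefulFirewall()
    return {
        "outbound https": fw.decide(Packet("10.20.1.5", 51000, "203.0.113.9", 443, True)),
        "https reply": fw.decide(Packet("203.0.113.9", 443, "10.20.1.5", 51000, False)),
        "unsolicited ack": fw.decide(Packet("203.0.113.9", 443, "10.20.1.6", 51001, False)),
        "public web": fw.decide(Packet("198.51.100.4", 40000, "10.20.5.10", 443, True)),
        "vendor ssh from internet": fw.decide(Packet("198.51.100.4", 40001, "10.20.7.20", 22, True)),
        "vendor ssh via vpn": fw.decide(Packet("10.99.0.7", 40002, "10.20.7.20", 22, True)),
    }
```

The "vendor ssh from internet" case is the breakage Chip describes; the "vendor ssh via vpn" case is the VPN pool exception that restores access without opening SSH to the world.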
