Educause Security Discussion mailing list archives

Re: Stateful Perimeter Firewall


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 13 Oct 2009 11:17:09 -0400

We’ve done this with the exception that outbound ports are closed by default and openings have to be requested. 
Outbound port 25 is allowed only via a mail gateway, and internal users have to relay their mail off of the mail-gate. 

All P-to-P traffic is dropped at the perimeter. We do not have res halls, so there has not been much pushback in 
support of academic freedom. For those with res halls, even if those have to remain open outbound, it would be 
worthwhile to separate them from the administrative networks. 

Administrative networks must have a business justification for port openings. We have a lot of business subnets with 
highly regulated data, and those are managed more like Financial and Healthcare networks. It is important to document 
why a port opening was created, and routinely reassess the justification and need, as those change over time.

We’re forming a security governance team where people can plead their case to have additional ports open. The team will 
review the risk associated with having the port open for general use. This gets IT out of the gatekeeper role and 
redirects network related risk management decisions to the business. 

Currently external vendors must come through an SSL VPN, and my roadmap has us moving to Xceedium to manage vendor 
access. This will allow us to provision vendor access to the box they need, and will disallow access to other devices. 
It also restricts the vendor from using their box to gain access to other devices on the internal network. 
http://www.xceedium.com 

This is by no means comprehensive – but this is also a very active thread with lots of other good ideas/practices. 

Best ‘O luck

Dan

Dan Jones, CGEIT, CISM

IT Security Manager

University of Massachusetts Medical School

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter
Sent: Tuesday, October 13, 2009 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Stateful Perimeter Firewall

We are considering setting up our firewalls in a stateful, default deny manner.  Our folks would be able to communicate 
out normally, but folks on the outside would only be able to access resources for which there were explicit exceptions. 
Anyone else doing this that might give us pointers on what we need to do in advance and what to watch for?  Is it
problematic for certain types of software – p2p, grid, etc.?  Is this, as some of our folks say, too corporate? 

Thanks in advance, 
Dean Halter
IT Risk Management Officer
University of Dayton

"Security is a process, not a product."  Bruce Schneier 
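The posture Dean asks about and the outbound restrictions Dan describes (stateful default deny, outbound closed by default with justified openings, SMTP only via the mail gateway, P2P dropped, residence halls kept away from administrative subnets, vendors entering through a VPN) can be expressed as a single nftables ruleset. The following is an added illustration written for this archive page, not a configuration from either poster's institution; every interface name, address, subnet and the set of P2P ports are assumed placeholders and would need to be replaced with the real values.

```nft
#!/usr/sbin/nft -f
# Added example: stateful, default-deny perimeter policy in nftables.
# All names and addresses below are assumptions for illustration only.
flush ruleset

define WAN     = eth0              # interface facing the Internet (assumed)
define ADMIN   = 10.10.0.0/16      # administrative / regulated-data subnets (assumed)
define RESHALL = 10.20.0.0/16      # residence-hall segment (assumed)
define MAILGW  = 10.10.1.25        # mail gateway: the only host allowed to speak SMTP out (assumed)
define WEB     = 203.0.113.10      # public web server, an explicit inbound exception (assumed)
define SSLVPN  = 203.0.113.20      # SSL VPN concentrator that vendors must come through (assumed)

table inet perimeter {
    # ports commonly used by P2P clients; dropped in both directions (assumed list)
    set p2p_ports {
        type inet_service
        flags interval
        elements = { 6881-6889, 6969 }
    }

    chain forward {
        # default deny for everything crossing the perimeter, in either direction
        type filter hook forward priority 0; policy drop;

        # stateful core: replies to flows already accepted pass, malformed state does not
        ct state established,related accept
        ct state invalid drop

        # P2P is dropped before any allow rule below can match it
        tcp dport @p2p_ports drop
        udp dport @p2p_ports drop

        # outbound SMTP only from the mail gateway; every other host must relay through it
        ip saddr $MAILGW oifname $WAN tcp dport 25 accept
        oifname $WAN tcp dport 25 log prefix "smtp-bypass-attempt: " drop

        # administrative subnets: outbound closed by default, each opening is an
        # explicit, documented exception (web and DNS shown; add others as justified)
        ip saddr $ADMIN oifname $WAN tcp dport { 80, 443 } ct state new accept
        ip saddr $ADMIN oifname $WAN udp dport 53 accept

        # residence halls: may remain open outbound, but never reach administrative subnets
        ip saddr $RESHALL ip daddr $ADMIN drop
        ip saddr $RESHALL oifname $WAN ct state new accept

        # explicit inbound exceptions: the public web server and the vendor VPN entry point
        iifname $WAN ip daddr $WEB tcp dport { 80, 443 } ct state new accept
        iifname $WAN ip daddr $SSLVPN tcp dport 443 ct state new accept

        # record what the default policy is about to drop, rate-limited to protect the log
        limit rate 10/second log prefix "perimeter-drop: "
    }
}
```

Loading it with `nft -c -f perimeter.nft` checks the syntax without applying anything; the order matters, because nftables evaluates rules top to bottom and the P2P drop must precede the residence-hall accept or that segment would carry P2P traffic anyway. The logged SMTP rule gives the evidence needed when reassessing an opening, as Dan recommends.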