Educause Security Discussion mailing list archives

Re: Stateful Perimeter Firewall


From: Cal Frye <cjf () CALFRYE COM>
Date: Tue, 13 Oct 2009 12:08:40 -0400

Dean Halter wrote:

We are considering setting up our firewalls in a stateful, default deny
manner. Is it problematic for certain types of software – p2p, grid, etc.?
Is this, as some of our folks say, too corporate?

Hi, Dean,
There have been many good replies to your questions. One very important
feature is having internal firewalls in addition to one at the
perimeter. I'll add just two little features we've done here.

1) Skype permits you to set a high-number port for inbound connections.
It's a fairly simple matter for Skype users to make this setting in
their preferences, but it does need to be set manually. This will permit
you to close the perimeter without breaking Skype, if you care about
that. I wish more applications had this option.

2) If you permit students to host game servers on your ResNet, you'll
need a small portion of your address space where you can put them with
no firewall protection. "Put all your eggs in one basket, and then watch
that basket." Any unusual activity from these addresses is assumed to be
evidence of a breach until proven otherwise ;-)

Small openings like this have great PR value.

--
Celebrating the 150th anniversary of the publication of the Origin of
Species.
-- Cal Frye, Network Administrator, Oberlin College
   Mudd Library, x.56930 -- CIT will NEVER ask you for your password!

   www.calfrye.com,  www.pitalabs.com

"Why make the same mistake twice, when there are so many new ones
available?"
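
The policy Cal describes, written out as an nftables ruleset. This is an added example, not configuration from the post or from Oberlin; the subnets, the Skype host, its pinned port, and the interface names lan0/wan0 are assumptions.

```nft
# Added example (not from the mailing-list post). Assumed layout:
#   10.10.0.0/16    campus network behind the perimeter firewall
#   10.10.50.0/24   ResNet block where student game servers live (no inbound filtering)
#   10.10.20.15     workstation whose Skype client is pinned to inbound port 41234
#   lan0 / wan0     inside and outside interfaces
flush ruleset

table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        # Stateful core: replies and related flows of connections already allowed
        ct state established,related accept
        ct state invalid drop

        # "Put all your eggs in one basket, and then watch that basket":
        # the game-server block is not filtered inbound, but every new flow in
        # or out of it is logged so anything that is not game traffic stands out.
        # These rules come first so the general outbound rule below does not
        # swallow outbound flows from the block unlogged.
        ip daddr 10.10.50.0/24 ct state new log prefix "gamesrv-in: " accept
        ip saddr 10.10.50.0/24 ct state new log prefix "gamesrv-out: " accept

        # Small opening for Skype: the high port the user set manually in
        # the client preferences, opened only toward that one host.
        ip daddr 10.10.20.15 tcp dport 41234 ct state new accept
        ip daddr 10.10.20.15 udp dport 41234 ct state new accept

        # Internal hosts may initiate outbound connections; replies return
        # through the established,related rule above.
        ip saddr 10.10.0.0/16 iifname "lan0" oifname "wan0" ct state new accept

        # Everything else (including all other unsolicited inbound) hits the drop policy
    }
}
```

Lines carrying the gamesrv-out prefix that are not game traffic are the "unusual activity" the post treats as a breach until proven otherwise, so they are the ones to alert on.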
