Educause Security Discussion mailing list archives

Re: Stateful Perimeter Firewall


From: "Flynn, Gerald" <flynngn () JMU EDU>
Date: Wed, 14 Oct 2009 09:17:09 -0400



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter
Sent: Tuesday, October 13, 2009 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Stateful Perimeter Firewall


We are considering setting up our firewalls in a stateful, default deny
manner.  Our folks would be able to communicate out normally, but folks
on the outside would only be able to access resources for which there
were explicit exceptions.  Anyone else doing this that might give us
pointers on what we need to do in advance and what to watch for?  Is it
problematic for certain types of software – p2p, grid, etc.?  Is this,
as some of our folks say, too corporate?

Some may argue that desktop management or system access controls and audits
are too corporate. :) It depends upon what compromise between risk and
convenience/efficiency/functionality you're willing to accept. :)

We converted to a TCP default deny policy in November of 2005 using router
ACLs. We're getting ready to move policy enforcement from router ACLs
to a stateful firewall adding coverage for UDP and other protocols.

Traffic analysis prior to the change and communications with those possibly
affected are the most important steps to take to ensure a successful and
well-thought-of project. People need to understand you're not denying
them access. You're just not exposing everyone when only a small percentage
need exposure. Those that need the exposure need only request it.

You might find some of these old threads interesting:

http://listserv.educause.edu/cgi-bin/wa.exe?S2=SECURITY&q=&s=default+deny&f=&a=&b=
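The reply above draws a line between a TCP default deny built from router ACLs and a stateful firewall that also covers UDP. The following toy simulation, added here as an illustration and not code from the thread or from JMU, makes that difference concrete: a stateless ACL can only approximate "established" TCP by looking at the ACK/RST bits of each packet and has nothing comparable for UDP, while a stateful filter records outbound flows and admits inbound traffic only when it matches a recorded flow or an explicit exception. All addresses, ports and the single web-server exception are constructed sample data.

```python
"""Toy comparison of a stateless router ACL and a stateful default-deny firewall.

Added example for this thread; the hosts, ports and the exception list below
are constructed, not taken from any real network.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool              # True = arriving from the Internet toward campus
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"} or {"ACK"}

# (proto, internal ip, internal port, external ip, external port)
FlowKey = Tuple[str, str, int, str, int]
Exceptions = Set[Tuple[str, str, int]]   # (proto, exposed ip, exposed port)

class StatelessAcl:
    """Router ACL: every packet is judged on its own header, nothing is remembered.

    Inbound TCP is permitted when the port is an explicit exception or when the
    ACK or RST bit is set (the classic 'established' keyword). Inbound UDP has
    no flags to test, so only explicit exceptions can get through.
    """
    def __init__(self, exceptions: Exceptions) -> None:
        self.exceptions = exceptions

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            return "permit"                       # campus hosts may talk out freely
        if (p.proto, p.dst, p.dport) in self.exceptions:
            return "permit"
        if p.proto == "tcp" and (p.flags & {"ACK", "RST"}):
            return "permit"                       # looks like a reply; cannot verify a session exists
        return "deny"

class StatefulFirewall:
    """Stateful filter: outbound packets create flow entries, inbound must match one."""
    def __init__(self, exceptions: Exceptions) -> None:
        self.exceptions = exceptions
        self.flows: Set[FlowKey] = set()

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "permit"
        if (p.proto, p.dst, p.dport) in self.exceptions:
            return "permit"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"                       # reply to a flow a campus host opened
        return "deny"

def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Run four constructed traffic cases; each result is (stateless, stateful)."""
    exceptions: Exceptions = {("tcp", "10.0.0.10", 80)}   # constructed: one public web server
    acl = StatelessAcl(exceptions)
    fw = StatefulFirewall(exceptions)
    results: Dict[str, Tuple[str, str]] = {}

    # 1. Unsolicited inbound SYN to a host with no exception: both deny.
    p = Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 22, True, frozenset({"SYN"}))
    results["unsolicited_syn"] = (acl.decide(p), fw.decide(p))

    # 2. Inbound connection to the explicit exception: both permit.
    p = Packet("tcp", "198.51.100.7", 40001, "10.0.0.10", 80, True, frozenset({"SYN"}))
    results["exception_web"] = (acl.decide(p), fw.decide(p))

    # 3. A campus host sends a UDP DNS query, then the reply comes back.
    query = Packet("udp", "10.0.0.5", 53000, "192.0.2.53", 53, False)
    acl.decide(query)
    fw.decide(query)
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 53000, True)
    results["dns_reply"] = (acl.decide(reply), fw.decide(reply))   # ACL denies, firewall permits

    # 4. Inbound segment with only ACK set and no session behind it.
    p = Packet("tcp", "198.51.100.7", 40002, "10.0.0.5", 445, True, frozenset({"ACK"}))
    results["unsolicited_ack"] = (acl.decide(p), fw.decide(p))     # ACL permits, firewall denies

    return results

if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:16s} stateless={stateless:6s} stateful={stateful}")
```

Case 3 is the reason the thread's author mentions UDP coverage: without state, every UDP reply to a campus-initiated query looks identical to unsolicited inbound traffic, so a router ACL must either open the port to everyone or break the application. Case 4 shows the price paid for the stateless "established" shortcut, which the flow table in the stateful filter removes.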
