Educause Security Discussion mailing list archives
Re: Stateful Perimeter Firewall
From: "Flynn, Gerald" <flynngn () JMU EDU>
Date: Wed, 14 Oct 2009 09:17:09 -0400
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter
Sent: Tuesday, October 13, 2009 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Stateful Perimeter Firewall

We are considering setting up our firewalls in a stateful, default deny manner. Our folks would be able to communicate out normally, but folks on the outside would only be able to access resources for which there were explicit exceptions.

Anyone else doing this that might give us pointers on what we need to do in advance and what to watch for? Is it problematic for certain types of software – p2p, grid, etc.? Is this, as some of our folks say, too corporate?

Some may argue that desktop management or system access controls and audits are too corporate. :) It depends upon what compromise between risk and convenience/efficiency/functionality you're willing to accept. :)

We converted to a TCP default deny policy in November of 2005 using router ACLs. We're getting ready to move policy enforcement from router ACLs to a stateful firewall, adding coverage for UDP and other protocols.

Traffic analysis prior to the change and communications with those possibly affected are the most important steps to take to ensure a successful and well-thought-of project. People need to understand you're not denying them access. You're just not exposing everyone when only a small percentage need exposure. Those that need the exposure need just request it.

You might find some of these old threads interesting: http://listserv.educause.edu/cgi-bin/wa.exe?S2=SECURITY&q=&s=default+deny&f=&a=&b=
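
One way to do the pre-change traffic analysis mentioned in the reply, as an added example that is not part of the original post: replay flow records in time order with a simple state table and list the internal services that outside hosts initiate connections to, which are the candidates for explicit exceptions. The campus prefix, the flow export format, the function names and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: campus prefix (a documentation range stands in for it here).
CAMPUS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample flows in a hypothetical export format:
# start_time src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
1.0 198.51.100.7 40001 192.0.2.10 443 tcp
2.0 198.51.100.8 40002 192.0.2.10 443 tcp
3.0 192.0.2.55 51514 203.0.113.9 443 tcp
3.1 203.0.113.9 443 192.0.2.55 51514 tcp
4.0 198.51.100.7 40003 192.0.2.77 22 tcp
5.0 192.0.2.31 5353 203.0.113.20 53 udp
5.1 203.0.113.20 53 192.0.2.31 5353 udp
6.0 203.0.113.50 33333 192.0.2.31 53 udp
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS)

def inbound_exposure(text):
    """Map (internal_ip, proto, port) -> set of outside hosts that initiated
    a conversation to it, i.e. traffic a stateful default deny would drop."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    rows.sort(key=lambda r: float(r[0]))       # replay in time order
    state = set()                              # opened conversations (no timeout: simplification)
    exposed = defaultdict(set)
    for _ts, src, sport, dst, dport, proto in rows:
        if (proto, dst, dport, src, sport) in state:
            continue                           # reply to an earlier flow, stateful rule allows it
        state.add((proto, src, sport, dst, dport))
        if is_internal(dst) and not is_internal(src):
            exposed[(dst, proto, int(dport))].add(src)
    return dict(exposed)

def exception_candidates(text):
    """Services sorted by number of distinct outside clients, busiest first."""
    exposed = inbound_exposure(text)
    return sorted(((len(c), k) for k, c in exposed.items()), reverse=True)

if __name__ == "__main__":
    for clients, (ip, proto, port) in exception_candidates(SAMPLE_FLOWS):
        print(f"{ip} {proto}/{port}: {clients} outside client(s)")
```

The resulting list doubles as the contact list for the owners of those hosts before the policy changes.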