Educause Security Discussion mailing list archives

FW: Ports/applications permitted for Guest Access


From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Mon, 19 Sep 2011 08:14:56 -0400

Let me state up-front that we are not currently running this nor have we evaluated this yet, but our Sonicwall 
firewalls will do SSL deep packet inspection (via man-in-the-middle decryption) and apply the same rules to that 
encrypted traffic that apply to open protocols (blocked sites, blocked protocols, etc).  That particular capability is 
a key factor in our next guest network deployment architecture.  I am not sure when our testing period will begin, but 
for those who are in the process of looking for solutions for this problem, you might try an evaluation of it.  

And yes, I have seen the remarks about the cost of next-gen firewalls on this list and I agree to a point.  You have to 
make sure that you are not dragging out the hammer to swat the fly.  It all depends on your security goals and 
requirements.  In our case (and I think I have mentioned this before on this list), we aggregated several functions 
into our next-gen firewall that reduced our device count and costs.  Not everyone can afford to do this or have an 
architecture that lends itself to this approach.

And no, I don't get any royalties from the sale of Sonicwall equipment, I am just a happy customer.  :-)

Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1

-----Original Message-----
From: Kevin Wilcox [mailto:wilcoxkm () APPSTATE EDU] 
Sent: Friday, September 16, 2011 5:32 PM
Subject: Re: Ports/applications permitted for Guest Access

On Sun, Sep 11, 2011 at 1:11 PM, Dave Koontz <dkoontz () mbc edu> wrote:

As you've discovered, port based firewalls are no longer adequate in 
today's world.  Any application can disguise itself as web traffic 
(http or https), and many "bad" things do.

I'm curious.

For those of you with a Palo Alto or Fortinet or any of the other "we can block by protocol" firewalls, do you allow 
outbound SSH and HTTPS?
If so, have you been able to successfully detect and stop someone from connecting to <an otherwise blocked site> or 
running <some arbitrarily blocked protocol> when they proxy through an SSH tunnel to an off-campus intermediate/Bastion 
host? If you allow outbound SSL VPNs (I'm thinking specifically of OpenVPN), have you been able to detect connections 
to blocked sites or usage of a blocked protocol when it goes through the SSL tunnel?

kmw

--
Kevin Wilcox GPEN, GCIH
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
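
Kevin's question is about traffic the firewall cannot see into. One thing a defender can still do without decrypting anything is look at the flow-level profile of sessions on the ports that are allowed out (SSH, HTTPS, OpenVPN) and flag the ones that look like a tunnel carrying something else. The following is an added example, not code from either poster or from any firewall vendor; it runs over constructed flow records, and the campus prefix, port list and thresholds are assumptions to be tuned per site.

```python
from dataclasses import dataclass

# Constructed sample flow records (not from the thread):
# start src dst dport duration_s bytes_out bytes_in
SAMPLE_FLOWS = """\
2011-09-16T17:00:01 10.20.1.15 192.0.2.10 22 14 3120 5400
2011-09-16T17:01:10 10.20.1.23 198.51.100.7 22 5400 48100000 912000000
2011-09-16T17:02:33 10.20.1.40 203.0.113.5 443 9 2100 65000
2011-09-16T17:03:05 10.20.1.41 203.0.113.9 1194 7200 95000000 1300000000
2011-09-16T17:04:20 10.20.1.42 10.20.5.9 22 4000 12000000 80000000
"""

CAMPUS_PREFIX = "10.20."  # assumed guest/campus address range
TUNNEL_PORTS = {22: "ssh", 443: "https", 1194: "openvpn"}  # assumed allowed egress ports

@dataclass
class Flow:
    start: str
    src: str
    dst: str
    dport: int
    duration: int
    bytes_out: int
    bytes_in: int

def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, dur, out, inb = line.split()
        flows.append(Flow(start, src, dst, int(dport), int(dur), int(out), int(inb)))
    return flows

def tunnel_indicators(f: Flow, min_duration=1800, min_bytes=50_000_000) -> list[str]:
    """Return heuristic reasons a flow looks like a tunnel; empty list = unremarkable."""
    if f.dport not in TUNNEL_PORTS or f.dst.startswith(CAMPUS_PREFIX):
        return []  # only off-campus sessions on the permitted encrypted ports
    reasons = []
    if f.duration >= min_duration:
        reasons.append(f"long-lived {TUNNEL_PORTS[f.dport]} session ({f.duration}s)")
    if f.bytes_in + f.bytes_out >= min_bytes:
        reasons.append(f"high volume ({(f.bytes_in + f.bytes_out) // 1_000_000} MB)")
    # Interactive SSH is small and chatty; a proxied browsing session is download-heavy.
    if f.dport == 22 and f.bytes_out and f.bytes_in / f.bytes_out > 5:
        reasons.append("download-heavy for SSH (proxy/tunnel pattern)")
    return reasons if len(reasons) >= 2 else []  # require two indicators to reduce noise

def suspicious_tunnels(text: str) -> list[tuple[str, str, int, list[str]]]:
    """Return (src, dst, dport, reasons) for every flow with tunnel indicators."""
    hits = []
    for f in parse_flows(text):
        reasons = tunnel_indicators(f)
        if reasons:
            hits.append((f.src, f.dst, f.dport, reasons))
    return hits
```

A legitimate long scp of a backup to an off-campus host will match just as well, so hits are triage candidates for the helpdesk or NOC, not automatic blocks.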
