Educause Security Discussion mailing list archives
FW: Ports/applications permitted for Guest Access
From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Mon, 19 Sep 2011 08:14:56 -0400
Let me state up-front that we are not currently running this nor have we evaluated this yet, but our Sonicwall firewalls will do SSL deep packet inspection (via man-in-the-middle decryption) and apply the same rules to that encrypted traffic that apply to open protocols (blocked sites, blocked protocols, etc.). That particular capability is a key factor in our next guest network deployment architecture. I am not sure when our testing period will begin, but for those who are in the process of looking for solutions for this problem, you might try an evaluation of it.

And yes, I have seen the remarks about the cost of next-gen firewalls on this list and I agree to a point. You have to make sure that you are not dragging out the hammer to swat the fly. It all depends on your security goals and requirements. In our case (and I think I have mentioned this before on this list), we aggregated several functions into our next-gen firewall that reduced our device count and costs. Not everyone can afford to do this or have an architecture that lends itself to this approach.

And no, I don't get any royalties from the sale of Sonicwall equipment, I am just a happy customer. :-)

Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1

-----Original Message-----
From: Kevin Wilcox [mailto:wilcoxkm () APPSTATE EDU]
Sent: Friday, September 16, 2011 5:32 PM
Subject: Re: Ports/applications permitted for Guest Access

On Sun, Sep 11, 2011 at 1:11 PM, Dave Koontz <dkoontz () mbc edu> wrote:
> As you've discovered, port based firewalls are no longer adequate in today's world. Any application can disguise itself as web traffic (http or https), and many "bad" things do.

I'm curious. For those of you with a Palo Alto or Fortinet or any of the other "we can block by protocol" firewalls, do you allow outbound SSH and HTTPS? If so, have you been able to successfully detect and stop someone from connecting to <an otherwise blocked site> or running <some arbitrarily blocked protocol> when they proxy through an SSH tunnel to an off-campus intermediate/Bastion host?

If you allow outbound SSL VPNs (I'm thinking specifically of OpenVPN), have you been able to detect connections to blocked sites or usage of a blocked protocol when it goes through the SSL tunnel?

kmw

--
Kevin Wilcox
GPEN, GCIH
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259