Re: Closed Network Implementation?

[Harry Hoffman <hhoffman () IP-SOLUTIONS NET>]

Just curiously. How did you know that there wasn't compromised traffic
in those firewall logs that you just continued allowing outbound?

Did you interact with users at all to determine what the business
requirements of the traffic being generated were?

Or are you just talking about servers and not desktop machines?

Cheers,
Harry

On 03/07/2013 11:39 AM, Rick Coloccia wrote:
> On 3/7/2013 11:35 AM, Willis Marti wrote:
> > Glenn,
> >   The key lesson is that with a research university, possibly all
> > higher ed, there is no way to know everything our faculty and staff
> > have cooked up when the rules were less strict. I strongly feel you
> > have to put a device in place without rules to determine what "default
> > deny" would reject, before turning it on.
> +1.
>
> When we moved from open to closed, I put the firewall in a log-all state
> for months before throwing the switch.  I was then able to work out what
> everything was, write appropriate rules, interact with the appropriate
> sysadmins, and make for a very smooth conversion from open to closed.
>
> -Rick