Educause Security Discussion mailing list archives
Re: Closed Network Implementation?
From: Willis Marti <wmarti () TAMU EDU>
Date: Fri, 8 Mar 2013 13:34:59 -0600
One should do it at both border and closer to the target. The border FW provides a basic protection for everyone, and guards against new systems put up without your knowledge or sysadmins that make a mistake. Then you can build on that with localized firewalls around high value targets.

--
Willis Marti
Director and CISO
Networking and Information Security
Texas A&M University

----- Original Message -----
From: "Harry Hoffman" <hhoffman () IP-SOLUTIONS NET>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, March 8, 2013 12:04:00 PM
Subject: Re: [SECURITY] Closed Network Implementation?

I'm curious as to why people do this at the border? Why not just on smaller network segments?

Cheers,
Harry

On 03/08/2013 12:28 PM, Mike Iglesias wrote:
> On 03/07/2013 08:19 AM, Thorpe, Glenn wrote:
>> Hello, I work on the Information Security Team at the University of North Texas System. We are currently moving towards a default deny (closed network) design, and I am reaching out to other institutions to see if they have gone through this process and any roadblocks or lessons learned that could be shared with us. I'd appreciate any input you may have or anyone you could point me to that may be able to discuss this further.
>
> We did this several years ago. We set up a web page that faculty and staff could use to register systems that needed access from off-campus and what ports needed to be opened (they can also open all ports). We also made lists of systems that had been accessed from off-campus and gave it to the school computing staff so they could contact the faculty/staff that were responsible for the systems, make sure they really needed the access, and make sure they were registered before the cut-over date.
>
> We did the cut-over in phases, doing part of our address space in each phase (we have 4 /16 networks). This lessened the issues we had to deal with. Registration changes are made to the border firewall at set times during the day (currently 3 times a day, morning, early afternoon, and evening) if anything has changed since the last update.
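The registration-driven default-deny process Mike Iglesias describes, as an added example rather than anything posted in the thread: owners register a host plus the ports it needs (or all ports), the border rule set is regenerated from that list on a schedule, it is only pushed when the set has changed, and the deny-all is applied one /16 at a time so the cut-over can be staged. The campus networks, registrations, owner labels and iptables-style rule text are all constructed assumptions for illustration.

```python
"""Default-deny border policy generated from a host-registration list.

Added example, not code from the mailing-list thread. Models the process in
Mike Iglesias's reply: self-service registration of hosts and ports, rules
rebuilt at fixed times and pushed only on change, phased cut-over per /16.
All addresses, owners and the rule syntax are constructed for illustration.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed campus address space: four /16s, standing in for the real ones.
CAMPUS_NETWORKS = [ipaddress.ip_network(n) for n in
                   ("10.10.0.0/16", "10.11.0.0/16", "10.12.0.0/16", "10.13.0.0/16")]


@dataclass(frozen=True)
class Registration:
    """One entry submitted through the registration web page."""
    host: str                  # IPv4 address of the registered system
    ports: Tuple[int, ...]     # TCP ports to open from off campus; () means all
    owner: str                 # contact responsible for the system


def validate(reg: Registration) -> ipaddress.IPv4Address:
    """Reject hosts outside campus space and out-of-range ports."""
    addr = ipaddress.ip_address(reg.host)
    if not any(addr in net for net in CAMPUS_NETWORKS):
        raise ValueError(f"{reg.host} is not in campus address space")
    for port in reg.ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port} for {reg.host}")
    return addr


def render_policy(regs: Iterable[Registration],
                  cutover_networks: Sequence[ipaddress.IPv4Network]) -> List[str]:
    """Build an iptables-style rule list for the border firewall.

    Every registration gets ACCEPT rules. Each /16 that has been cut over gets
    a trailing DROP, so unregistered hosts there are closed from off campus,
    while networks not yet in a phase keep their previous exposure.
    """
    rules: List[str] = []
    ordered = sorted(regs, key=lambda r: (ipaddress.ip_address(r.host), r.ports))
    for reg in ordered:
        addr = validate(reg)
        tag = f'-m comment --comment "{reg.owner}"'
        if not reg.ports:
            rules.append(f"-A INBOUND -d {addr} {tag} -j ACCEPT")
        for port in sorted(reg.ports):
            rules.append(f"-A INBOUND -d {addr} -p tcp --dport {port} {tag} -j ACCEPT")
    for net in cutover_networks:
        rules.append(f'-A INBOUND -d {net} -m comment --comment "default deny" -j DROP')
    return rules


def policy_digest(rules: Sequence[str]) -> str:
    """Stable fingerprint of a generated rule set."""
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


def needs_push(rules: Sequence[str], last_digest: Optional[str]) -> bool:
    """True when a scheduled run should touch the firewall at all."""
    return policy_digest(rules) != last_digest


# Constructed sample registrations.
SAMPLE_REGISTRATIONS = [
    Registration("10.10.1.5", (22, 443), "dept-a-webserver"),
    Registration("10.11.7.20", (), "dept-b-legacy-app"),    # all ports
    Registration("10.12.3.9", (3389,), "dept-c-workstation"),
]

# Phase 1 closes the first two /16s; the other two follow in later phases.
PHASE_1 = CAMPUS_NETWORKS[:2]

if __name__ == "__main__":
    rules = render_policy(SAMPLE_REGISTRATIONS, PHASE_1)
    print("\n".join(rules))
    digest = policy_digest(rules)
    print("push needed on first run:", needs_push(rules, None))
    print("push needed when unchanged:", needs_push(rules, digest))
```

Run stand-alone it prints the phase 1 rule set and shows the change check: the first scheduled run pushes, an unchanged registration list does not, and a host outside campus space is rejected at validation rather than silently getting a rule.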
Current thread:
- Closed Network Implementation? Thorpe, Glenn (Mar 07)
- Re: Closed Network Implementation? Willis Marti (Mar 07)
- Re: Closed Network Implementation? Rick Coloccia (Mar 07)
- Re: Closed Network Implementation? Barron Hulver (Mar 07)
- Re: Closed Network Implementation? Leo Song (Mar 08)
- Re: Closed Network Implementation? Rick Coloccia (Mar 08)
- Re: Closed Network Implementation? Harry Hoffman (Mar 08)
- Re: Closed Network Implementation? Rick Coloccia (Mar 08)
- Re: Closed Network Implementation? Rick Coloccia (Mar 07)
- Re: Closed Network Implementation? Willis Marti (Mar 07)
- Re: Closed Network Implementation? Harry Hoffman (Mar 08)
- Re: Closed Network Implementation? Willis Marti (Mar 08)
- Re: Closed Network Implementation? Mike Iglesias (Mar 08)
- Re: Closed Network Implementation? Michael Sinatra (Mar 08)
- Re: Closed Network Implementation? Mike Iglesias (Mar 08)
- Re: Closed Network Implementation? Michael Sinatra (Mar 08)