Educause Security Discussion mailing list archives

Re: Closed Network Implementation?


From: Willis Marti <wmarti () TAMU EDU>
Date: Fri, 8 Mar 2013 13:34:59 -0600

One should do it at both border and closer to the target. The border FW provides a basic protection for everyone, and guards against new systems put up without your knowledge or sysadmins that make a mistake. Then you can build on that with localized firewalls around high value targets.

-- 
Willis Marti
Director and CISO
Networking and Information Security
Texas A&M University

----- Original Message -----
From: "Harry Hoffman" <hhoffman () IP-SOLUTIONS NET>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, March 8, 2013 12:04:00 PM
Subject: Re: [SECURITY] Closed Network Implementation?

I'm curious as to why people do this at the border?

Why not just on smaller network segments?

Cheers,
Harry


On 03/08/2013 12:28 PM, Mike Iglesias wrote:
On 03/07/2013 08:19 AM, Thorpe, Glenn wrote:
Hello,
  I work on the Information Security Team at the University of North Texas System.  We are currently moving towards a default deny (closed network) design, and I am reaching out to other institutions to see if they have gone through this process and any roadblocks or lessons learned that could be shared with us.  I'd appreciate any input you may have or anyone you could point me to that may be able to discuss this further.

We did this several years ago.  We set up a web page that faculty and staff could use to register systems that needed access from off-campus and what ports needed to be opened (they can also open all ports).  We also made lists of systems that had been accessed from off-campus and gave it to the school computing staff so they could contact the faculty/staff that were responsible for the systems, make sure they really needed the access, and make sure they were registered before the cut-over date.  We did the cut over in phases, doing part of our address space in each phase (we have 4 /16 networks).  This lessened the issues we had to deal with.

Registration changes are made to the border firewall at set times during the day (currently 3 times a day, morning, early afternoon, and evening) if anything has changed since the last update.
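The process Mike Iglesias describes above (a registration list that drives the border ruleset, a report of campus hosts already being reached from off-campus so owners can be chased before cut-over, and a scheduled push that only fires when the rules changed) is illustrated below as an added example; it is not code from any poster in this thread or from any of the institutions named. The campus prefixes use the TEST-NET documentation ranges, the registration export and flow records are constructed sample input, the rule syntax is iptables-flavoured, and registered ports are assumed to be TCP.

```python
"""Registration-driven default-deny border ruleset (added illustration).

Assumptions, not from the thread: campus space is two TEST-NET prefixes,
the registration and flow data below are constructed, rules are written in
an iptables-like syntax, and registered ports are TCP.
"""
import hashlib
import ipaddress

# Constructed campus address space (stands in for the "4 /16s" in the thread).
CAMPUS_NETS = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("198.51.100.0/24")]

ALL_PORTS = "all"

# Constructed registration export: host, owner, ports ("all" opens everything).
REGISTRATIONS = """\
203.0.113.10  jsmith   22,443
203.0.113.25  alee     all
198.51.100.7  rchen    80,443
"""

# Constructed flow records (src, dst, dport) as seen at the border before cut-over.
FLOWS = """\
192.0.2.44    203.0.113.10  22
192.0.2.44    203.0.113.10  3389
192.0.2.99    198.51.100.7  443
192.0.2.99    198.51.100.31 5900
203.0.113.50  203.0.113.31  445
"""


def parse_registrations(text):
    """Return {host: set(ports) or ALL_PORTS} from the registration export."""
    regs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _owner, ports = line.split()
        ipaddress.ip_address(host)  # reject malformed entries before they reach the firewall
        regs[host] = ALL_PORTS if ports == ALL_PORTS else {int(p) for p in ports.split(",")}
    return regs


def on_campus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def offcampus_access_report(flow_text):
    """Map each campus host to the ports reached from off-campus sources."""
    report = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        if on_campus(src) or not on_campus(dst):
            continue  # campus-internal or outbound traffic is not the border's concern here
        report.setdefault(dst, set()).add(int(dport))
    return report


def unregistered_hosts(report, regs):
    """Campus hosts reached from off-campus that nobody has registered yet."""
    return sorted(h for h in report if h not in regs)


def is_allowed(regs, dst, dport):
    """Border decision for inbound traffic: default deny unless registered."""
    ports = regs.get(dst)
    if ports is None:
        return False
    return ports == ALL_PORTS or dport in ports


def generate_rules(regs):
    """Explicit accepts per registration, then a drop for each campus prefix."""
    rules = []
    for host in sorted(regs, key=ipaddress.ip_address):
        ports = regs[host]
        if ports == ALL_PORTS:
            rules.append(f"-A BORDER_IN -d {host} -j ACCEPT")
        else:
            plist = ",".join(str(p) for p in sorted(ports))
            rules.append(f"-A BORDER_IN -d {host} -p tcp -m multiport --dports {plist} -j ACCEPT")
    for net in CAMPUS_NETS:
        rules.append(f"-A BORDER_IN -d {net} -j DROP")  # the closed-network default
    return rules


def ruleset_digest(rules):
    """Digest the scheduled push compares against the last one to skip a no-op reload."""
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


if __name__ == "__main__":
    regs = parse_registrations(REGISTRATIONS)
    report = offcampus_access_report(FLOWS)
    print("chase before cut-over:", unregistered_hosts(report, regs))
    print("\n".join(generate_rules(regs)))
```

Run three times a day from cron, the push step would regenerate the rules, compare `ruleset_digest` with the stored digest from the previous run, and only reload the border when they differ. Note that `is_allowed` and `generate_rules` make the same decision from the same registration data, so the access report can be checked against the ruleset before cut-over to find the hosts that would be cut off.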




