Educause Security Discussion mailing list archives
Re: Firewall Policy in the Age of NGFW
From: "King, Ronald A." <raking () NSU EDU>
Date: Tue, 2 Jul 2019 13:31:39 +0000
* Do you use a default deny for your trusted network to the Internet?
- No

* If no, and you allow anything out, why did you make that choice, and how has this been working for you?
- We have policies that block blacklisted IPs, certain URLs, WINS, MSRPC, DHCP, malware, TOR, BitTorrent, proxies, (non-enterprise) VPNs and other malicious or should-not-be-on-the-Internet traffic. Then we allow end-user devices to the Internet. With so many potential applications that one type of device uses (such as Apple everything and game consoles), we didn't have the resources to get that granular. Servers are a different story.

* Have you converted your entire FW rule base to application-aware rules, or are you using a mix?
- Most are. We did have challenges with streaming content from inside to the Internet. So those are old-fashioned port-based policies.

* Are you using the PA feature, where it can automatically allow applications that PA deems low risk?
- Nope. Thanks. I just learned something new.

SSL decryption takes some getting used to. Once you decrypt, you now see the app within the tunnel and have to allow it too.

Good luck!

Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hahues, Sven
Sent: Tuesday, July 2, 2019 8:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Policy in the Age of NGFW

Hi everyone,

I wanted to get a feel for what everyone is doing these days. Before moving to our current PAs we used to write firewall rules specifically for TCP/UDP ports. With moving to the PAs we are now running into some philosophical questions as to how to manage this moving forward. I wanted to collect some feedback on the following:

* Do you use a default deny for your trusted network to the Internet?
* If yes, do you manually add new applications when people call and say an app stopped working after your vendor releases an application signature?
* If no, and you allow anything out, why did you make that choice, and how has this been working for you?
* Have you converted your entire FW rule base to application-aware rules, or are you using a mix?
* Are you using the PA feature, where it can automatically allow applications that PA deems low risk?

We are currently running a mixed environment, but find ourselves chasing our tail quite a bit when it comes to them adding new applications. Suddenly apps that previously worked under SSL will no longer work, due to the fact that a new application has been created. This can get a bit tricky because we did not know the app was being used and now we have to make a decision on whether it is okay or not.

Thanks in advance and any feedback is much appreciated.

Sven

Sven Hahues
Florida Gulf Coast University
Tel: (239) 590 1337
E-Mail: shahues () fgcu edu
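To make the trade-off discussed in this thread concrete, here is an added example that is not code from either poster and is not PAN-OS configuration: a toy first-match, application-aware policy engine in Python. The signature sets, the application names (example-video, tor, and so on), the zone names and the two rule bases are constructed assumptions. It shows three things the messages above describe: a flow that a default-deny rule base allows as "ssl" is dropped after a vendor signature update reclassifies it; a block-then-allow rule base of the kind Ron describes keeps the same flow working; and once SSL decryption is on, the application inside the tunnel needs its own allow rule.

```python
"""Toy model of first-match, application-aware egress policy.

Constructed example: the App-ID names, signature tables, zones and
rules are assumptions for illustration, not a vendor's real catalogue.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str        # "tcp" or "udp"
    dst_port: int
    sni: str = ""        # TLS server name, if the flow carries one
    inner_app: str = ""  # what the payload is once decrypted (constructed)

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                     # "allow" or "deny"
    apps: frozenset = frozenset()   # empty = any application
    ports: frozenset = frozenset()  # empty = any (protocol, port)

DEFAULT_DENY = ("deny", "<implicit default deny>")

# Constructed signature databases before and after a vendor update.
SIGS_V1 = {
    "port": {("tcp", 443): "ssl", ("tcp", 80): "web-browsing",
             ("udp", 53): "dns", ("tcp", 9001): "tor"},
    "sni": {},
}
SIGS_V2 = {
    "port": SIGS_V1["port"],
    # The update adds a dedicated signature keyed on SNI (assumption).
    "sni": {"video.example.com": "example-video"},
}

def identify(flow: Flow, sigs: dict, decrypt: bool) -> list:
    """Sequence of App-IDs the firewall assigns over the session's life.

    Without decryption it classifies on SNI, then port. With decryption an
    "ssl" session shifts to the application inside the tunnel, so both
    identities are matched against policy.
    """
    app = (sigs["sni"].get(flow.sni)
           or sigs["port"].get((flow.protocol, flow.dst_port), "unknown-tcp"))
    seen = [app]
    if decrypt and app == "ssl" and flow.inner_app:
        seen.append(flow.inner_app)
    return seen

def first_match(flow: Flow, app: str, rules: list) -> tuple:
    """Top-down first match; nothing matched means the implicit deny."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if r.apps and app not in r.apps:
            continue
        if r.ports and (flow.protocol, flow.dst_port) not in r.ports:
            continue
        return (r.action, r.name)
    return DEFAULT_DENY

def evaluate(flow: Flow, rules: list, sigs: dict, decrypt: bool = False) -> tuple:
    """(action, rule, app): the session survives only if every App-ID it
    is classified as is allowed; the first deny ends it."""
    verdict = DEFAULT_DENY + ("",)
    for app in identify(flow, sigs, decrypt):
        action, name = first_match(flow, app, rules)
        verdict = (action, name, app)
        if action != "allow":
            break
    return verdict

# Rule base A: application-aware default deny, with one port-based leftover.
ALLOWLIST = [
    Rule("allow-web", "trust", "untrust", "allow",
         frozenset({"web-browsing", "ssl", "dns"})),
    Rule("allow-rtmp-legacy", "trust", "untrust", "allow",
         ports=frozenset({("tcp", 1935)})),
]

# Rule base B: block known-bad, then let end-user devices out.
BLOCK_THEN_ALLOW = [
    Rule("block-tunnels", "trust", "untrust", "deny",
         frozenset({"tor", "bittorrent", "open-proxy"})),
    Rule("block-internal-protocols", "trust", "untrust", "deny",
         ports=frozenset({("udp", 137), ("tcp", 135), ("udp", 67)})),
    Rule("allow-end-users", "trust", "untrust", "allow"),
]

VIDEO = Flow("trust", "untrust", "tcp", 443,
             sni="video.example.com", inner_app="example-video")
TOR = Flow("trust", "untrust", "tcp", 9001)

def demo() -> dict:
    return {
        "allowlist_before_update": evaluate(VIDEO, ALLOWLIST, SIGS_V1),
        "allowlist_after_update": evaluate(VIDEO, ALLOWLIST, SIGS_V2),
        "allowlist_with_decrypt": evaluate(VIDEO, ALLOWLIST, SIGS_V1, decrypt=True),
        "block_then_allow_after_update": evaluate(VIDEO, BLOCK_THEN_ALLOW, SIGS_V2),
        "block_then_allow_tor": evaluate(TOR, BLOCK_THEN_ALLOW, SIGS_V2),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} -> {verdict}")
```

The allow-list case is the "chasing our tail" problem: nothing in the rule base changed, only the classifier, and the flow moved from allow-web to the implicit deny. The block-then-allow case trades that operational churn for broader egress, which is why Ron applies it to end-user devices but not to servers.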
Current thread:
- Firewall Policy in the Age of NGFW Hahues, Sven (Jul 02)
- Re: Firewall Policy in the Age of NGFW King, Ronald A. (Jul 02)