Educause Security Discussion mailing list archives
Re: Firewall - Egress Policy
From: Cal Frye <cjf () CALFRYE COM>
Date: Mon, 4 Sep 2006 16:09:04 -0400
Chris Golden ventured to comment, at 9/4/06 11:10 AM:
I am struggling keeping up with outbound firewall rules pertaining to games and other gaming apps (e.g., Ventrilo, TeamSpeak, PS2, Xbox Live). We have a policy allowing approved gaming ports to be opened after 5pm M-F and all day on the weekends. However, as more and more games come out requiring 4,000+ ports, I am starting to think this is pointless. I see the need for filtering out certain ports such as SMTP, SNMP, MS RPC, NetBIOS, SMB/IP, TFTP, IRC (6000-6999), but it would be easier to create rules for these ports and allow others. What are some of your thoughts/policies on this?
I'm with Gary, in that we use our PacketShaper to manage some of this stuff. Specifically with game applications:

1) You'll get no help from most game developers, who consider you the enemy. It's remarkably difficult to obtain server IP/port information on many of these games, etc. They in turn don't understand the shift from default-admit to default-deny firewall administration ;-)

2) You could just shut all these ports off, if your office location is unknown to your students and your underwear is flameproof.

Trying to help these many applications work across a bandwidth manager or firewall nearly requires a stateful and deep-inspection approach to be most effective. Too bad those boxes are more expensive.

For the most part, Oberlin uses firewalls to protect core services from Internet and student users alike, and our edge firewall only filters out the most egregious junk. I apologize in advance for what we let them do to others! (We're improving on our identification of outbound bad traffic, but don't block much by default.)

I think the most important thing we can do is lean on the game developers to improve their transparency and consistency. Ventrilo is currently driving me nuts, in that each server seems to use a different random port, making it very difficult to be kind to them. It's true, if all Ventrilo servers worked on a standard port it would be easier to shut that off, but it would be just as easy to permit it. Of course, if we all were to become hard-nosed about it, everything would switch to port 80, I suppose ;-)

Good question; I don't believe I have the right answer for this question yet, myself.

--
Cal Frye, Network Administrator, Oberlin College
www.ouuf.org, www.calfrye.com, www.pitalabs.com
"I only speak for myself -- that's enough trouble."
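The two egress models the thread contrasts, modelled in Python as an added example (not code from either poster): the current default-deny policy with its 5pm/weekend gaming window, beside the proposed block-list policy that only drops the ports Chris names and lets everything else out. The baseline allowed ports and the "approved gaming ports" list are my assumptions, and the sample flows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Outbound ports the thread names as worth filtering under either model.
# Standard port assignments; "SMB/IP" is taken as SMB over TCP 445.
ALWAYS_BLOCKED = {
    "SMTP": (25, 25), "TFTP": (69, 69), "MS RPC": (135, 135),
    "NetBIOS": (137, 139), "SNMP": (161, 162), "SMB": (445, 445),
    "IRC": (6000, 6999),
}
# Assumption: basic services permitted at all hours under default-deny.
BASELINE_ALLOWED = {(53, 53), (80, 80), (443, 443)}
# Constructed stand-in for the campus "approved gaming ports" list (3074 is Xbox Live).
APPROVED_GAMING = {(3074, 3074), (3784, 3784)}

@dataclass(frozen=True)
class Flow:
    dport: int          # destination port of an outbound connection
    when: datetime      # time the connection was attempted

def matches(port: int, ranges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)

def gaming_window_open(when: datetime) -> bool:
    """After 17:00 Monday-Friday, all day Saturday/Sunday."""
    return when.weekday() >= 5 or when.hour >= 17

def default_deny(flow: Flow) -> bool:
    """Policy in the thread: only listed ports pass, gaming ports only in the window."""
    if matches(flow.dport, ALWAYS_BLOCKED.values()):
        return False
    if matches(flow.dport, BASELINE_ALLOWED):
        return True
    return matches(flow.dport, APPROVED_GAMING) and gaming_window_open(flow.when)

def block_list(flow: Flow) -> bool:
    """Proposed alternative: drop the named bad ports, let everything else out."""
    return not matches(flow.dport, ALWAYS_BLOCKED.values())

def compare(flows):
    """Flows on which the two models disagree: the allow-list maintenance gap."""
    return [f for f in flows if default_deny(f) != block_list(f)]

# Constructed sample flows (4 Sep 2006 is a Monday, 2 Sep 2006 a Saturday).
SAMPLE = [
    Flow(3074, datetime(2006, 9, 4, 12, 0)),   # Xbox Live, Monday noon: window closed
    Flow(3074, datetime(2006, 9, 2, 12, 0)),   # Xbox Live, Saturday noon: window open
    Flow(3074, datetime(2006, 9, 4, 17, 0)),   # Xbox Live, Monday 17:00: window opens
    Flow(51234, datetime(2006, 9, 4, 20, 0)),  # random high port (a Ventrilo server, say)
    Flow(6667, datetime(2006, 9, 2, 12, 0)),   # IRC: blocked either way
    Flow(80, datetime(2006, 9, 4, 12, 0)),     # "everything would switch to port 80"
]
```

Running `compare(SAMPLE)` returns exactly the flows the default-deny list has to be hand-maintained for, which is the burden Chris describes; the port 80 flow passes both models, which is Cal's closing point.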