Educause Security Discussion mailing list archives

Re: Firewall - Egress Policy


From: Cal Frye <cjf () CALFRYE COM>
Date: Mon, 4 Sep 2006 16:09:04 -0400

Chris Golden ventured to comment, at 9/4/06 11:10 AM:
I am struggling keeping up with outbound firewall rules pertaining to
games and other gaming apps (i.e. Ventrilo, TeamSpeak, PS2, Xbox Live).
We have a policy allowing approved gaming ports to be opened after 5pm
M-F and all day on the weekends.  However, as more and more games come
out requiring 4,000+ ports I am starting to think this is pointless.  I
see the need for filtering out certain ports such as SMTP, SNMP, MS RPC,
NetBIOS, SMB/IP, TFTP, IRC (6000-6999) but it would be easier to create
rules for these ports and allow others.

What are some of your thoughts/policies on this?

I'm with Gary, in that we use our PacketShaper to manage some of this stuff.
Specifically with game applications,
1) You'll get no help from most game developers, who consider you the enemy.
It's remarkably difficult to obtain server IP/port information on many of
these games, etc. They in turn don't understand the shift from default-admit
to default-deny firewall administration ;-)
2) You could just shut all these ports off, if your office location is unknown
to your students and your underwear is flameproof.

Trying to help these many applications work across a bandwidth manager or
firewall nearly requires a stateful and deep-inspection approach to be most
effective. Too bad those boxes are more expensive. For the most part, Oberlin
uses firewalls to protect core services from Internet and student users alike,
and our edge firewall only filters out the most egregious junk. I apologize in
advance for what we let them do to others! (we're improving on our
identification of outbound bad traffic, but don't block much by default)

I think the most important thing we can do is lean on the game developers to
improve their transparency and consistency. Ventrilo is currently driving me
nuts, in that each server seems to use a different random port, making it very
difficult to be kind to them. It's true, if all Ventrilo servers worked on a
standard port it would be easier to shut that off, but it would be just as
easy to permit it. Of course, if we all were to become hard-nosed about it,
everything would switch to port 80, I suppose ;-)

Good question; I don't believe I have the right answer for this question yet,
myself.

--
-- Cal Frye, Network Administrator, Oberlin College
    www.ouuf.org,  www.calfrye.com,  www.pitalabs.com

"I only speak for myself -- that's enough trouble."
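The two egress approaches argued over above (Chris's time-windowed allow list for approved gaming ports versus "block the known-bad service ports and permit the rest") are easy to confuse unless they are written down side by side. The following is an added example, not code from either poster or from Oberlin: it models both policies as functions, evaluates them for a given port and time, and renders the default-deny variant as iptables rules using the xt_time match. The blocked service ports are the standard IANA assignments for the services Chris names; the interface name `eth0`, the baseline business ports and the "approved gaming ports" (27015, 3074) are constructed placeholders, not real campus or game values.

```python
"""Model of the time-windowed egress policy discussed in the thread (added example).

Two policies are compared:
  * default_deny: block known-risky ports, allow a baseline of business services,
    and open the approved gaming ports only after 17:00 Mon-Fri and all day Sat/Sun;
  * default_allow: block only the known-risky ports and let everything else out.
"""
from datetime import datetime

# Known-risky outbound services named in the thread (standard IANA ports).
BLOCKED = {
    "tcp": {25: "SMTP", 135: "MS RPC", 137: "NetBIOS", 138: "NetBIOS",
            139: "NetBIOS", 445: "SMB"},
    "udp": {69: "TFTP", 161: "SNMP", 162: "SNMP trap", 137: "NetBIOS", 138: "NetBIOS"},
}
BLOCKED_RANGES = {"tcp": [(6000, 6999, "IRC")]}

# Always-on baseline services (constructed placeholder list).
BASELINE_ALLOW = {"tcp": {22, 80, 443}, "udp": {53, 123}}

# Gaming ports approved for the off-hours window (constructed placeholders).
GAMING_ALLOW = {"tcp": {27015}, "udp": {3074, 27015}}

OUT_IF = "eth0"  # assumed outside interface name


def in_gaming_window(when: datetime) -> bool:
    """True after 17:00 Monday-Friday, or at any time on Saturday/Sunday."""
    if when.weekday() >= 5:  # Monday is 0, so 5 and 6 are Sat and Sun
        return True
    return when.hour >= 17


def is_blocked(proto: str, port: int) -> bool:
    """Port is on the explicit block list or inside a blocked range."""
    if port in BLOCKED.get(proto, {}):
        return True
    return any(lo <= port <= hi for lo, hi, _ in BLOCKED_RANGES.get(proto, []))


def default_deny(proto: str, port: int, when: datetime) -> str:
    """Chris's current policy: deny unless baseline, or gaming inside the window."""
    if is_blocked(proto, port):
        return "deny"
    if port in BASELINE_ALLOW.get(proto, set()):
        return "allow"
    if port in GAMING_ALLOW.get(proto, set()) and in_gaming_window(when):
        return "allow"
    return "deny"


def default_allow(proto: str, port: int, when: datetime) -> str:
    """The alternative Chris floats: block the known-bad ports, permit the rest."""
    return "deny" if is_blocked(proto, port) else "allow"


def iptables_rules() -> list:
    """Render default_deny as FORWARD-chain rules; order matters (first match wins)."""
    base = f"iptables -A FORWARD -o {OUT_IF}"
    rules = []
    for proto, ports in BLOCKED.items():
        for port in sorted(ports):
            rules.append(f"{base} -p {proto} --dport {port} -j DROP")
    for proto, ranges in BLOCKED_RANGES.items():
        for lo, hi, _ in ranges:
            rules.append(f"{base} -p {proto} --dport {lo}:{hi} -j DROP")
    for proto, ports in BASELINE_ALLOW.items():
        for port in sorted(ports):
            rules.append(f"{base} -p {proto} --dport {port} -j ACCEPT")
    # xt_time: weekday evenings and whole weekends. Without --kerneltz the match
    # is evaluated in UTC, so the window is written in the firewall's local time.
    weekday_eve = ("-m time --timestart 17:00 --timestop 23:59:59 "
                   "--weekdays Mon,Tue,Wed,Thu,Fri --kerneltz")
    weekend = "-m time --weekdays Sat,Sun --kerneltz"
    for proto, ports in GAMING_ALLOW.items():
        for port in sorted(ports):
            rules.append(f"{base} -p {proto} --dport {port} {weekday_eve} -j ACCEPT")
            rules.append(f"{base} -p {proto} --dport {port} {weekend} -j ACCEPT")
    rules.append(f"{base} -j DROP")  # default-deny catch-all
    return rules


if __name__ == "__main__":
    monday_noon = datetime(2006, 9, 4, 12, 0)   # the thread's own date, a Monday
    monday_eve = datetime(2006, 9, 4, 18, 0)
    for proto, port in (("udp", 3074), ("tcp", 25), ("tcp", 6667)):
        print(proto, port, default_deny(proto, port, monday_noon),
              default_deny(proto, port, monday_eve), default_allow(proto, port, monday_eve))
    print("\n".join(iptables_rules()))
```

The point the side-by-side makes is the one Cal raises: with the block-list approach, a game that picks a random port above 1024 works without any rule change, but so does everything else, so the time window buys nothing; with default-deny, every new game means a new rule. The rendered rules also show why stateful filtering matters here: the FORWARD chain as written only checks destination ports, so an established-connection rule (`-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`) belongs at the top in a real deployment so that return traffic is not caught by the catch-all drop.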
