Educause Security Discussion mailing list archives

Re: Firewall - Egress Policy


From: Bruce Curtis <bruce.curtis () NDSU EDU>
Date: Tue, 5 Sep 2006 13:10:36 -0500


On Sep 4, 2006, at 10:10 AM, Chris Golden wrote:

I am struggling keeping up with outbound firewall rules pertaining to
games and other gaming apps (i.e. Ventrilo, Teamspeak, PS2, Xbox Live).
We have a policy allowing approved gaming ports to be opened after 5pm
M-F and all day on the weekends.  However, as more and more games come
out requiring 4,000+ ports I am starting to think this is pointless.  I
see the need for filtering out certain ports such as SMTP, SNMP, MS RPC,
NetBIOS, SMB/IP, TFTP, IRC (6000-6999) but it would be easier to create
rules for these ports and allow others.

What are some of your thoughts/policies on this?

Thanks,
Chris


  We use a quota system in the Residence Halls, as do many other
Universities.  As a result the students who live in the Residence
Halls can play games or use their share of the bandwidth as they
wish, but if they exceed their quota then their traffic is throttled.

  As a result we don't have to worry about ports etc.  The
presentation below has links to info about quota systems at several
other universities.

  http://www.greatplains.net/conference/Network-Quotas.ppt



  We have no firewall at the edge of the network.  As a result our
network is very reliable and video, multicast, etc. work well.  We
are not alone in thinking that with thousands of people leaving
campus with laptops and returning the next day a firewall at the
perimeter does not provide much protection, and that the resources
spent on a perimeter firewall would provide better security if
applied elsewhere, such as Host IPS software like Blink from eEye or
Cisco CSA, etc., on servers.

  The Jericho Forum has some interesting materials.


https://www.opengroup.org/projects/jericho/uploads/40/10862/JF0602.pdf

  See slide 32 for a list of Jericho Forum members in 2005.
http://www.opengroup.org/projects/jericho/uploads/40/7607/Maymtg2005.pdf

https://www.opengroup.org/projects/jericho/uploads/40/8381/JerichoPres_nb050801.pdf

http://www.opengroup.org/projects/jericho/documents.tpl?CALLER=index.tpl

http://staff.washington.edu/gray/papers/credo.html

"Firewalls a dangerous distraction says expert"
http://www.techworld.com/security/news/index.cfm?NewsID=3992

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1191993,00.html


Two quotes from the article below.

"Infosecurity 2006: Security professionals overwhelmingly agreed that
network border security is becoming an anachronism"

"The debate ended with a vote from the audience of security
professionals, who overwhelmingly agreed that responsible security
architecture should be based on deperimeterisation."

http://news.zdnet.co.uk/internet/0,39020369,39265750,00.htm

  Mention of Host IPS.

http://isc.sans.org/diary.php?date=2005-08-23


---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
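
The two egress postures Chris describes, as a small policy model added here as an example (it is not code from either poster or from NDSU): a default-deny chain that opens approved gaming ports only after 5pm M-F and all day on weekends, beside the default-allow alternative that keeps only the short always-blocked list. It assumes Linux iptables with the `xt_time` match (`-m time`) as the enforcement point; the port numbers are the well-known ones for the services Chris names, except IRC, where his own 6000-6999 range is kept, and the gaming port ranges are constructed placeholders. The decision function evaluates a single outbound flow in the same order the rendered chain would.

```python
"""Egress policy model: an always-blocked list plus time-windowed gaming ports.
Constructed example; port numbers for the gaming class are placeholders."""

from datetime import datetime

# (service, protocol, first port, last port).  Services are the ones named in
# the thread; numbers are the well-known ones, except IRC (thread's 6000-6999).
ALWAYS_BLOCK = [
    ("smtp", "tcp", 25, 25),
    ("snmp", "udp", 161, 162),
    ("msrpc", "tcp", 135, 135),
    ("netbios", "tcp", 137, 139),
    ("netbios", "udp", 137, 139),
    ("smb", "tcp", 445, 445),
    ("tftp", "udp", 69, 69),
    ("irc", "tcp", 6000, 6999),
]

# Placeholder "approved gaming" ranges (constructed, not any real game's ports).
GAMING = [
    ("example-voice", "udp", 40000, 40100),
    ("example-console", "tcp", 40200, 40200),
]

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri")
WEEKEND = ("Sat", "Sun")
OPEN_HOUR = 17  # "after 5pm M-F"


def in_range(entries, proto, port):
    """True if proto/port falls inside any (name, proto, lo, hi) entry."""
    return any(p == proto and lo <= port <= hi for _, p, lo, hi in entries)


def gaming_window_open(when: datetime) -> bool:
    """Weekends all day; weekdays from 17:00 until midnight (local time)."""
    if when.weekday() >= 5:  # Mon=0 ... Sat=5, Sun=6
        return True
    return when.hour >= OPEN_HOUR


def egress_decision(proto, port, when, posture="default-deny"):
    """Evaluate one outbound flow in firewall order: block list first, then
    (default-deny only) the time-windowed gaming allowances, then the default."""
    if in_range(ALWAYS_BLOCK, proto, port):
        return "drop"
    if posture == "default-allow":
        return "accept"  # "create rules for these ports and allow others"
    if in_range(GAMING, proto, port):
        return "accept" if gaming_window_open(when) else "drop"
    return "drop"


def _ports(lo, hi):
    return str(lo) if lo == hi else f"{lo}:{hi}"


def render_iptables(posture="default-deny", chain="EGRESS"):
    """Emit iptables commands for the same policy.  --kerneltz makes the time
    match use the kernel's local time zone instead of UTC."""
    lines = [f"iptables -N {chain}"]
    for name, proto, lo, hi in ALWAYS_BLOCK:
        lines.append(f"iptables -A {chain} -p {proto} --dport {_ports(lo, hi)} -j DROP  # {name}")
    if posture == "default-deny":
        for name, proto, lo, hi in GAMING:
            base = f"iptables -A {chain} -p {proto} --dport {_ports(lo, hi)} -m time --kerneltz"
            lines.append(f"{base} --weekdays {','.join(WEEKDAYS)} "
                         f"--timestart {OPEN_HOUR:02d}:00 --timestop 23:59:59 -j ACCEPT  # {name}")
            lines.append(f"{base} --weekdays {','.join(WEEKEND)} -j ACCEPT  # {name}")
    lines.append(f"iptables -A {chain} -j {'DROP' if posture == 'default-deny' else 'ACCEPT'}")
    return lines


if __name__ == "__main__":
    for posture in ("default-deny", "default-allow"):
        print(f"# {posture}")
        print("\n".join(render_iptables(posture)))
        print()
```

In a real deployment the chain would be hooked from FORWARD behind a `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule so only new flows are evaluated. The point of the comparison is that the always-blocked list is the part of the policy that survives a move to default-allow unchanged; the time-windowed gaming rules are the part that grows with every new game.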
