Educause Security Discussion mailing list archives
Re: Firewall - Egress Policy
From: Bruce Curtis <bruce.curtis () NDSU EDU>
Date: Tue, 5 Sep 2006 13:10:36 -0500
On Sep 4, 2006, at 10:10 AM, Chris Golden wrote:
I am struggling keeping up with outbound firewall rules pertaining to games and other gaming apps (i.e. Ventrilo, Teamspeak, PS2, Xbox Live). We have a policy allowing approved gaming ports to be opened after 5pm M-F and all day on the weekends. However, as more and more games come out requiring 4,000+ ports I am starting to think this is pointless. I see the need for filtering out certain ports such as SMTP, SNMP, MS RPC, NetBIOS, SMB/IP, TFTP, IRC (6000-6999), but it would be easier to create rules for these ports and allow others. What are some of your thoughts/policies on this?

Thanks,
Chris
We use a quota system in the Residence Halls, as do many other universities. As a result the students who live in the Residence Halls can play games or use their share of the bandwidth as they wish, but if they exceed their quota then their traffic is throttled. As a result we don't have to worry about ports etc. The presentation below has links to info about quota systems at several other universities.

http://www.greatplains.net/conference/Network-Quotas.ppt

We have no firewall at the edge of the network. As a result our network is very reliable and video, multicast etc. works well. We are not alone in thinking that with thousands of people leaving campus with laptops and returning the next day a firewall at the perimeter does not provide much protection, and that the resources spent on a perimeter firewall would provide better security if applied elsewhere, such as Host IPS software like Blink from eEye or Cisco CSA etc. on servers.

The Jericho Forum has some interesting materials.

https://www.opengroup.org/projects/jericho/uploads/40/10862/JF0602.pdf

See slide 32 for a list of Jericho Forum members in 2005.

http://www.opengroup.org/projects/jericho/uploads/40/7607/Maymtg2005.pdf
https://www.opengroup.org/projects/jericho/uploads/40/8381/JerichoPres_nb050801.pdf
http://www.opengroup.org/projects/jericho/documents.tpl?CALLER=index.tpl
http://staff.washington.edu/gray/papers/credo.html

"Firewalls a dangerous distraction says expert"
http://www.techworld.com/security/news/index.cfm?NewsID=3992

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1191993,00.html

Two quotes from the article below.

"Infosecurity 2006: Security professionals overwhelmingly agreed that network border security is becoming an anachronism"

"The debate ended with a vote from the audience of security professionals, who overwhelmingly agreed that responsible security architecture should be based on deperimeterisation."

http://news.zdnet.co.uk/internet/0,39020369,39265750,00.htm

Mention of Host IPS.
http://isc.sans.org/diary.php?date=2005-08-23

---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
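The two approaches discussed in this thread, a short egress deny-list with a time window for approved gaming ports (Chris's current policy) and a per-host bandwidth quota that throttles rather than blocks (Bruce's alternative), can be modelled side by side. The following is an added illustration, not code from either poster or from any campus network: the flow records, the two sample hosts, the "approved gaming ports" set and the 100 MB quota are all constructed, and the port numbers for the named services are the well-known assignments, not a ruleset from the thread.

```python
"""Toy egress policy evaluator for the two strategies discussed in the thread.

Decision order for each outbound flow:
  1. deny if the destination port is a service that should never leave campus
  2. deny if it is an approved gaming port but outside the allowed time window
  3. otherwise count the bytes against the source host's quota and mark the
     flow "throttle" once the host is over quota, "allow" otherwise
All sample data below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Services named in the original question, mapped to their well-known ports.
DENIED_PORTS = {
    "smtp": {25},
    "snmp": {161, 162},
    "ms-rpc": {135},
    "netbios": {137, 138, 139},
    "smb": {445},
    "tftp": {69},
    "irc": set(range(6000, 7000)),   # the 6000-6999 range from the question
}

# Hypothetical "approved gaming ports" subject to the after-hours window.
GAMING_PORTS = {27015, 3074}


@dataclass
class Flow:
    src_host: str
    dst_port: int
    nbytes: int
    when: datetime


def denied_service(port):
    """Name of the denied service this port belongs to, or None."""
    for name, ports in DENIED_PORTS.items():
        if port in ports:
            return name
    return None


def gaming_window_open(when):
    """Policy from the question: gaming ports open after 5pm Mon-Fri, all day Sat/Sun."""
    if when.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return when.hour >= 17


class QuotaTracker:
    """Per-host byte accounting; a host over quota is throttled, not blocked."""

    def __init__(self, quota_bytes):
        self.quota = quota_bytes
        self.used = defaultdict(int)

    def account(self, flow):
        """Add the flow's bytes and report whether the host is now over quota."""
        self.used[flow.src_host] += flow.nbytes
        return self.used[flow.src_host] > self.quota


def evaluate(flows, quota_bytes):
    """Return a (decision, reason) pair for each flow, in input order."""
    tracker = QuotaTracker(quota_bytes)
    results = []
    for f in flows:
        svc = denied_service(f.dst_port)
        if svc:
            results.append(("deny", f"denied service {svc}"))
            continue
        if f.dst_port in GAMING_PORTS and not gaming_window_open(f.when):
            results.append(("deny", "gaming port outside approved window"))
            continue
        # Only traffic that actually leaves the network counts against the quota.
        if tracker.account(f):
            results.append(("throttle", f"{f.src_host} over quota"))
        else:
            results.append(("allow", "ok"))
    return results


# Constructed sample flows (2006-09-04 is a Monday, 2006-09-09 a Saturday).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", 25, 2_000, datetime(2006, 9, 4, 10, 0)),           # SMTP -> deny
    Flow("10.1.1.5", 27015, 50_000_000, datetime(2006, 9, 4, 10, 0)),   # Monday 10:00 -> deny
    Flow("10.1.1.5", 27015, 50_000_000, datetime(2006, 9, 4, 18, 0)),   # Monday 18:00 -> allow
    Flow("10.1.1.5", 443, 80_000_000, datetime(2006, 9, 5, 9, 0)),      # 130 MB total -> throttle
    Flow("10.1.1.9", 6667, 500, datetime(2006, 9, 9, 12, 0)),           # IRC -> deny
    Flow("10.1.1.9", 3074, 10_000_000, datetime(2006, 9, 9, 12, 0)),    # Saturday -> allow
]
QUOTA_BYTES = 100_000_000   # constructed 100 MB quota


def run_sample():
    """Decisions for the constructed flows: deny, deny, allow, throttle, deny, allow."""
    return [decision for decision, _ in evaluate(SAMPLE_FLOWS, QUOTA_BYTES)]


if __name__ == "__main__":
    for flow, (decision, reason) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS, QUOTA_BYTES)):
        print(f"{flow.src_host} -> port {flow.dst_port}: {decision} ({reason})")
```

The ordering matters: the deny-list is evaluated before quota accounting so that blocked traffic never eats into a host's allowance, and the quota check never produces a hard block, which is what lets the quota approach stay indifferent to which ports a game happens to use.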
Current thread:
- Firewall - Egress Policy Chris Golden (Sep 04)
- <Possible follow-ups>
- Re: Firewall - Egress Policy Gary Flynn (Sep 04)
- Re: Firewall - Egress Policy Cal Frye (Sep 04)
- Re: Firewall - Egress Policy Jack Suess (Sep 04)
- Re: Firewall - Egress Policy Steve Lovaas (Sep 05)
- Re: Firewall - Egress Policy Bruce Curtis (Sep 05)