Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall


From: "Jenkins, Matthew" <mjenkins7 () FAIRMONTSTATE EDU>
Date: Wed, 1 Nov 2006 10:36:45 -0500

All faculty/staff that require remote access into boxes here must use a
VPN connection which utilizes two-factor authentication.  We have found
in the past that allowing exceptions cascades into everyone wanting
remote access to boxes on the inside network.  I would recommend placing
a policy in effect that states that all remote access be tunneled
through a VPN, whether it be IPSEC, PPTP, SSH, etc.  Policies can be
placed on the VPN to grant that user access to only their IP addresses
on the inside network.  When we have servers or other devices that
departments require multiple external users to have access to (i.e.
public servers, lab demonstration units for students, etc.) we place
them outside the network and require the department to firewall their
equipment.


Matt


Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu <http://www.fairmontstate.edu/>
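The per-user VPN policy Matt describes (each remote user may reach only the inside addresses assigned to them, everything else denied) can be expressed as a small default-deny rule table. The following is an added example, not code or configuration from the original post or from Fairmont State; the user names, inside addresses, ports and VPN pool addresses are constructed for illustration, and the iptables output assumes the VPN concentrator pins each user to a fixed tunnel address so that the source address identifies the user.

```python
"""Per-user VPN access policy with default deny.

Added example, not code from the original post. All users, addresses and
ports below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Constructed policy: VPN user -> list of (inside CIDR, allowed TCP ports).
# A /32 is the usual case ("the box under their desk"); a wider prefix is
# shown only to demonstrate network matching.
POLICY = {
    "jdoe":   [("10.20.5.17/32", {22, 3389})],
    "asmith": [("10.20.5.40/32", {22}), ("10.20.9.0/24", {5432})],
}


@dataclass(frozen=True)
class Rule:
    user: str
    dst: ipaddress.IPv4Network
    ports: frozenset


def compile_policy(policy):
    """Validate the policy table and turn it into Rule objects.

    strict=True makes ip_network() reject entries such as 10.20.9.5/24 whose
    host bits are set, a common typo that would otherwise silently widen
    the grant to the whole /24.
    """
    rules = []
    for user, entries in policy.items():
        for cidr, ports in entries:
            net = ipaddress.ip_network(cidr, strict=True)
            rules.append(Rule(user, net, frozenset(ports)))
    return rules


def is_allowed(rules, user, dst_ip, dst_port):
    """Default deny: permit only if a rule for this user covers dst_ip and dst_port.

    Another user's grant never helps: the user name is part of the match, so
    the "everyone wants access once one person has it" cascade has no path
    through the policy engine.
    """
    ip = ipaddress.ip_address(dst_ip)
    return any(
        r.user == user and ip in r.dst and dst_port in r.ports
        for r in rules
    )


def render_iptables(rules, vpn_addr_by_user):
    """Emit iptables FORWARD rules for the VPN gateway.

    vpn_addr_by_user maps each user to the fixed tunnel address the VPN
    assigns them (assumption: the concentrator pins users to addresses).
    The trailing DROP makes the chain default deny.
    """
    lines = []
    for r in rules:
        src = vpn_addr_by_user[r.user]
        for port in sorted(r.ports):
            lines.append(
                f"iptables -A FORWARD -s {src} -d {r.dst.with_prefixlen} "
                f"-p tcp --dport {port} -j ACCEPT"
            )
    lines.append("iptables -A FORWARD -j DROP")
    return lines


if __name__ == "__main__":
    rules = compile_policy(POLICY)
    # Constructed VPN pool assignments, one fixed address per user.
    for line in render_iptables(rules, {"jdoe": "10.99.0.2", "asmith": "10.99.0.3"}):
        print(line)
```

The policy check and the rendered rules come from the same table, so a reviewer can audit one document rather than a firewall chain and a VPN profile that have drifted apart; the two-factor requirement in the post is enforced at VPN login and is outside what this table models.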


________________________________

From: David Buckley [mailto:david () CLEMSON EDU] 
Sent: Wednesday, November 01, 2006 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Too Many Exceptions in the Firewall


Hello All,


I would like to solicit the input of this list concerning some recent
issues we are having with incoming faculty. We have recently hired some
"high profile" faculty who were sought out by the administration to help
compete on a national level. The problem that we have is the moment the
new faculty members arrive, they begin screaming because their systems
under their desks are not accessible from outside and we are impeding
their research. We have a perimeter firewall that does not accept any
inbound un-initiated requests. We attempt to offer centralized services
for web hosting, database services, etc. The problem seems to be that
the faculty want to be able to touch the systems providing the hosting
and be able to show off their quad-core Apple servers pulsing in their
office. They also go right to the top (CIO) and fuss, causing him in turn
to ask us to fix it immediately...therefore causing the firewall
exception. Our worry is that this exception will soon be (or already is)
out of hand and faculty will spread the word of these exceptions. I know
that not everyone supports perimeter firewalls, but that has been our
best solution for the time being considering manpower/resources. Some
questions I have on this are:


How are you dealing with these issues? Do you have a policy that
addresses this?


Do you have SLAs that address this?


How do you reveal the responsibility for the data to the department?


Has anyone delegated firewall exceptions to the discretion of the
department? Does that work well?


What other protections do you have in place to augment the security for
the exceptions?


Also, if anyone has transitioned from perimeter firewalls to a more
layered approach, please describe your migration steps.


Thanks,


David Buckley, CISSP

Security Consultant

Clemson University

