Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall


From: Bob Kehr <rskehr () UCDAVIS EDU>
Date: Wed, 1 Nov 2006 09:56:21 -0800

What are you using for end-point security so that unmanaged outside systems
don't compromise the internal network through the VPN?

Bob Kehr
University of California, Davis

  _____

From: Jenkins, Matthew [mailto:mjenkins7 () FAIRMONTSTATE EDU]
Sent: Wednesday, November 01, 2006 7:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Too Many Exceptions in the Firewall
All faculty/staff that require remote access into boxes here must use a VPN
connection which utilizes two-factor authentication.  We have found in the
past that allowing exceptions cascades into everyone wanting remote access
to boxes on the inside network.  I would recommend placing a policy in
effect that states that all remote access be tunneled through a VPN, whether
it be IPSEC, PPTP, SSH, etc.  Policies can be placed on the VPN to grant
that user access to only their IP addresses on the inside network.  When we
have servers or other devices that departments require multiple external
users to have access to (i.e. public servers, lab demonstration units for
students, etc.) we place them outside the network and require the department
to firewall their equipment.



Matt


Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at http://www.fairmontstate.edu/
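
The per-user restriction described in the message above (a VPN account may reach only its owner's own addresses on the inside network, everything else denied) can be expressed as a small default-deny policy table. The following is an added example written for this page, not Fairmont State's configuration or any VPN product's native policy language; the usernames, internal addresses, ports and the key=value log format are constructed for illustration.

```python
"""Default-deny VPN access policy: each VPN user may reach only the
internal addresses (and ports) assigned to them; anything else is denied.

Added example, not code from the Educause thread. The usernames,
addresses, ports and log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network   # internal host or subnet the user may reach
    ports: frozenset                 # allowed destination ports; empty means any port


def rule(cidr, *ports):
    return Rule(ipaddress.ip_network(cidr), frozenset(ports))


# Constructed policy: VPN username -> rules. A user absent from this table
# has no access at all (default deny).
POLICY = {
    "jsmith": (rule("10.20.30.41/32", 22, 3389),),   # own desktop box only
    "lab-demo": (rule("10.20.40.0/28"),),            # demonstration subnet, any port
}


def is_allowed(user, dst_ip, dst_port):
    """True only if some rule for `user` covers dst_ip and dst_port.
    Unknown users, malformed addresses and uncovered destinations are denied."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    for r in POLICY.get(user, ()):
        if addr in r.network and (not r.ports or dst_port in r.ports):
            return True
    return False


# Constructed sample of VPN connection attempts in a key=value log format
# (assumed format, not taken from any particular VPN product).
SAMPLE_LOG = """\
2006-11-01T09:30:02 user=jsmith dst=10.20.30.41 dport=22
2006-11-01T09:31:17 user=jsmith dst=10.20.30.42 dport=22
2006-11-01T09:32:05 user=jsmith dst=10.20.30.41 dport=80
2006-11-01T09:40:44 user=lab-demo dst=10.20.40.9 dport=8080
2006-11-01T09:41:10 user=lab-demo dst=10.20.40.17 dport=8080
2006-11-01T09:45:00 user=mallory dst=10.20.30.41 dport=22
2006-11-01T09:46:30 user=jsmith dst=not-an-ip dport=22
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def audit(log_text):
    """Evaluate each log line against POLICY; returns a list of
    (user, dst, port, 'allow'|'deny') tuples. Unparseable lines are denied."""
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            decisions.append(("?", "?", 0, "deny"))
            continue
        user, dst, port = m["user"], m["dst"], int(m["port"])
        verdict = "allow" if is_allowed(user, dst, port) else "deny"
        decisions.append((user, dst, port, verdict))
    return decisions


if __name__ == "__main__":
    for user, dst, port, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:5s} {user:9s} -> {dst}:{port}")
```

The point of the shape is that the table is the only place access is granted: a request from an unknown account, to an address outside the user's own hosts, to a port not listed, or with a malformed destination all fall through to deny. In practice the same table would be rendered into the VPN concentrator's per-user ACLs or into host firewall rules on the internal side, which keeps the perimeter rule set itself free of per-faculty exceptions.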

  _____

From: David Buckley [mailto:david () CLEMSON EDU]
Sent: Wednesday, November 01, 2006 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Too Many Exceptions in the Firewall

Hello All,

I would like to solicit the input of this list concerning some recent issues
we are having with incoming faculty. We have recently hired some "high
profile" faculty who were sought out by the administration to help compete
on a national level. The problem that we have is the moment the new faculty
members arrive, they begin screaming because their systems under their desks
are not accessible from outside and we are impeding their research. We have
a perimeter firewall that does not accept any inbound un-initiated requests.
We attempt to offer centralized services for web hosting, database services,
etc. The problem seems to be that the faculty wants to be able to touch the
systems providing the hosting and be able to show off their quad-core Apple
servers pulsing in their office. They also go right to the top (CIO) and
fuss, causing him in turn to ask us to fix it immediately, therefore causing
the firewall exception. Our worry is that this exception will soon be (or
already is) out of hand and faculty will spread the word of these
exceptions. I know that not everyone supports perimeter firewalls but that
has been our best solution for the time being considering
manpower/resources. Some questions I have on this are:

How are you dealing with these issues? Do you have a policy that addresses
this?

Do you have SLA's that address this?

How do you reveal the responsibility for the data to the department?

Has anyone delegated firewall exceptions to the discretion of the
department? Does that work well?

What other protections do you have in place to augment the security for the
exceptions?

Also, if anyone has transitioned from perimeter firewalls to a more layered
approach, please describe your migration steps.

Thanks,

David Buckley, CISSP
Security Consultant
Clemson University
