Educause Security Discussion mailing list archives
Re: Too Many Exceptions in the Firewall
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 2 Nov 2006 19:57:00 +1300
David,

We have had some form of firewalling since we joined the internet back in the late '80s; at that time it was mainly aimed at controlling who could go out (international traffic cost $1US per MB -- NZ's international link was an analog phone line to Hawaii) and at blocks on the standard stuff others have referred to. Over the years we have gone from Cisco ACLs to TAMU Drawbridge and now we use OBSD's pf. We still have our list of banned ports, which includes all the usual suspects, and a default deny policy.

The firewall is managed via a home grown web app backed by a MySQL database (as has been the case since we installed Drawbridge in the early '90s). This app allows departmental IT support staff to configure the firewall for the addresses that they are responsible for (the same app allows configuration of DNS, DHCP and other network related stuff). This isn't something that standard firewall management software will do for you :(

The default access is open outbound access (modulo the banned list), which an admin can enable by checking one box and a pulldown list. This covers over 90% of systems. If they want to make services available then they may do so by checking additional boxes for common services (ssh, rdp, http(s), imap(s) etc.) or by filling in a text box with something like [tcp-999-in]. For servers we recommend that the access pulldown is set to no access (the default is outbound access) and that just those ports that are really necessary should be open (most servers don't need outbound access! and this has saved some machines that did get compromised, because the attacker could not connect out to get their tool kits installed).

The key to this system is that the departmental IT support staff are the ones who get to say who gets what and do the actual configuration. They are generally in a much better position to know what a researcher really needs than anyone in central IT and, even more importantly, they are the ones who get to pick up the pieces if things come unstuck. I am very pleased (and rather proud, since I have either done or overseen its development for over 15 years) at the way this system works for us. It seems to strike the right balance between security of the organisation and freedom for the individual researchers.

This system is backed up by extensive monitoring based on argus and snort along with substantial chunks of perl :) and now ruby.

I have not done any stats recently but last time I looked we had about 7500 systems with access to the internet. About 7000 of those had no inbound access configured. If you then took out http, pop and imap (and 'secure' variants) we are left with about 100 machines. We are currently looking at adding unwrapped pop and imap to our inbound block list.

We also have a Cisco VPN concentrator and an ssh gateway box; both use 2fa (or can do in the case of the VPN -- general staff get addresses from one pool; admins, DBAs etc. get addresses from another pool which can then get access through various internal firewalls. The latter requires 2fa.)

I mentioned that we had internal firewalls. Last year we installed an expensive set of FW1 boxes that provide multiple virtual firewalls between VLANs (yes, I'm well aware of the limitations of VLANs as security devices) and we have begun the painful process of migrating servers into their appropriate 'zones'. The big problem here is that the folk who manage the servers do not view this as a high priority task and we (security) can't do it on our own even if we had the time. We do have support from top level management but those same managers also want their fancy new apps delivered on time, so production folk go for things that produce visible results and moving things behind a firewall isn't it.

While I'm on the topic of implementing internal firewalls I will state (just in case it isn't obvious to everyone) that this is a real PITA. We are a PeopleSoft shop and the whole system really assumes that it sits in a single trusted network. Finding out just how the various modules interact with each other often involves actually monitoring the traffic on the wire since no docs exist. Oracle is a nightmare which, by default, wants to use all high numbered ports and figuring out how many it really needs is non-trivial.

Cheers, Russell
University
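The per-host model Russell describes (default deny, a banned-port list, an "outbound or none" access setting, checkbox services, and a free-text `[tcp-999-in]` form) maps directly onto a small rule generator. The Ruby below is an added example written for this archive page; it is not the University of Auckland's web app or any of its code. The banned-port list, the service table, the interface name `em0`, the host records and the `[proto-port-in]` grammar are all constructed assumptions for the illustration. It also reproduces the kind of summary quoted in the post (how many hosts have no inbound access, how many have inbound access beyond web and mail).

```ruby
# Added example, not the University of Auckland's firewall app.
# Generates OpenBSD pf rules from per-host records of the kind the post describes.
# All lists and records below are constructed for the example.

BANNED_PORTS = {                       # constructed "usual suspects" block list
  "tcp" => [135, 137, 138, 139, 445, 1433],
  "udp" => [137, 138, 1434],
}
COMMON_SERVICES = {                    # the checkbox services; constructed table
  "ssh" => ["tcp", 22], "rdp" => ["tcp", 3389], "http" => ["tcp", 80],
  "https" => ["tcp", 443], "imap" => ["tcp", 143], "imaps" => ["tcp", 993],
}
WEB_MAIL = %w[http https pop pops imap imaps]

# Parse the free-text form "[tcp-999-in]" into [proto, port].
# Returns nil for anything that does not match, so bad input never becomes a rule.
def parse_port_spec(spec)
  m = spec.match(/\A\[(tcp|udp)-(\d{1,5})-in\]\z/)
  return nil unless m
  port = m[2].to_i
  (1..65535).cover?(port) ? [m[1], port] : nil
end

# Rules for one host record:
#   { addr:, access: "outbound" | "none", services: [...], custom: ["[tcp-999-in]", ...] }
# A host with access "none" gets no "pass out" rule at all, which is the server
# recommendation in the post (a compromised box cannot fetch its tool kit).
def host_rules(record)
  addr  = record[:addr]
  rules = []
  rules << "pass out quick on $ext_if from #{addr} to any keep state" if record[:access] == "outbound"

  inbound = record.fetch(:services, []).map { |s| COMMON_SERVICES.fetch(s) }
  record.fetch(:custom, []).each do |spec|
    parsed = parse_port_spec(spec)
    raise ArgumentError, "bad port spec #{spec.inspect} for #{addr}" unless parsed
    inbound << parsed
  end
  inbound.each do |proto, port|
    rules << "pass in quick on $ext_if proto #{proto} from any to #{addr} port #{port} keep state"
  end
  rules
end

# Whole ruleset: "block all" is the default-deny catch-all; the banned-port blocks
# carry "quick" and sit before every pass rule, so no per-host setting can override them.
def generate_pf(records)
  lines = ['ext_if = "em0"', "block all"]
  BANNED_PORTS.each do |proto, ports|
    list = ports.join(", ")
    lines << "block in quick on $ext_if proto #{proto} from any to any port { #{list} }"
    lines << "block out quick on $ext_if proto #{proto} from any to any port { #{list} }"
  end
  records.each { |r| lines.concat(host_rules(r)) }
  lines
end

# Summary of the sort quoted in the post: hosts with no inbound access at all,
# and hosts whose inbound access goes beyond http/https/pop/imap.
def summarize(records)
  no_inbound = records.count { |r| r.fetch(:services, []).empty? && r.fetch(:custom, []).empty? }
  beyond = records.count do |r|
    (r.fetch(:services, []) - WEB_MAIL).any? || r.fetch(:custom, []).any?
  end
  { total: records.size, no_inbound: no_inbound, beyond_web_mail: beyond }
end

SAMPLE_HOSTS = [                                                   # constructed records
  { addr: "192.0.2.10", access: "outbound", services: [] },                          # typical desktop
  { addr: "192.0.2.20", access: "outbound", services: ["https"] },                   # departmental web server
  { addr: "192.0.2.30", access: "none", services: ["ssh"], custom: ["[tcp-999-in]"] }, # locked-down server
]

if __FILE__ == $0
  puts generate_pf(SAMPLE_HOSTS)
  p summarize(SAMPLE_HOSTS)
end
```

Running the file prints a pf.conf fragment for the three constructed hosts; only the desktop and the web server get a `pass out` rule, and the locked-down server is reachable on tcp/22 and tcp/999 but cannot initiate anything outbound.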
Current thread:
- Too Many Exceptions in the Firewall David Buckley (Nov 01)
- <Possible follow-ups>
- Re: Too Many Exceptions in the Firewall Graham Toal (Nov 01)
- Re: Too Many Exceptions in the Firewall Kellogg, Brian D. (Nov 01)
- Re: Too Many Exceptions in the Firewall Jenkins, Matthew (Nov 01)
- Re: Too Many Exceptions in the Firewall Peter Wan (Nov 01)
- Re: Too Many Exceptions in the Firewall HALL, NATHANIEL D. (Nov 01)
- Re: Too Many Exceptions in the Firewall Mark Rogowski (Nov 01)
- Re: Too Many Exceptions in the Firewall Gary Flynn (Nov 01)
- Re: Too Many Exceptions in the Firewall Bob Kehr (Nov 01)
- Re: Too Many Exceptions in the Firewall Randy Marchany (Nov 01)
- Re: Too Many Exceptions in the Firewall Russell Fulton (Nov 01)
- Re: Too Many Exceptions in the Firewall Pufahl, Jason (Nov 08)
- Re: Too Many Exceptions in the Firewall Michael Sinatra (Nov 10)