Educause Security Discussion mailing list archives

Re: Too Many Exceptions in the Firewall


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 2 Nov 2006 19:57:00 +1300

David,

We have had some form of firewalling since we joined the internet back
in the late '80s, at that time it was mainly aimed at controlling who
could go out (international traffic cost $1US per MB -- NZ's
international link was an analog phone line to Hawaii) and blocks on
the standard stuff others have referred to.  Over the years we have gone
from Cisco ACLs to TAMU Drawbridge and now we use OBSD's pf.  We still
have our list of banned ports which includes all the usual suspects and
a default deny policy.

The firewall is managed via a home-grown web app backed by a MySQL
database (as has been the case since we installed Drawbridge in the
early '90s).  This app allows departmental IT support staff to configure
the firewall for the addresses that they are responsible for (the same
app allows configuration of DNS, DHCP and other network related stuff).

This isn't something that standard firewall management software will do
for you :(

The default access is for open outbound access (modulo the banned list)
which an admin can enable by checking one box and a pulldown list.
This covers over 90% of systems.  If they want to make services
available then they may do so by checking additional boxes for common
services (ssh, rdp, http(s), imap(s) etc.) or by filling in a text box
with something like [tcp-999-in].  For servers we recommend that the
access pulldown is set to no access (the default is outbound access) and
that just those ports that are really necessary should be open (most
servers don't need outbound access! and this has saved some machines
that did get compromised because the attacker could not connect out to
get their toolkits installed).

The key to this system is that the departmental IT support staff are the
ones who get to say who gets what and do the actual configuration.  They
are generally in a much better position to know what a researcher really
needs than anyone in central IT and even more importantly they are the
ones who get to pick up the pieces if things come unstuck.

I am very pleased (and rather proud, since I have either done or
overseen its development for over 15 years) at the way this system works
for us.  It seems to strike the right balance between security of the
organisation and freedom for the individual researchers.  This system is
backed up by extensive monitoring based on Argus and Snort along with
substantial chunks of Perl :) and now Ruby.

I have not done any stats recently but last time I looked we had about
7500 systems with access to the internet.  About 7000 of those had no
inbound access configured.  If you then took out http, pop and imap (and
'secure' variants) we are left with about 100 machines.  We are
currently looking at adding unwrapped pop and imap to our inbound block list.

We also have a Cisco VPN concentrator and an ssh gateway box; both use
2FA (or can do in the case of the VPN: general staff get addresses
from one pool; admins, DBAs etc. get addresses from another pool which can
then get access through various internal firewalls.  The latter requires
2FA).

I mentioned that we had internal firewalls.  Last year we installed an
expensive set of FW1 boxes that provided multiple virtual firewalls
between VLANs (yes, I'm well aware of the limitations of VLANs as
security devices) and we have begun the painful process of migrating
servers into their appropriate 'zones'.  The big problem here is that
the folk who manage the servers do not view this as a high priority task
and we (security) can't do it on our own even if we had the time.  We do
have support from top level management but those same managers also want
their fancy new apps delivered on time, so production folk go for things
that produce visible results and moving things behind a firewall isn't it.

While I'm on the topic of implementing internal firewalls I will state (just
in case it isn't obvious to everyone) that this is a real PITA.  We are
a PeopleSoft shop and the whole system really assumes that it sits in a
single trusted network.  Finding out just how the various modules
interact with each other often involves actually monitoring the traffic
on the wire since no docs exist.  Oracle is a nightmare which, by
default, wants to use all high numbered ports and figuring out how many
it really needs is non-trivial.

Cheers, Russell
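The per-host access model the message describes (default deny; open outbound as the workstation default; servers set to no access with only explicitly granted inbound ports, given either as service checkboxes or as a free-text spec like [tcp-999-in]; and a site-wide banned-port list that wins over any grant) is the kind of thing that is easy to get subtly wrong when a web form turns into firewall rules. The following is an added example, written for this page, of a small generator that turns such a per-host table into OpenBSD pf rules. It is not the University of Auckland's home-grown app or any code from the thread; the banned-port set, the service table, the $ext_if macro, the record layout and the sample hosts are all constructed for the illustration.

```python
"""Toy pf rule generator for a per-host access table (added example).

Each host record carries an access mode ("outbound" = open outbound modulo
the ban list, the workstation default; "none" = no access, the recommended
setting for servers) plus optional inbound service checkboxes and free-text
port specs.  A site-wide banned-port list overrides every grant.
All names, ports and sample hosts below are constructed for the example.
"""
import ipaddress
import re

EXT_IF = "$ext_if"  # pf macro assumed to be defined at the top of pf.conf

# Site-wide ban list: a constructed sample, not the real "usual suspects".
BANNED = {
    "tcp": {135, 137, 138, 139, 445, 1433},
    "udp": {135, 137, 138, 139, 445, 1434},
}

# Checkbox services -> (proto, port); assumed mapping for the example.
SERVICES = {
    "ssh": ("tcp", 22), "rdp": ("tcp", 3389), "http": ("tcp", 80),
    "https": ("tcp", 443), "imap": ("tcp", 143), "imaps": ("tcp", 993),
    "pop": ("tcp", 110), "pops": ("tcp", 995),
}

# Free-text grant: proto-port[-port]-direction, brackets optional.
_SPEC = re.compile(r"^\[?(tcp|udp)-(\d{1,5})(?:-(\d{1,5}))?-(in|out)\]?$")


def parse_spec(spec):
    """Parse 'tcp-999-in' or '[udp-5000-5010-out]' into (proto, lo, hi, dir).

    Raises ValueError on anything malformed so a bad form submission cannot
    silently widen the policy.
    """
    m = _SPEC.match(spec.strip().lower())
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    proto, lo, hi, direction = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    hi = int(hi) if hi is not None else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of order or out of range: {spec!r}")
    return proto, lo, hi, direction


def _check_banned(proto, lo, hi):
    """Refuse a grant that overlaps the ban list instead of relying on rule order."""
    hit = sorted(p for p in BANNED[proto] if lo <= p <= hi)
    if hit:
        raise ValueError(f"{proto} port(s) {hit} are on the banned list")


def _port_expr(lo, hi):
    return str(lo) if lo == hi else f"{lo}:{hi}"


def build_rules(hosts):
    """Turn a list of {addr, mode, services, specs} dicts into pf rule lines."""
    rules = ["# default deny: anything not explicitly passed is dropped",
             "block drop log all"]
    # Ban list first, with 'quick', so it wins over every per-host pass rule.
    for proto, ports in BANNED.items():
        plist = ", ".join(str(p) for p in sorted(ports))
        rules.append(f"block return quick proto {proto} to any port {{ {plist} }}")
    for h in hosts:
        addr = str(ipaddress.ip_address(h["addr"]))  # rejects junk such as 'any'
        rules.append(f"# {addr} mode={h['mode']}")
        if h["mode"] == "outbound":
            rules.append(f"pass out quick on {EXT_IF} from {addr} to any keep state")
        elif h["mode"] != "none":
            raise ValueError(f"unknown access mode {h['mode']!r} for {addr}")
        grants = [(proto, port, port, "in")
                  for proto, port in (SERVICES[s] for s in h.get("services", ()))]
        grants += [parse_spec(s) for s in h.get("specs", ())]
        for proto, lo, hi, direction in grants:
            _check_banned(proto, lo, hi)
            if direction == "in":
                rules.append(f"pass in quick on {EXT_IF} proto {proto} from any "
                             f"to {addr} port {_port_expr(lo, hi)} keep state")
            else:
                rules.append(f"pass out quick on {EXT_IF} proto {proto} from {addr} "
                             f"to any port {_port_expr(lo, hi)} keep state")
    return rules


# Constructed sample table: a desktop, a server with no outbound access, and a
# mail relay that may only open SMTP outbound.
SAMPLE_HOSTS = [
    {"addr": "10.1.2.3", "mode": "outbound"},
    {"addr": "10.1.2.10", "mode": "none", "services": ["ssh", "https"],
     "specs": ["[tcp-999-in]"]},
    {"addr": "10.1.2.11", "mode": "none", "specs": ["tcp-25-out"]},
]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_HOSTS)))
```

Running it prints a pf.conf fragment in which the desktop gets a single outbound pass, the server gets three inbound passes (22, 443, 999) and no outbound rule at all, and the relay gets only an outbound pass to port 25. The generator rejects a grant that overlaps the ban list at submission time rather than leaving it to the 'quick' block rules to win at runtime, so an admin finds out immediately that the checkbox or spec they asked for is not going to take effect.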
