Re: Too Many Exceptions in the Firewall

["Pufahl, Jason" <jason.pufahl () UCONN EDU>]

Mark,

If you could send me the documentation you put together it would be
great.  I have suggested this (in combination with our VPN for non-power
users) but am having difficulty getting buy in.


Thanks,

Jason Pufahl, CISSP
UConn ITS - Information Security
860-486-3743
Jason.Pufahl () UConn edu


> -----Original Message-----
> From: Mark Rogowski [mailto:m.rogowski () UWINNIPEG CA]
> Sent: Wednesday, November 01, 2006 12:03 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Too Many Exceptions in the Firewall
>
> Hi David,
>
> We ran into this issue awhile back when we migrated ourselves to a
> switched network and dropped in our perimeter firewall.  Rather than
> making a bunch of exceptions in the firewall list (there's enough of
> them already) it was decided that these researchers should have their
> own sandbox to play in.
>
> All of the researchers were identified, and their requirements logged.
> Our network group mapped out and created a subnetwork we loosely
> referred to as the Research Network".  These systems were then
logically
> moved to the Research Network where they could play on their own and
> have whatever service they wished open to campus users.
>
> A small Cisco PIX was acquired as an edge firewall and tailored to
> their needs.  The Reseach Network now resides on the 'public' side of
> the main campus' edge firewall and those users in that network have
the
> same priviledges as any other Internet user when accessing campus
> services.
>
> It is made clear to everyone who joins the Research Network what they
> can and cannot do.  The Research Network is governed by a small group
of
> "power users" who meet from time to time to resolve issues and make
> recommendations for improved services.
>
> So far, it was worked well for us.
>
> If you want more info, PM me and I can shoot some docs your way.
>
> Best,
>
>
> Mark Rogowski
> IT Security
> Technology Solutions Centre
> University of Winnipeg
> Ph: (204) 786-9034
>
> > > > David Buckley <david () CLEMSON EDU> 11/01/06 8:24 AM >>>
> Hello All,
>
>
>
> I would like to solicit the input of this list concerning some recent
> issues
> we are having with incoming faculty. We have recently hired some "high
> profile" faculty that was sought out by the administration to help
> compete
> on a national level. The problem that we have is the moment the new
> faculty
> members arrive, they begin screaming because their systems under their
> desks
> are not accessible from outside and we are impeding their research. We
> have
> a perimeter firewall that does not except any inbound un-initiated
> requests.
> We attempt to offer centralized services for web hosting, database
> services,
> etc. The problem seems to be that the faculty wants to be able to
touch
> the
> systems providing the hosting and be able to show off their quad-core
> Apple
> servers pulsing in their office. They also go right to the top (CIO)
> and
> fuss causing him in turn to ask us to fix it immediately.therefore
> causing
> the firewall exception. Our worry is that this exception will soon be
> (or
> already is) out of hand and faculty will spread the word of these
> exceptions. I know that not everyone supports perimeter firewalls but
> that
> has been our best solution for the time being considering man
> power/resources. Some questions I have on this are:
>
>
>
> How are you dealing with these issues? Do you have a policy that
> addresses
> this?
>
>
>
> Do you have SLA's that address this?
>
>
>
> How do you reveal the responsibility for the data to the department?
>
>
>
> Has anyone delegated firewall exceptions to the discretion of the
> department? Does that work well?
>
>
>
> What other protections do you have in place to augment the security
for
> the
> exceptions?
>
>
>
> Also, if anyone has transitioned from perimeter firewalls to a more
> layered
> approach, please describe your migration steps.
>
>
>
> Thanks,
>
>
>
> David Buckley, CISSP
>
> Security Consultant
>
> Clemson University