Educause Security Discussion mailing list archives
Re: Too Many Exceptions in the Firewall
From: "Pufahl, Jason" <jason.pufahl () UCONN EDU>
Date: Wed, 8 Nov 2006 15:31:32 -0500
Mark,

If you could send me the documentation you put together it would be great. I have suggested this (in combination with our VPN for non-power users) but am having difficulty getting buy in.

Thanks,

Jason Pufahl, CISSP
UConn ITS - Information Security
860-486-3743
Jason.Pufahl () UConn edu
-----Original Message-----
From: Mark Rogowski [mailto:m.rogowski () UWINNIPEG CA]
Sent: Wednesday, November 01, 2006 12:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Too Many Exceptions in the Firewall

Hi David,

We ran into this issue a while back when we migrated ourselves to a switched network and dropped in our perimeter firewall. Rather than making a bunch of exceptions in the firewall list (there are enough of them already) it was decided that these researchers should have their own sandbox to play in. All of the researchers were identified, and their requirements logged. Our network group mapped out and created a subnetwork we loosely referred to as the "Research Network". These systems were then logically moved to the Research Network where they could play on their own and have whatever service they wished open to campus users. A small Cisco PIX was acquired as an edge firewall and tailored to their needs. The Research Network now resides on the 'public' side of the main campus' edge firewall and those users in that network have the same privileges as any other Internet user when accessing campus services. It is made clear to everyone who joins the Research Network what they can and cannot do. The Research Network is governed by a small group of "power users" who meet from time to time to resolve issues and make recommendations for improved services. So far, it has worked well for us. If you want more info, PM me and I can shoot some docs your way.

Best,

Mark Rogowski
IT Security
Technology Solutions Centre
University of Winnipeg
Ph: (204) 786-9034

>>> David Buckley <david () CLEMSON EDU> 11/01/06 8:24 AM >>>
Hello All,

I would like to solicit the input of this list concerning some recent issues we are having with incoming faculty. We have recently hired some "high profile" faculty that was sought out by the administration to help compete on a national level. The problem that we have is the moment the new faculty members arrive, they begin screaming because their systems under their desks are not accessible from outside and we are impeding their research. We have a perimeter firewall that does not accept any inbound un-initiated requests. We attempt to offer centralized services for web hosting, database services, etc. The problem seems to be that the faculty wants to be able to touch the systems providing the hosting and be able to show off their quad-core Apple servers pulsing in their office. They also go right to the top (CIO) and fuss, causing him in turn to ask us to fix it immediately, therefore causing the firewall exception. Our worry is that this exception will soon be (or already is) out of hand and faculty will spread the word of these exceptions. I know that not everyone supports perimeter firewalls but that has been our best solution for the time being considering manpower/resources.

Some questions I have on this are:

- How are you dealing with these issues?
- Do you have a policy that addresses this?
- Do you have SLAs that address this?
- How do you reveal the responsibility for the data to the department?
- Has anyone delegated firewall exceptions to the discretion of the department? Does that work well?
- What other protections do you have in place to augment the security for the exceptions?

Also, if anyone has transitioned from perimeter firewalls to a more layered approach, please describe your migration steps.

Thanks,

David Buckley, CISSP
Security Consultant
Clemson University
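The layout Mark describes (a campus edge firewall that drops all unsolicited inbound traffic, with the research hosts moved outside it behind their own small firewall) can be modelled as two separate first-match rule sets. The script below is an added illustration written for this archive, not the University of Winnipeg's or Clemson's configuration; every address, port and rule in it is constructed. It shows the point both posters are circling: a demo box on the research side can be reached from the Internet without touching the campus edge policy, while a research host reaching back into campus gets exactly the access any Internet client gets.

```python
"""Two-firewall model of a 'research network' outside the campus edge.

Added example (hypothetical addresses and rules, not any site's real policy).
Flows are evaluated in the direction they are initiated; both firewalls on the
path must allow a flow for it to succeed, and each one is default-deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CAMPUS_NET = ip_network("10.0.0.0/16")     # constructed: inside the campus edge firewall
RESEARCH_NET = ip_network("192.0.2.0/24")  # constructed: research sandbox, public side (TEST-NET-1)


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR that the initiating host must fall in
    dst: str              # CIDR that the destination must fall in
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    note: str             # why the rule exists (the 'exception register' entry)


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule, or the implicit default-deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action, r.note
    return "deny", "implicit default-deny"


# Campus edge: outbound is open, inbound only to centrally hosted services.
# Note that no per-office server ever needs an entry here.
CAMPUS_EDGE = [
    Rule("10.0.0.0/16", "0.0.0.0/0", None, "allow", "outbound from campus"),
    Rule("0.0.0.0/0", "10.0.5.10/32", 443, "allow", "central web hosting"),
]

# Research-side firewall: the research group decides what it exposes.
RESEARCH_FW = [
    Rule("0.0.0.0/0", "192.0.2.20/32", 22, "allow", "researcher SSH box"),
    Rule("0.0.0.0/0", "192.0.2.20/32", 8080, "allow", "researcher demo web app"),
    Rule("192.0.2.0/24", "0.0.0.0/0", None, "allow", "research outbound"),
]

FIREWALLS = {"campus-edge": CAMPUS_EDGE, "research-fw": RESEARCH_FW}


def hops(src: str, dst: str) -> List[str]:
    """Firewalls a flow crosses, in traversal order (none for traffic inside one network)."""
    s, d = ip_address(src), ip_address(dst)
    if (s in CAMPUS_NET and d in CAMPUS_NET) or (s in RESEARCH_NET and d in RESEARCH_NET):
        return []
    order = []
    if s in RESEARCH_NET:
        order.append("research-fw")   # leaving the sandbox
    if s in CAMPUS_NET or d in CAMPUS_NET:
        order.append("campus-edge")   # leaving or entering campus
    if d in RESEARCH_NET:
        order.append("research-fw")   # entering the sandbox
    return order


def evaluate(src: str, dst: str, dport: int) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Walk the flow through each firewall on its path; stop at the first deny."""
    trail = []
    for name in hops(src, dst):
        action, note = first_match(FIREWALLS[name], src, dst, dport)
        trail.append((name, action, note))
        if action == "deny":
            return "deny", trail
    return "allow", trail


if __name__ == "__main__":
    cases = [
        ("Internet -> research SSH box", "203.0.113.7", "192.0.2.20", 22),
        ("Internet -> server under a campus desk", "203.0.113.7", "10.0.7.42", 22),
        ("research host -> central web hosting", "192.0.2.20", "10.0.5.10", 443),
        ("research host -> campus desk share", "192.0.2.20", "10.0.7.42", 445),
        ("campus user -> research demo app", "10.0.7.42", "192.0.2.20", 8080),
    ]
    for label, src, dst, port in cases:
        verdict, trail = evaluate(src, dst, port)
        print(f"{label}: {verdict}  via {trail}")
```

The first-match loop is deliberately the same for both boxes; what differs is who owns each rule list. The campus edge list stays short no matter how many research servers are exposed, because those exposures are recorded on the research side, where the "power users" group Mark mentions can review them.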