Educause Security Discussion mailing list archives
Re: Questions about Firewall Exceptions
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 15 Mar 2007 11:34:49 -0400
Greg T. Grimes wrote:
I have a few questions about how everyone handles firewall exceptions. I know everyone won't have the same setup as we do, but MSU is looking to have a formal authorization process for exceptions. Thanks in advance.
1. Who manages your firewalls? Central IT, Department IT?
Central IT.
2. Do you require approval for an exception in a firewall for a network?
Yes.
a. If so, who approves?
IT Security Engineering in 99.9% of the cases. Though it's not so much an approval as a sanity check, tactical risk assessment, and potential veto in extreme cases. Approval is the default action.
b. What is the approval process?
We have an Internet default deny policy where campus services are not exposed to the Internet by default. If a faculty or staff member wants to expose a service, they make a request and it's granted by default with some occasional advice on alternatives (e.g. VPN to remote desktop rather than full exposure) and security precautions. If a student makes a request to have a service exposed, it is only granted if it is associated with a JMU academic or business need. We get a handful of such requests a year and at any point in time, there are usually only one or two student servers exposed. Most requests are a result of a misunderstanding about the needs of a particular service. If there are access policies inside of campus that need to be changed, they're dealt with on a case by case basis. Except for requests associated with access to sensitive systems and requests associated with IT provisioning of new services, interior access policy change requests are very rare.
c. Do you use a form?
Faculty and staff have a web form where Internet exposure is requested. We had originally planned to automate the process (the web application checks our network registration database to see if the authenticated person is authorized for the IP address for which exposure is requested) but the work load has been so light, we've left it as a manual process. We do not have a form associated with interior access policy change requests.
3. What exceptions do you allow or disallow?
Generally, a person wanting to expose a service lets us know what service they want exposed. When we switched to the default deny policy, some requested "full exposure". We implemented the default deny policy access rules below the previously existing default permit exception rules. So if a person requests full Internet exposure, by default they don't really get full exposure, only to the extent that our previous policy exposed a system. For example, after "exposure" their netbios, MS-RPC, sun-rpc, SNMP, database, ldap, and backup services will still be protected. The requests for exposure beyond that are very rare and are reviewed on a case by case basis. I can't think of a case where we've refused to expose a service. If we have major concerns, we have always been able to reach consensus about alternatives and/or precautions. We also have an intrusion prevention device on our Internet border that I consider part of our "firewall". We have had only one request for exemption from that protection and that, logically enough, was for a research project involving intrusion detection.
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
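The rule-ordering point in the reply above (the Internet default-deny rules sit below the older service-protection rules, so a host granted "full exposure" still has netbios, MS-RPC, sun-rpc, SNMP, database, ldap and backup ports blocked) is easy to get backwards in a real ruleset. The following is an added illustration written for this archive page, not the JMU firewall configuration or any code from the post's author. It models a first-match policy evaluator; the campus network, host addresses and the exact port numbers used for the database and backup services are assumptions chosen for the example, and the `protections_first` switch exists only to show what goes wrong when the exposure rules are placed above the service-protection rules.

```python
"""First-match firewall policy model: service-protection denies on top,
per-host exposure exceptions in the middle, Internet default deny last.
Added example; addresses and some port numbers are assumed, not from the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed campus prefix (RFC 5737 documentation range), not JMU's real space.
CAMPUS = "192.0.2.0/24"
ANY_PORT = frozenset()  # empty port set means "any destination port"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    dst_net: str           # destination network in CIDR form
    dst_ports: frozenset   # destination ports; ANY_PORT matches every port
    comment: str = ""

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ip_address(dst_ip) in ip_network(self.dst_net)
        return in_net and (not self.dst_ports or dst_port in self.dst_ports)


# The pre-existing "default permit era" exception rules from the post.
# Database and backup port numbers are assumed for the example.
SERVICE_PROTECTION = [
    Rule("deny", CAMPUS, frozenset({135}), "MS-RPC"),
    Rule("deny", CAMPUS, frozenset({137, 138, 139, 445}), "netbios / SMB"),
    Rule("deny", CAMPUS, frozenset({111}), "sun-rpc"),
    Rule("deny", CAMPUS, frozenset({161, 162}), "SNMP"),
    Rule("deny", CAMPUS, frozenset({1433, 1521, 3306, 5432}), "database (assumed ports)"),
    Rule("deny", CAMPUS, frozenset({389, 636}), "ldap"),
    Rule("deny", CAMPUS, frozenset({10000}), "backup agent (assumed port)"),
]


def build_policy(exposures, protections_first: bool = True):
    """exposures: list of (host_ip, ports) granted through the exception
    process; an empty port list means the requester asked for "full exposure".
    Rules are evaluated top-down and the first match wins, so placing the
    exception rules below SERVICE_PROTECTION is what keeps those services
    closed even for a "fully exposed" host."""
    exceptions = [
        Rule("allow", f"{host}/32", frozenset(ports), f"exception for {host}")
        for host, ports in exposures
    ]
    if protections_first:
        policy = SERVICE_PROTECTION + exceptions          # correct ordering
    else:
        policy = exceptions + SERVICE_PROTECTION          # the mistake to avoid
    policy.append(Rule("deny", CAMPUS, ANY_PORT, "Internet default deny"))
    return policy


def evaluate(policy, dst_ip: str, dst_port: int):
    """Return (action, comment) of the first matching rule; deny if none match."""
    for rule in policy:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.comment
    return "deny", "no matching rule"


if __name__ == "__main__":
    # Constructed sample: one "full exposure" host and one host exposed on 22/443.
    policy = build_policy([("192.0.2.10", []), ("192.0.2.20", [22, 443])])
    for ip, port in [("192.0.2.10", 80), ("192.0.2.10", 445),
                     ("192.0.2.20", 443), ("192.0.2.20", 80),
                     ("192.0.2.30", 80)]:
        print(ip, port, evaluate(policy, ip, port))
    wrong = build_policy([("192.0.2.10", [])], protections_first=False)
    print("misordered:", "192.0.2.10", 445, evaluate(wrong, "192.0.2.10", 445))
```

Running the block shows the "fully exposed" host answering on port 80 but still denied on 445 by the netbios rule, the host exposed on 22/443 falling through to the Internet default deny on port 80, and, in the misordered variant, the same exposure rule silently opening 445 because it now precedes the protection rule. Real firewalls that implement "first match wins" (most packet filters do) behave the same way, which is why the post's choice of where to insert the default-deny block matters.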
Current thread:
- Questions about Firewall Exceptions Greg T. Grimes (Mar 14)
- <Possible follow-ups>
- Re: Questions about Firewall Exceptions Michael Hornung (Mar 14)
- Re: Questions about Firewall Exceptions Randy Marchany (Mar 14)
- Re: Questions about Firewall Exceptions Matthew Keller (Mar 15)
- Re: Questions about Firewall Exceptions Gary Flynn (Mar 15)
- Re: Questions about Firewall Exceptions Brenda B Gombosky (Mar 15)
- Re: Questions about Firewall Exceptions Greg T. Grimes (Mar 19)