I'm in an environment where academic and other concerns have 
resulted (thus far) in a policy that encourages full Internet 
access.

With a large population of student computers and the growing 
out-of-the-box enabling of services on all desktop operating 
systems, full Internet access means a substantial amount of risk 
to "unadministered" or mistakenly configured boxes.

So I'm between a rock and a hard place :)

My solution to this is a "user configured firewall". Now I know the 
purists out there will scoff but hear me out. It's better than nothing.

Let's say our default policy is to operate a network with permissive 
access controls to the Internet. Those rules cannot be softened or 
changed by anyone other than an administrator (assuming it's implemented
correctly :)

Then say we lock everything down except for the traditional incoming web 
and email and outgoing tcp. Perhaps 50 internal machines want to be web 
servers and open the firewall up for that service. Maybe a couple hundred 
student machines open up holes for God knows what. But that means thousands
of machines whose owners don't want to run servers but may be doing so by 
mistake have been protected from direct access from the Internet. Adding an 
automated vulnerability scan to any "hole opening" request would further 
improve the situation. All with very little administrative overhead and
fairly light impact on end user accessibility.

The bug in the ointment is this: Can any router or firewall support 
20,000 or so ACLs or rule sets?

I may be able to use various address consolidation mechanisms to reduce 
the rulesets at the cost of security and I may have to be satisfied with 
fairly coarse access controls but I'd still end up with lots of rules with 
a user population approaching 15,000.

How about it? Anyone tried doing this or have any figures?

User Controlled Firewalls:
http://www.jmu.edu/info-security/engineering/proj/fw/personal.htm

Vulnerability Assessment System
http://www.jmu.edu/info-security/engineering/proj/idr/cvas.htm

thanks,

Gary Flynn
Security Engineer
James Madison University
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
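The rule-count question in the post above (how many ACL entries a scheme of per-host "hole opening" requests produces, and what address consolidation buys at the cost of exposing neighbours) can be estimated before touching a router. The following is an added example written for this page; it is not code from the JMU projects linked in the post. It assumes constructed requests in made-up 10.0.0.0/8 addresses, a per-request flag standing in for the automated vulnerability scan the post proposes, and an illustrative "allow in proto/port to net" text form rather than any real vendor ACL syntax.

```python
"""Rule-count estimator for a "user configured firewall".

Owners submit per-host "hole opening" requests; the generator emits the
inbound allow rules and shows how address consolidation trades rule count
against over-exposure (addresses allowed in that never asked to be).
"""
import ipaddress
from collections import defaultdict

# Constructed sample requests: (owner host, protocol, port, passed_scan).
# Addresses are made up (10.0.0.0/8); passed_scan models the automated
# vulnerability scan that gates each request (an assumption, not a JMU API).
REQUESTS = [
    ("10.1.2.10", "tcp", 80, True),
    ("10.1.2.11", "tcp", 80, True),
    ("10.1.2.12", "tcp", 80, True),
    ("10.1.2.13", "tcp", 80, True),
    ("10.1.2.20", "tcp", 80, True),
    ("10.1.2.21", "tcp", 80, False),   # failed the scan: no hole is opened
    ("10.1.2.10", "tcp", 443, True),
    ("10.1.7.5", "tcp", 22, True),
    ("10.1.7.6", "tcp", 22, True),
    ("10.1.9.99", "udp", 27015, True),
]


def approved_hosts(requests):
    """Group scan-approved hosts by service -> {(proto, port): set of addresses}."""
    by_service = defaultdict(set)
    for host, proto, port, passed_scan in requests:
        if passed_scan:
            by_service[(proto, port)].add(ipaddress.ip_address(host))
    return by_service


def consolidate(hosts, prefixlen=32):
    """Turn a set of host addresses into the fewest CIDR networks.

    prefixlen=32 merges only exactly adjacent hosts (no extra exposure).
    A smaller value first rounds each host up to that block size, so the
    ruleset shrinks further but now covers addresses that never asked for
    the hole; that is the "cost of security" of coarse consolidation.
    """
    blocks = [ipaddress.ip_network(f"{h}/{prefixlen}", strict=False) for h in hosts]
    return list(ipaddress.collapse_addresses(blocks))


def build_ruleset(requests, prefixlen=32):
    """Return (rules, overexposure).

    rules: list of (network, proto, port) tuples, one firewall entry each.
    overexposure: addresses the rules admit minus hosts that actually asked.
    """
    rules, overexposure = [], 0
    for (proto, port), hosts in sorted(approved_hosts(requests).items()):
        nets = consolidate(hosts, prefixlen)
        rules.extend((net, proto, port) for net in nets)
        overexposure += sum(n.num_addresses for n in nets) - len(hosts)
    return rules, overexposure


def render(rules):
    """Illustrative text form only; real ACL syntax depends on the box."""
    return [f"allow in {proto}/{port} to {net}" for net, proto, port in rules]


if __name__ == "__main__":
    for plen in (32, 28):
        rules, extra = build_ruleset(REQUESTS, plen)
        print(f"/{plen}: {len(rules)} rules, {extra} unrequested addresses exposed")
        for line in render(rules):
            print("  " + line)
```

With the sample above, exact consolidation (/32) yields 7 rules and exposes nothing beyond the requesting hosts, while rounding each host up to a /28 block cuts that to 4 rules but admits 71 addresses that never asked for a hole. Feeding the generator a real request list gives a concrete rule count to put in front of a router vendor, and the overexposure figure makes the trade-off of coarser access controls explicit instead of guessed.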
