The closest I know to what you are looking for is the Drawbridge 
firewall that is developed and used by Texas A&M University.  
They have to deal with a similar situation.  They however have 
a stronger policy for opening up services than what it sounds 
like you are after.  

See: http://drawbridge.tamu.edu/

I'd also seriously look at their policies as they make a lot of 
sense.  The one I like the most is that a machine must meet a 
specific level of trustworthiness before it's allowed to have 
anything more than incoming SMTP port access.

I'd be seriously worried about any firewall that allowed users to
poke holes in it.  Any holes should be reviewed by a competent 
security person before opening them up.

Gary Flynn wrote:
> 
> I'm in an environment where academic and other concerns have
> resulted (thus far) in a policy that encourages full Internet
> access.
> 
> With a large population of student computers and the growing
> out-of-the-box enabling of services on all desktop operating
> systems, full Internet access means a substantial amount of risk
> to "unadministered" or mistakenly configured boxes.
> 
> So I'm between a rock and a hard place :)
> 
> My solution to this is a "user configured firewall". Now I know the
> purists out there will scoff but hear me out. It's better than nothing.
> 
> Let's say our default policy is to operate a network with permissive
> access controls to the Internet. Those rules cannot be softened or
> changed by anyone other than an administrator (assuming it's implemented
> correctly :)
> 
> Then say we lock everything down except for the traditional incoming web
> and email and outgoing tcp. Perhaps 50 internal machines want to be web
> servers and open the firewall up for that service. Maybe a couple hundred
> student machines open up holes for God knows what. But that means thousands
> of machines whose owners don't want to run servers but may be doing so by
> mistake have been protected from direct access from the Internet. Adding an
> automated vulnerability scan to any "hole opening" request would further
> improve the situation. All with very little administrative overhead and
> fairly light impact on end user accessibility.
> 
> The bug in the ointment is this: Can any router or firewall support
> 20,000 or so ACLs or rule sets?
> 
> I may be able to use various address consolidation mechanisms to reduce
> the rulesets at the cost of security and I may have to be satisfied with
> fairly coarse access controls but I'd still end up with lots of rules with
> a user population approaching 15,000.
> 
> How about it? Anyone tried doing this or have any figures?
> 
> User Controlled Firewalls:
> http://www.jmu.edu/info-security/engineering/proj/fw/personal.htm
> 
> Vulnerability Assessment System
> http://www.jmu.edu/info-security/engineering/proj/idr/cvas.htm
> 
> thanks,
> 
> Gary Flynn
> Security Engineer
> James Madison University
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-- 
|  Bryan Andersen   |   [EMAIL PROTECTED]   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
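The scheme Gary describes (default-deny inbound except web and mail, per-host "holes" opened on request, a vulnerability scan gating each request, and address consolidation to keep the rule count down) is small enough to model. The following is an added example written for this thread; it is not code from either poster, from Drawbridge, or from the JMU projects linked above. The port numbers, the 10.20.0.0/16 campus range and the host addresses are constructed sample values, and the scan result is passed in as a plain boolean since the thread does not describe a scanner interface.

```python
import ipaddress
from collections import defaultdict

# Default inbound policy from the post: only web and mail reach hosts; every
# other inbound connection is dropped. The standard port numbers are an
# assumption; the post only says "web and email".
DEFAULT_INBOUND_PORTS = frozenset({80, 25})


class HoleRegistry:
    """Tracks the inbound exceptions ("holes") users have requested per host."""

    def __init__(self):
        # host address -> set of inbound TCP ports opened for that host
        self.holes = defaultdict(set)
        # (host, port) pairs refused because the automated scan did not pass
        self.rejected = []

    def request_hole(self, host, port, scan_passed):
        """Record a hole for `port` on `host` only when the scan was clean.

        Returns True if the port is (or already was) reachable, False if the
        request was refused. Only administrators change the default policy,
        so a user can never widen anything beyond their own host.
        """
        addr = ipaddress.ip_address(host)
        if port in DEFAULT_INBOUND_PORTS:
            return True  # already reachable under the default policy
        if not scan_passed:
            self.rejected.append((str(addr), port))
            return False
        self.holes[addr].add(port)
        return True

    def per_host_rules(self):
        """One permit rule per (host, port): what a naive ruleset looks like."""
        return sorted(
            (str(addr), port)
            for addr, ports in self.holes.items()
            for port in sorted(ports)
        )

    def consolidated_rules(self):
        """Lossless consolidation: hosts with identical port sets whose
        addresses form a complete aligned block collapse into one CIDR
        prefix, giving one rule per (prefix, port). Nothing is opened for a
        host that did not ask, because collapse_addresses only merges
        blocks that are fully present."""
        by_ports = defaultdict(list)
        for addr, ports in self.holes.items():
            by_ports[frozenset(ports)].append(ipaddress.ip_network(str(addr)))
        rules = []
        for ports, nets in by_ports.items():
            for net in ipaddress.collapse_addresses(nets):
                for port in sorted(ports):
                    rules.append((str(net), port))
        return sorted(rules)


def build_sample_registry():
    """Constructed sample: four adjacent lab hosts open 8080, one student box
    fails its scan for 22, another passes."""
    reg = HoleRegistry()
    for i in range(4):
        reg.request_hole(f"10.20.1.{i}", 8080, scan_passed=True)
    reg.request_hole("10.20.2.10", 22, scan_passed=False)
    reg.request_hole("10.20.2.11", 22, scan_passed=True)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("per-host rules:", len(reg.per_host_rules()))
    print("consolidated rules:", len(reg.consolidated_rules()))
    print("rejected requests:", reg.rejected)
```

The consolidation here is the lossless kind: five per-host permits become two, and a host that never requested a hole is never covered by a prefix. The "at the cost of security" trade-off Gary mentions is the lossy version, where an administrator opens a whole subnet to avoid thousands of /32 entries; that variant is deliberately not implemented, since it is exactly what the scan-gated request is meant to avoid.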