NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Firewall transitional advice (exception management)
From: "Goggins, Patrick" <[log in to unmask]>
Reply-To: The EDUCAUSE Network Management Constituent Group Listserv <[log in to unmask]>
Date: Tue, 24 Sep 2013 19:13:48 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (32 lines)

There are many ways this can be accomplished; some depend on which firewall you have. Some can start open, then slowly classify what needs to be there and eventually drop the rest. Mirror and monitor can often be phased in on a per-VLAN basis.

In general, for our deployment the firewall serves primarily as border patrol: no outside-initiated sessions are allowed to connect unless a manual hole is allowed to a given address and application identification or TCP/UDP port.

Packetfence and the like can perform some firewalling functionality; this is more of a way to protect the campus network(s) from random devices which connect to the network, and it allows for user tracking.

~Patrick

-----Original Message-----
From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:[log in to unmask]] On Behalf Of Michael L. Sheinberg
Sent: Tuesday, September 24, 2013 9:43 AM
To: [log in to unmask]
Subject: [NETMAN] Firewall transitional advice (exception management)

Thanks all for the advice so far on the config management question I posted yesterday.

I have another, unrelated question in regards to the introduction of firewalls from a management perspective. We are on the path towards introducing a firewall in our environment, which includes a lot of people doing internet research and hosting their own servers. I'd like to get feedback from others who went through a similar transition and how they deal with the problem of exception management. In other words, what processes, automated and/or manual, do you all utilize to punch firewall holes for users? I'm concerned that this will be a challenge to maintain in our mixed user environment without some serious upfront design considerations.

My initial thoughts were that we need to get technical and introduce a dynamic VLAN system on our switches to automatically place people in the correct VLANs based on predetermined function. That way we only have to create firewall rules based on network segments. We would still need a system in place to classify machines up front, but after that it seems like less upkeep. Packetfence (an open-source NAC) was a big inspiration for this design.

I'm not certain of all the alternatives, but I imagined some kind of hybrid VPN setup with us creating manual exceptions for certain server ports. I'd like to hear what others in the community do to tackle this issue.

Thanks!
--
--Mike Sheinberg
--

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
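The thread describes two ideas that fit together: a default-deny border firewall where inbound holes are granted per address and port, and segment-based rules that only make sense once machines are classified into function VLANs. The script below is an added example, not code from either poster or from Packetfence, showing how an exception request can be checked against that design before anyone touches the firewall: the destination must sit in a segment designated for hosted servers, the request needs an owner, a justification and an expiry, and expired holes are surfaced for cleanup so the rule base does not grow forever. The segment table, addresses and requests are all constructed for the example; the rendered rule line is vendor-neutral and would be translated to the real firewall's syntax.

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segment table: one VLAN per function, as the dynamic-VLAN design
# in the thread suggests. Only segments flagged hosts_servers may receive
# inbound holes; desktop and wireless segments stay closed from outside.
SEGMENTS = {
    "research-servers": {"network": ip_network("10.20.0.0/24"), "hosts_servers": True},
    "staff-desktops":   {"network": ip_network("10.30.0.0/24"), "hosts_servers": False},
    "student-wifi":     {"network": ip_network("10.40.0.0/22"), "hosts_servers": False},
}

# Longest lifetime a hole may have before it must be re-requested (assumed policy value).
MAX_EXCEPTION_DAYS = 365


@dataclass
class HoleRequest:
    """One request to allow outside-initiated traffic to an inside host/port."""
    owner: str
    dest_ip: str
    proto: str            # "tcp" or "udp"
    port: int
    justification: str
    expires: date


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)   # why it was rejected, if it was
    segment: Optional[str] = None                 # segment the destination falls in


def segment_for(ip: str) -> Optional[str]:
    """Return the name of the segment containing ip, or None if unclassified."""
    addr = ip_address(ip)
    for name, seg in SEGMENTS.items():
        if addr in seg["network"]:
            return name
    return None


def evaluate(req: HoleRequest, today: date) -> Decision:
    """Apply the exception policy; every failed check is recorded as a reason."""
    reasons = []
    seg = segment_for(req.dest_ip)
    if seg is None:
        reasons.append("destination is not in a classified segment")
    elif not SEGMENTS[seg]["hosts_servers"]:
        reasons.append(f"segment {seg} is not designated for hosted servers")
    if req.proto not in ("tcp", "udp"):
        reasons.append("protocol must be tcp or udp")
    if not 1 <= req.port <= 65535:
        reasons.append("port out of range")
    if not req.justification.strip():
        reasons.append("justification is required")
    if req.expires <= today:
        reasons.append("expiry must be in the future")
    elif (req.expires - today).days > MAX_EXCEPTION_DAYS:
        reasons.append(f"expiry exceeds {MAX_EXCEPTION_DAYS} days")
    return Decision(approved=not reasons, reasons=reasons, segment=seg)


def render_rule(req: HoleRequest) -> str:
    """Vendor-neutral rule line; a real deployment maps this to its firewall's syntax."""
    return (f"permit {req.proto} any -> {req.dest_ip}:{req.port}"
            f"  # owner={req.owner} expires={req.expires.isoformat()}")


def expired(requests, today: date):
    """Holes whose expiry has passed; these are the ones to remove from the rule base."""
    return [r for r in requests if r.expires <= today]


if __name__ == "__main__":
    today = date(2013, 9, 24)
    # Constructed sample requests.
    requests = [
        HoleRequest("lab-admin", "10.20.0.15", "tcp", 443, "lab results web server", date(2014, 3, 1)),
        HoleRequest("staff-user", "10.30.0.7", "tcp", 22, "ssh to my desktop", date(2014, 1, 1)),
        HoleRequest("grad-student", "10.20.0.40", "udp", 5000, "", date(2015, 1, 1)),
        HoleRequest("old-project", "10.20.0.9", "tcp", 8080, "retired build server", date(2013, 6, 30)),
    ]
    for r in requests:
        d = evaluate(r, today)
        print("APPROVED " + render_rule(r) if d.approved else f"REJECTED {r.dest_ip}:{r.port} {d.reasons}")
    print("expired:", [r.dest_ip for r in expired(requests, today)])
```

Running it approves only the first request (a server in the research-servers segment with a bounded expiry), rejects the desktop hole on segment grounds, rejects the third request for both a missing justification and an expiry beyond the limit, and lists the long-expired hole for removal. The point of recording reasons rather than a bare yes/no is that the rejection can be sent back to the requester unchanged, which is most of the manual work in an exception process.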
