[unisog] Firewalls for Windows sheep

Arnold, Jamie harnold at binghamton.edu
Mon Feb 10 14:16:05 GMT 2003


Sounds very complicated and admin intensive.  I prefer simple.

Our transition to the PIX has been nearly transparent for the users using
the default policy of open what you need.  Of course, we did some homework
before we went production.  I like the idea of one box to admin.  It has
required *very* little of my time and has had a dramatic effect on our
network performance, not to mention the significantly reduced number of
copyright infringement notices we receive!

-----Original Message-----
From: Shane Williams [mailto:shanew at shanew.net] 
Sent: Sunday, February 09, 2003 3:59 PM
To: unisog at sans.org
Subject: RE: [unisog] Firewalls for Windows sheep


I assume you meant standard procedure for you.  Being in an academic
environment, our department takes the opposite approach.  We lock down what
needs to get locked down and leave the rest open.

While this may place our machines at higher risk, it makes the lives of our
users much easier.  And with the time we save not having people request
this or that port to be opened, we keep machines well-patched and watch the
system with both network- and host-based IDSs.

We use bridging firewalls (No need to alter clients' IP settings) "near" the
edge, but have a DMZ where the primary servers live.  The bridging firewalls
are slightly older Dell boxes running Linux with bridging and IPTables.

Of course, a great deal depends on the geography and needs of your network
and your clients.  What works for us may not be at all appropriate for your
situation.

On Fri, 7 Feb 2003, Arnold, Jamie wrote:

> Standard procedure is to open only what's needed and only to the hosts 
> needed.
> 
> There are many opinions on whether to use an edge device or several 
> departmental devices.  I prefer the edge option.
> 
> j
> 
> -----Original Message-----
> From: STeve Andre' [mailto:andres at msu.edu]
> Sent: Friday, February 07, 2003 3:59 PM
> To: 'unisog at sans.org'
> Subject: [unisog] Firewalls for Windows sheep
> 
> 
>    What do you do on your firewalls for protecting your
> Windows sheep--I mean clients?
> 
>    I'm thinking along the lines of the traditional firewall at the 
> edge of a network which blocks ports.  What is your strategy here--do 
> you block the known vulnerable ports, or take the opposite approach 
> and block most everything opening up only what you know you need?
> 
>    Specific data is great.  I use OpenBSD's pf so those
> would be even cooler to see. ;-)  Any links to places
> that spout their philosophy would be neat too.
> 
> Thanks,  STeve Andre'  (MSU dept of Political Science)
> 

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


