[unisog] Appropriate University/Internet blocks

Smith, Ian Ian.Smith at sjcsf.edu
Thu Jun 17 19:38:07 GMT 2004


We have put in place a "defense-in-depth" architecture:

The first layer is the access routers which have simple ACLs - things
like don't accept traffic on the external interface that comes from the
internal interface address-space.  The Access Router level is where we
would block traffic to or from the entire Internet (which we have done
once, to deal with an out-of-control worm outbreak).  In general, they
are unlimited in the type of packets they allow.

The next layer is the firewalls.  We use a number of stateful firewalls
to provision Internet service to various constituencies on campus and to
terminate some site-to-site VPNs.  This lets us have a fine degree of
control on the kinds of traffic that is allowed into the WAN and out to
the Internet.  Furthermore, they allow for traffic prioritization as a
percentage of available bandwidth.  All our Internet accessible services
are hosted at this level on a DMZ network, with any communication to the
backend server farms wrapped in PKI/IPSec tunnels using web services.
This is also where we do the bulk of our policy enforcement for the
administration and faculty.  In general, they are default-allow for
outbound traffic and default-deny for inbound traffic, with a
people-process in place to ask for special rules and/or access.  We
disallow encrypted-tunnels from the WAN to Internet addresses by policy
and block outbound ports for those protocols at the firewall.  (We get
away with this because we are a very small liberal-arts college with no
CompSci program, I don't think it would work anywhere else.)

The next layer is the choke routers, internal to the WAN, that basically do
traffic control for internal traffic, and have ACLs and route-maps to
segregate the population - no access to the administrative operations
network from the resnet, for example.  These routing tables are how we
manage the traffic paths through our WAN and between the various LANs on
our campuses.  Our user-to-site VPNs are terminated inside this level,
and assigned a special block of addresses, which are treated differently
than on-campus workspace PCs (less off-hours access, tighter mobility
restriction from one part of the network to another, more logging).

Finally, we treat the resnet and wifi networks as un-trusted enclaves.
We have registration-based access-control to the default gateway, which
is a stateful-packet-inspection / P2P-blocking firewall (linux, iptables
and ftwall).  The traffic is shunted directly from this firewall through
the trusted portion of the WAN and delivered to the Internet-facing
firewall using route-maps on internal choke routers.  Any services that
students need to access from the resnet or wifi networks are either on
the web, in the DMZ, or hosted on hardened front-end machines tied into
the system via exclusive ACLs and PKI/IPSec tunnels.


Ian M. Smith
Director of Network Operations
St. John's College
505.984.6129
ian.smith at sjcsf.edu 
www.stjohnscollege.edu
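The four-layer filtering path described above, as an added example that is not part of the original post: a small Python model of the policy decisions each layer makes (anti-spoofing ACL, default-deny inbound / default-allow outbound with tunnel ports blocked, resnet-to-admin segregation, registration-gated P2P-blocking gateway). Address ranges, port sets and zone names are constructed assumptions, not the college's actual configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan and port sets: assumptions for the model, not the real campus configuration.
CAMPUS = ip_network("10.0.0.0/8")
ADMIN = ip_network("10.1.0.0/16")      # administrative operations network
RESNET = ip_network("10.20.0.0/16")    # untrusted enclave (resnet / wifi)
DMZ = ip_network("10.200.0.0/24")      # Internet-accessible services
DMZ_SERVICES = {80, 443}               # the only inbound ports the firewall publishes
TUNNEL_PORTS = {1723, 500, 4500}       # PPTP / IKE / NAT-T: outbound tunnels blocked by policy
P2P_PORTS = {6881, 6882, 6883}         # ports the P2P-blocking resnet gateway drops

def access_router(flow):
    """Layer 1: anti-spoofing ACL on the external interface."""
    if flow["from_internet"] and ip_address(flow["src"]) in CAMPUS:
        return "access-router: internal source address arriving from the Internet"

def perimeter_firewall(flow):
    """Layer 2: stateful firewall, default-deny inbound, default-allow outbound."""
    dst = ip_address(flow["dst"])
    if flow["from_internet"]:
        if dst in DMZ and flow["dport"] in DMZ_SERVICES:
            return None
        return "firewall: inbound default-deny"
    if dst not in CAMPUS and flow["dport"] in TUNNEL_PORTS:
        return "firewall: outbound encrypted tunnel blocked by policy"

def choke_router(flow):
    """Layer 3: internal route-maps/ACLs segregating populations."""
    if ip_address(flow["src"]) in RESNET and ip_address(flow["dst"]) in ADMIN:
        return "choke-router: resnet to administrative network denied"

def resnet_gateway(flow):
    """Layer 4: registration-gated, P2P-blocking gateway for the untrusted enclave."""
    if ip_address(flow["src"]) in RESNET:
        if not flow.get("registered", False):
            return "resnet-gateway: unregistered host"
        if flow["dport"] in P2P_PORTS:
            return "resnet-gateway: P2P port blocked"

def evaluate(flow):
    """Walk the layers in the order the flow would traverse them; the first drop wins."""
    layers = ([access_router, perimeter_firewall, choke_router] if flow["from_internet"]
              else [resnet_gateway, choke_router, perimeter_firewall, access_router])
    for layer in layers:
        verdict = layer(flow)
        if verdict:
            return verdict
    return "permit"
```

Each flow is a dict with src, dst, dport, from_internet and (for resnet hosts) registered; the returned string names the layer that dropped it, which is the useful thing to log when a rule is disputed.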



-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Tom Conley
Sent: Wednesday, June 16, 2004 8:21 AM
To: SECURITY at LISTSERV.EDUCAUSE.EDU; UNIversity Security Operations Group
Cc: watkins at ohio.edu; thomasj4 at ohio.edu; reid at ohio.edu
Subject: [unisog] Appropriate University/Internet blocks

This is a hackneyed old question, but one we are still struggling with:

What is the appropriate level of filtering or port blocking at a
University/Internet border?

Specifically, what ports or packets are y'all (other universities)
currently blocking?  Do you have router configurations that you can
share?  Do you use an IP blacklist?  Are the "blacklist" and "ports list"
permanent or do the blocks "time out" automatically?  How do you manage
all this?

It seems [obvious] that the recommendations made for other industries
are not generally accepted at universities.  But what is acceptable?

Any feedback is appreciated.  Feel free to contact me off-list if you
prefer.

Thanks.

Tom

Tom Conley, CISSP
Network Security
Ohio University
740.593.2264
conleyt at ohio.edu
security at ohio.edu
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog