Campus firewalls -- was Policy for student owned servers in the ResNet

Russell Fulton r.fulton at auckland.ac.nz
Sat Mar 27 10:19:02 GMT 2004


Sorry folks, this has got a bit long-winded and has gone some way from
the original topic so I have changed the subject line.

On Fri, 2004-03-26 at 13:08, Gary Flynn wrote:

> We make exceptions for academic or business needs. To date, we have
> had less than a dozen requests for exceptions so haven't needed a
> complicated process. When we get a request, I request the output of
> MBSA on Windows computers and perform a network vulnerability
> scan on the computer. I then limit the incoming access to only those
> services requested. This manual process obviously wouldn't scale with
> more requests but it's adequate for now.
> 
> I'm looking at ways it might be possible to efficiently extend such a
> policy to "sensitive desktops" throughout campus and maybe even further.
> I remember reading about Texas A&M having such a system using Tiger
> scripts and Drawbridge many years ago.

We do part of this now for all machines on campus -- used to use TAMU
drawbridge but moved to OBSD over Xmas and are very happy with it.  pf
(the OBSD FW) is much more flexible than drawbridge and is also stateful
allowing much better control of incoming UDP and I have just added an
ftp 'helper' so we don't need to open high ports to make both active and
passive ftp work properly. Next release (3.5 due in May) adds the
ability to share state between two load balancing firewalls -- at the
moment we have two bridges in parallel which use spanning tree (i.e.
only one active).

All of this is quite straightforward but behind it we have a home grown
network database system (perl and mysql) that allows Faculty IT support
people to do nearly all their network configuration (IP allocation, dns,
dhcp etc.) and the firewall config through a web interface.  As of right
now we are still using the old drawbridge "access classes"; these are
essentially canned configurations and we now have about 50 of them :(
which is very unwieldy and confusing.  In the next week or so I will be
putting up a new version of the software that will allow detailed
configs for individual machines with port lists being stored in a mysql
table.
The interface is quite simple and for about 90% of servers all that is
needed is to click check boxes in an array of common services on one axis
and 'in', 'out', 'standard' and 'SSL' (where appropriate).

When I last looked there were about 300 systems on campus with services
exposed to the Internet.  Some of these are fairly wide open because
they don't fit any of our canned access classes.  That should change
quickly once the new system is in place.

The long term aim is to link that table to nessus via a perl interface
to drive periodic tailored scans of all exposed servers. This isn't too
high a priority since our experience is that *all* servers (read all
windows systems for a start) on campus have to be patched regardless of
whether they are exposed to the 'Net or not.  Over the last couple of
weeks we have had repeated minor outbreaks of Welchia B.  It took nearly
two months to get on to campus but eventually someone must have brought
in an infected laptop...  One department lost 20 new XP machines, they
must have missed one patch when they set them up (they are now getting
all their machines on to SUS ;) and there have been a scattering over
the rest of the campus -- perhaps another dozen.  Having a good firewall
just slows things down a bit.  But Hey! if it means I have 3 weeks to
get patches deployed instead of 2 before some worm hits us then I'm all
for it.

What I am looking at more closely is processing DHCP logs in near real
time looking for new systems and scanning them for the latest
vulnerabilities or actual infections and dumping the data into a
database. Ultimately it would be nice to automatically shutdown the port
if the machine is infected rather than just getting the dhcp server to
cut off their lease.  (hmm... how to do that on the wireless lan?)  We
would also scan 'old' machines on a periodic basis.
   

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
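As an added illustration of the "check boxes per service, in/out, standard/SSL" table the post describes, here is a small generator that turns such rows into a default-deny pf ruleset. This is example code written for this archive page, not the University of Auckland's own perl/mysql software; it assumes a constructed service catalogue (the `SERVICES` map), hosts in the 192.0.2.0/24 documentation range, and the `flags S/SA keep state` syntax of OpenBSD 3.4-era pf.

```python
"""Turn a per-host service table into pf rules.

Added example, not the home-grown network database from the post: it
assumes one row per (host, service, direction, variant) grant and emits
the pf syntax of the OpenBSD 3.4/3.5 era.
"""
from dataclasses import dataclass

# Service catalogue: standard port and, where one exists, the SSL port.
# Constructed for this example; extend it to match your own service list.
SERVICES = {
    "http": {"standard": 80, "ssl": 443},
    "smtp": {"standard": 25, "ssl": 465},
    "imap": {"standard": 143, "ssl": 993},
    "pop3": {"standard": 110, "ssl": 995},
    "ssh":  {"standard": 22},
    "dns":  {"standard": 53},
}
UDP_SERVICES = {"dns"}   # services that also need a UDP rule


@dataclass(frozen=True)
class Grant:
    """One ticked check box in the web interface (assumed table layout)."""
    host: str        # server address (192.0.2.0/24 is a documentation range)
    service: str     # key into SERVICES
    direction: str   # "in": Internet -> host, "out": host -> Internet
    variant: str     # "standard" or "ssl"


def rules_for(grant, ext_if="$ext_if"):
    """Return the pf rule lines that implement one grant."""
    ports = SERVICES[grant.service]
    if grant.variant not in ports:
        raise ValueError(f"{grant.service} has no {grant.variant} port")
    if grant.direction not in ("in", "out"):
        raise ValueError(f"bad direction {grant.direction!r}")
    port = ports[grant.variant]
    protos = ["tcp"] + (["udp"] if grant.service in UDP_SERVICES else [])
    rules = []
    for proto in protos:
        if grant.direction == "in":
            endpoints = f"from any to {grant.host} port {port}"
        else:
            endpoints = f"from {grant.host} to any port {port}"
        # TCP: create state only on the initial SYN; UDP: plain stateful entry,
        # so replies are allowed without opening high ports in both directions.
        state = "flags S/SA keep state" if proto == "tcp" else "keep state"
        rules.append(
            f"pass {grant.direction} quick on {ext_if} proto {proto} {endpoints} {state}"
        )
    return rules


def generate(grants, ext_if="$ext_if"):
    """Default-deny ruleset: block everything on ext_if, then pass only the grants."""
    body = []
    seen = set()
    key = lambda g: (g.host, g.service, g.direction, g.variant)
    for grant in sorted(grants, key=key):
        for rule in rules_for(grant, ext_if):
            if rule not in seen:       # duplicate grants collapse to one rule
                seen.add(rule)
                body.append(rule)
    header = [f"block in on {ext_if} all", f"block out on {ext_if} all"]
    return header + body


if __name__ == "__main__":
    demo = [
        Grant("192.0.2.10", "http", "in", "standard"),
        Grant("192.0.2.10", "http", "in", "ssl"),
        Grant("192.0.2.10", "smtp", "out", "standard"),
        Grant("192.0.2.20", "dns", "in", "standard"),
    ]
    print("\n".join(generate(demo)))
```

The point of the shape is that a server gets nothing unless a row exists for it, so a machine that "doesn't fit any canned class" cannot end up wide open; the generator refuses combinations the catalogue does not define (ssh over "SSL", for instance) rather than guessing a port.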

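The post's last idea, processing DHCP logs in near real time to find new systems, scan them, and periodically re-scan 'old' machines, is illustrated by the following added example. It is not the author's code; it assumes ISC dhcpd syslog lines of the form `DHCPACK on <ip> to <mac> (<hostname>) via <interface>`, keeps one sqlite3 row per MAC address, and uses constructed log lines (`SAMPLE_LOG`) in place of a live syslog feed. The actual scan (nessus in the post) is left to whatever consumes `due_for_scan()`.

```python
"""Spot new hosts in dhcpd logs and keep a scan schedule for them.

Added example, not the software described in the post. Assumes ISC dhcpd
syslog lines ("DHCPACK on <ip> to <mac> (<hostname>) via <if>") and an
sqlite3 table with first-seen / last-seen / last-scanned times per MAC.
Timestamps are stored as ISO 8601 strings so that string order is time order.
"""
import re
import sqlite3
from datetime import datetime, timedelta

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_ack(line):
    """Return ip/mac/host/iface from a DHCPACK line, or None for any other line."""
    m = ACK_RE.search(line)
    if m is None:
        return None
    lease = m.groupdict()
    lease["mac"] = lease["mac"].lower()   # 00:0C:.. and 00:0c:.. are the same host
    return lease


class LeaseTracker:
    def __init__(self, conn, rescan_after=timedelta(days=7)):
        self.conn = conn
        self.rescan_after = rescan_after
        conn.execute(
            "CREATE TABLE IF NOT EXISTS hosts ("
            " mac TEXT PRIMARY KEY, ip TEXT, hostname TEXT,"
            " first_seen TEXT, last_seen TEXT, last_scanned TEXT)"
        )

    def observe(self, line, now):
        """Feed one syslog line; returns 'new', 'known' or None (not a DHCPACK)."""
        lease = parse_ack(line)
        if lease is None:
            return None
        ts = now.isoformat()
        cur = self.conn.execute(
            "UPDATE hosts SET ip = ?, hostname = ?, last_seen = ? WHERE mac = ?",
            (lease["ip"], lease["host"], ts, lease["mac"]),
        )
        if cur.rowcount:               # an existing row was refreshed
            return "known"
        self.conn.execute(
            "INSERT INTO hosts VALUES (?, ?, ?, ?, ?, NULL)",
            (lease["mac"], lease["ip"], lease["host"], ts, ts),
        )
        return "new"

    def due_for_scan(self, now):
        """(mac, ip) pairs never scanned, or scanned longer ago than rescan_after."""
        cutoff = (now - self.rescan_after).isoformat()
        rows = self.conn.execute(
            "SELECT mac, ip FROM hosts"
            " WHERE last_scanned IS NULL OR last_scanned < ? ORDER BY mac",
            (cutoff,),
        ).fetchall()
        return [tuple(r) for r in rows]

    def record_scan(self, mac, now):
        """Called by the scanner once a host has been checked."""
        self.conn.execute(
            "UPDATE hosts SET last_scanned = ? WHERE mac = ?", (now.isoformat(), mac)
        )


def new_tracker(rescan_days=7):
    """In-memory tracker for tests and demos; use a file path in production."""
    return LeaseTracker(sqlite3.connect(":memory:"), timedelta(days=rescan_days))


# Constructed sample lines in ISC dhcpd syslog format (not real hosts).
SAMPLE_LOG = [
    "Mar 27 09:58:01 dhcp1 dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:cc via fxp1",
    "Mar 27 09:58:01 dhcp1 dhcpd: DHCPACK on 192.0.2.50 to 00:0c:29:aa:bb:cc (lab-pc1) via fxp1",
    "Mar 27 09:59:12 dhcp1 dhcpd: DHCPACK on 192.0.2.51 to 00:0C:29:DD:EE:FF via fxp1",
    "Mar 27 10:03:40 dhcp1 dhcpd: DHCPACK on 192.0.2.50 to 00:0c:29:aa:bb:cc (lab-pc1) via fxp1",
]


def demo():
    """Run the sample log through a tracker; returns observe() results and scan queues."""
    tracker = new_tracker()
    t0 = datetime(2004, 3, 27, 10, 0, 0)
    results = [tracker.observe(line, t0) for line in SAMPLE_LOG]
    queue_now = tracker.due_for_scan(t0)
    tracker.record_scan("00:0c:29:aa:bb:cc", t0)               # scanner handled lab-pc1
    queue_after = tracker.due_for_scan(t0)
    queue_week = tracker.due_for_scan(t0 + timedelta(days=8))  # rescan window has passed
    return results, queue_now, queue_after, queue_week


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Keying on the MAC rather than the IP is what makes a renewed lease show up as "known" instead of a fresh host, while a laptop that was off campus for more than the rescan window comes back onto the queue the next time it acknowledges a lease.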