Bryan Andersen wrote:
>
> The closest I know to what you are looking for is the Drawbridge
> firewall that is developed and used by Texas A&M University.
> They have to deal with a similar situation. They however have
> a stronger policy for opening up services than what it sounds
> like you are after.
>
> See: http://drawbridge.tamu.edu/
Shucks, I haven't looked at the TAMU stuff in a couple
years and need to do so again! It looks like they're
supporting more OSes in their tiger scripts too!
> I'd also seriously look at their policies as they make a lot of
> sense. The one I like the most is that a machine must meet a
> specific level of trustworthiness before it's allowed to have
> anything more than incoming SMTP port access.
The intent would be to tie the ability to open a hole with
acceptable results from a vulnerability scan of the machine in
question.
> I'd be seriously worried about any firewall that allowed users to
> poke holes in it. Any holes should be reviewed by a competent
> security person before opening them up.
Yea, I don't much like it either. But then we give the same
people the ability to run programs on a platform that doesn't
control what those programs do :)
The baseline access controls would be reviewed and would not
be modifiable by the user.
thanks for the response,
gary
>
> Gary Flynn wrote:
> >
> > I'm in an environment where academic and other concerns have
> > resulted (thus far) in a policy that encourages full Internet
> > access.
> >
> > With a large population of student computers and the growing
> > out-of-the-box enabling of services on all desktop operating
> > systems, full Internet access means a substantial amount of risk
> > to "unadministered" or mistakenly configured boxes.
> >
> > So I'm between a rock and a hard place :)
> >
> > My solution to this is a "user configured firewall". Now I know the
> > purists out there will scoff but hear me out. It's better than nothing.
> >
> > Let's say our default policy is to operate a network with permissive
> > access controls to the Internet. Those rules cannot be softened or
> > changed by anyone other than an administrator (assuming it's implemented
> > correctly :)
> >
> > Then say we lock everything down except for the traditional incoming web
> > and email and outgoing tcp. Perhaps 50 internal machines want to be web
> > servers and open the firewall up for that service. Maybe a couple hundred
> > student machines open up holes for God knows what. But that means thousands
> > of machines whose owners don't want to run servers but may be doing so by
> > mistake have been protected from direct access from the Internet. Adding an
> > automated vulnerability scan to any "hole opening" request would further
> > improve the situation. All with very little administrative overhead and
> > fairly light impact on end user accessibility.
> >
> > The bug in the ointment is this: Can any router or firewall support
> > 20,000 or so ACLs or rule sets?
> >
> > I may be able to use various address consolidation mechanisms to reduce
> > the rulesets at the cost of security and I may have to be satisfied with
> > fairly coarse access controls but I'd still end up with lots of rules with
> > a user population approaching 15,000.
> >
> > How about it? Anyone tried doing this or have any figures?
> >
> > User Controlled Firewalls:
> > http://www.jmu.edu/info-security/engineering/proj/fw/personal.htm
> >
> > Vulnerability Assessment System
> > http://www.jmu.edu/info-security/engineering/proj/idr/cvas.htm
> >
> > thanks,
> >
> > Gary Flynn
> > Security Engineer
> > James Madison University
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
> --
> | Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
> | Buzzwords are like annoying little flies that deserve to be swatted. |
> | -Bryan Andersen |
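The design the thread discusses (a default-deny edge policy whose per-host holes are requested by users, gated on a vulnerability scan, with the rule count kept in check by address consolidation) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the list or from JMU or TAMU; the scan severity scale, the freshness and severity thresholds, the baseline rule text and the sample addresses are all constructed assumptions. It shows the gate Gary describes (ownership plus an acceptable recent scan; baseline rules untouched by the request path) and quantifies the trade-off he mentions: lossless prefix aggregation of per-host rules versus coarse /24 aggregation, reporting how many addresses that never asked for a hole would be exposed by the coarse form.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, collapse_addresses, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, int]   # (protocol, port), e.g. ("tcp", 80)


@dataclass
class ScanResult:
    """Summary of a host's latest vulnerability scan (constructed 0..10 severity scale)."""
    host: IPv4Address
    age_days: int
    max_severity: int


@dataclass
class UserFirewallPolicy:
    """Default-deny edge policy whose per-host holes are user-requested but scan-gated."""
    # Baseline rules are admin-only; the request path below never touches them.
    baseline: Tuple[str, ...] = ("permit tcp any any established",
                                 "permit tcp any any eq 25",
                                 "deny ip any any")
    max_scan_age_days: int = 30      # assumed thresholds, not from the thread
    max_severity: int = 3
    holes: Dict[Service, Set[IPv4Address]] = field(default_factory=dict)

    def request_hole(self, owner_of: Dict[IPv4Address, str], requester: str,
                     host: IPv4Address, service: Service,
                     scan: Optional[ScanResult]) -> Tuple[bool, str]:
        """Approve a hole only for the requester's own host and only with a fresh, clean scan."""
        if owner_of.get(host) != requester:
            return False, "requester does not own host"
        if scan is None or scan.host != host:
            return False, "no scan result for host"
        if scan.age_days > self.max_scan_age_days:
            return False, "scan result too old, rescan required"
        if scan.max_severity > self.max_severity:
            return False, f"scan severity {scan.max_severity} exceeds {self.max_severity}"
        self.holes.setdefault(service, set()).add(host)
        return True, "approved"


def exact_rules(hosts: Set[IPv4Address]) -> List[IPv4Network]:
    """Lossless aggregation: /32s are merged only where they fill a whole prefix."""
    return list(collapse_addresses(ip_network(f"{h}/32") for h in hosts))


def coarse_rules(hosts: Set[IPv4Address], prefixlen: int) -> Tuple[List[IPv4Network], int]:
    """Lossy aggregation to a fixed prefix length.

    Returns the rules plus the number of addresses that never asked for the
    hole but are now covered by it: the security cost of consolidation.
    """
    nets = {ip_network(f"{h}/{prefixlen}", strict=False) for h in hosts}
    exposed = sum(n.num_addresses for n in nets) - len(hosts)
    return sorted(nets), exposed


def rule_report(policy: UserFirewallPolicy, prefixlen: int = 24) -> Dict[Service, Tuple[int, int, int]]:
    """Per service: (exact rule count, coarse rule count, addresses over-exposed by coarsening)."""
    report = {}
    for service, hosts in policy.holes.items():
        exact = exact_rules(hosts)
        coarse, exposed = coarse_rules(hosts, prefixlen)
        report[service] = (len(exact), len(coarse), exposed)
    return report


def demo() -> Tuple[UserFirewallPolicy, Dict[str, Tuple[bool, str]]]:
    """Constructed sample: thirteen student hosts asking to be web servers, plus two bad requests."""
    policy = UserFirewallPolicy()
    web: Service = ("tcp", 80)
    owner_of: Dict[IPv4Address, str] = {}
    hosts = [ip_address(f"10.0.0.{i}") for i in list(range(0, 8)) + list(range(16, 20))]
    hosts.append(ip_address("10.0.1.5"))
    decisions: Dict[str, Tuple[bool, str]] = {}
    for n, h in enumerate(hosts):
        owner_of[h] = f"student{n}"
        decisions[str(h)] = policy.request_hole(owner_of, f"student{n}", h, web,
                                                ScanResult(h, age_days=3, max_severity=1))
    # Two requests the gate must refuse: a host with a critical finding, and someone else's host.
    bad = ip_address("10.0.2.9")
    owner_of[bad] = "student99"
    decisions["critical"] = policy.request_hole(owner_of, "student99", bad, web,
                                                ScanResult(bad, age_days=1, max_severity=9))
    decisions["not-owner"] = policy.request_hole(owner_of, "student99", hosts[0], web,
                                                 ScanResult(hosts[0], age_days=1, max_severity=0))
    return policy, decisions


if __name__ == "__main__":
    pol, dec = demo()
    print(dec)
    print(rule_report(pol))   # ("tcp", 80): (3, 2, 499) for the sample above
```

With the sample data, the thirteen approved hosts compile to three lossless rules (a /29, a /30 and a /32) or to two /24 rules that additionally admit 499 addresses whose owners never asked for port 80, which is exactly the "coarse access controls at the cost of security" trade-off the original message anticipates. Per-host scan gating is what keeps the lossless rule count from being the only knob: every approved hole corresponds to a host that passed a recent scan, so a rule budget can be spent on real servers rather than on mistakes.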