Great Circle Associates Firewalls
(May 1994)

Subject: Firewalling a university. (Advice on Firewall politics)
From: yerkes_chuck @ jpmorgan . com
Date: Tue, 24 May 94 10:54:37 EDT
To: firewalls @ greatcircle . com

At my college, we indeed wanted free access to/from the internet.
However, the admin net did not want that free access from the
Internet.

The way to do this would be to have a firewall between the admin net
and the general college network.  This would screen packets and
authenticate incoming connections.

The general network would have a machine doing similar, but with no
authentication - it would simply leave an audit trail of connections.

  You are responsible to the Net for the actions of your users, if only
morally, in my view.  If you have a user who has shown that they can't
be trusted, you have to be able to limit their access (yes, they can
use a different account, but...).  You also may need to shut off access
to certain outsiders.
  To this end, you need 
(1) A use policy. Rice had their OwlNet use policy available at the
    last LISA conference and it's a reasonable starting point.  This
    will essentially lay out your rules and students who break them
    will be denied service.  You need your administration to back you
    on that.  This policy is the LEAST you should have.
(2) A machine to act as a gateway.  If nothing else, it's a router to
    the internet, but a full Unix box (or similar), that is secure,
    will keep track of connections and leave an audit trail.  Besides
    securing, this can be used to justify better resources for your
    department.  Using a screend type of package, you can simply pass
    all packets through.  This means that you are not limiting service,
    simply keeping an eye on them.  Could be Big Brother-like.  Your
    policy (1) must explicitly say that you will never do packet by
    packet monitoring or under what circumstances you *might* do it.
    Protect yourself and your users.

  In summary, firewall your admin net (this means a separate network for 
them) and put a gateway on your WHOLE network.  Create a policy that
outlines the rules by which you expect your users to play and by which
you will play.

  Why would that administration buy in?  Because you are providing
the same server, but you also are protecting the school from legal
actions (even if just a hassle, lawyers cost) and laying down guidelines
for use and punishment for abuse.


Chuck
----
Chuck Yerkes
consultant, JPMorgan.COM
"My opinions are often not ever listened to by my employers and clients
 and therefore are often not held by them."
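The two-tier layout the post describes (an authenticating screen in front of the admin net, a pass-everything audit gateway on the whole college network, plus the ability to cut off a specific inside user or outside host) as a small added simulation; this is not code from the post or from any screend package, and the subnets, hosts and connection attempts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example address plan (hypothetical, not from the post).
ADMIN_NET = ipaddress.ip_network("10.1.0.0/24")    # administration net
COLLEGE_NET = ipaddress.ip_network("10.0.0.0/16")  # general college net
# General-net hosts that have authenticated to the admin-net firewall.
AUTHENTICATED = {ipaddress.ip_address("10.0.5.17")}
# Hosts cut off under the use policy: an untrusted inside user, an abusive outsider.
BLOCKED = {ipaddress.ip_address("10.0.9.3"), ipaddress.ip_address("203.0.113.9")}


@dataclass
class Conn:
    """One connection attempt seen at the gateway."""
    src: str
    dst: str
    dport: int


@dataclass
class Screen:
    """Gateway on the whole network (audit only) plus admin-net firewall."""
    audit: list = field(default_factory=list)

    def decide(self, c: Conn) -> str:
        src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
        # The campus gateway passes everything but records every connection.
        self.audit.append(f"{c.src} -> {c.dst}:{c.dport}")
        # Policy enforcement: a blocked inside user or outsider gets no service.
        if src in BLOCKED or dst in BLOCKED:
            return "DROP"
        # Admin-net firewall: new connections into the admin net only from
        # hosts that have authenticated; admin-net machines may go out freely.
        if dst in ADMIN_NET and src not in ADMIN_NET and src not in AUTHENTICATED:
            return "DROP"
        return "PASS"


def run_sample() -> tuple[list[str], list[str]]:
    """Constructed traffic sample; returns (decisions, audit trail)."""
    s = Screen()
    sample = [
        Conn("10.0.5.17", "10.1.0.5", 22),     # authenticated user -> admin host
        Conn("10.0.7.2", "10.1.0.5", 22),      # unauthenticated student -> admin
        Conn("192.0.2.10", "10.1.0.5", 80),    # Internet -> admin host
        Conn("192.0.2.10", "10.0.3.4", 80),    # Internet -> general college host
        Conn("10.1.0.5", "192.0.2.10", 25),    # admin host outbound
        Conn("10.0.9.3", "192.0.2.10", 23),    # cut-off student outbound
    ]
    return [s.decide(c) for c in sample], s.audit
```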
