I have been tasked with creating a security policy for our institution which
can be implemented in a phased and sane manner. As we are an educational
research institution, our needs are likely to be different from industry.
We are a small institution, and though we do have startup funds, our policy
will need to be maintainable by a small number of people. (some of which have
Also, given the oddness of our network conditions, our solution is likely to
differ from classical textbook cases: We have two Internet Service
Providers, one of which maintains an ATM WAN, and a number of internal
networks, one of which is completely separate and homed to the second ISP.
In addition to this routing pretzel, we have researchers who create new
protocols every month.
I am making a few assumptions after my initial reading on the subject:
* We want a firewall technology to enforce network level policy between
our ISPs and the campus LANs.
* We wish to employ the classic filter model: "deny everything except
that which is explicitly permitted." Additional technology at the
firewall level will likely be required.
* We will want other policies to supplement our firewall which will
include the goal of implementing encryption, and some detailed
host level security among other things.
These are the questions I am currently grappling with:
* I am curious if anyone has experience implementing a security policy,
including firewall, in an educational setting. Screening router
configurations, phased implementation plans, filter order
discussions, firewall topology -- one router vs. two, commercial
product advantages and other pertinent information would be
* Traffic bound to the Internet from our campus largely doesn't
seem to be a security risk -- I am curious what outgoing traffic,
if any, common wisdom would say to restrict. For example
it might be a good idea to say that only IP addresses from
within my domain can pass my router bound for the outside world...
* Incoming traffic from the internet (two ISPs) seems to be
the lion's share of the work. Given that we are a small
research institution distributed across seven divisions, it is
unlikely that we will simply lock everything down at once.
I am looking for discussion of priorities as to which things to do
* In terms of ongoing support costs, each service should be handled
in as simple and elegant a way as possible. I am curious about
implementation options for managing the following in a reasonably
    multicast IP -- MBONE
    ATM -- ISP WAN connecting directly into my campus LAN!
    random research protocol of the week (UDP MPEG to Germany...)
I do have access to vendor web pages, a number of books and articles on the
subject, and if anything, the reading has convinced me that it is easy to
spend many thousands of dollars on snake oil. Given my bizarre requirements,
I recognize it may not be possible to plug all the holes in the initial
release, but I do need to play percentage baseball and make the work count.
In classical terms, I first need to figure out what reasonable objectives
are, then find pragmatic means to meet them. If you have ideas about any
of the esoteric topics above or information regarding security objectives
and implementation for small educational institutions, I would love to
hear from you, private citizens, institutional (institutionalized;-)
employees, and vendors alike.
Thanks in advance
Don Weston Jr.
Network Engineer
Oregon Graduate Institute
don @ edu

Adam Smith's "Wealth of Nations" presupposes infinite natural
resources -- imagine replacing ozone and soil when they're gone