Spring 2010 Internet2 Member Meeting

close
Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID

Your organization not listed? Create a local account to use Internet2 services.

Create SiteID

Implementing Default-Deny While Enabling End-to-End Performance

Time 04/28/10 03:00PM-04:00PM

Session Abstract

Increasingly campuses are required by auditors, policy, or necessity to have a border firewall with default-deny enabled. This situation often results in one of two conditions - 1) the two-port Internet where all traffic is forced to traverse across port 80 and 443, or 2) a border firewall with so many ports opened that it provides little true security benefit. In either case, this often results in a situation where researchers have difficulty testing applications across campuses, where faculty cannot easily access lab resources from home, and where students in the resident facilities cannot operate web-based games that rely on dynamic port configuration.

In 2007 our campus developed and put into operation a user-configurable firewall management tool as we migrating to a default-deny policy on our border firewall. This tool leverages our identity management system and allows those with the role of faculty and staff to exempt devices fully or partially from our firewall restrictions. In fall 2009 this ability was extended to students in our residential facilities. The tool provides an easy to use interface and all the changes to the system occur in real time allowing our users a great deal of flexibility with very little added risk.

The presentation will provide an overview of the tool, how we have leveraged the identity management system and campus WebISO, and the results and feedback we got from users. Finally, we will discuss future plans that will allow faculty to grant off-campus colleagues to create host to host exemptions using the Incommon authentication both for validation and activation of the exemptions.

Speakers

Speaker Jack Suess University of Maryland, Baltimore County

Speaker Damian Doyle University of Maryland, Baltimore County

Secondary tracks System and Network Security for Advanced Networks

gold Sponsors