Implementing Default-Deny While Enabling End-to-End Performance
Time: 04/28/10 03:00PM-04:00PM
Increasingly, campuses are required by auditors, policy, or necessity to operate a border firewall with default-deny enabled. This usually produces one of two outcomes: 1) the "two-port Internet", where all traffic is forced over ports 80 and 443, or 2) a border firewall with so many ports opened that it provides little real security benefit. In either case, researchers have difficulty testing applications across campuses, faculty cannot easily reach lab resources from home, and students in the residential facilities cannot run web-based games that rely on dynamic port configuration.
In 2007 our campus developed and put into operation a user-configurable firewall management tool as we were migrating to a default-deny policy on our border firewall. The tool leverages our identity management system and allows those with the role of faculty or staff to exempt devices fully or partially from our firewall restrictions. In fall 2009 this ability was extended to students in our residential facilities. The tool provides an easy-to-use interface, and all changes take effect in real time, giving our users a great deal of flexibility with very little added risk.
The presentation will provide an overview of the tool, how we have leveraged the identity management system and campus WebISO, and the results and feedback we received from users. Finally, we will discuss future plans that will allow faculty to authorize off-campus colleagues to create host-to-host exemptions, using InCommon authentication both to validate and to activate the exemptions.
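The role-gated exemption model described above, as an added illustration written for this page and not the campus tool's own code: the roles, subnets, port limits and rule syntax are constructed assumptions, and the point is that every self-service exemption is bounded by the requester's role before it is rendered ahead of the final default-deny rule.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical role policy derived from the identity management system.
# Subnets are constructed sample values, not the campus's real addressing.
RESIDENTIAL = ipaddress.ip_network("10.20.0.0/16")
CAMPUS = ipaddress.ip_network("10.0.0.0/8")
ROLE_POLICY = {
    "faculty": {"scope": CAMPUS, "full_allowed": True},
    "staff": {"scope": CAMPUS, "full_allowed": True},
    # Students may only open specific ports, and only on residential hosts.
    "student": {"scope": RESIDENTIAL, "full_allowed": False},
}

@dataclass(frozen=True)
class Exemption:
    owner: str                  # authenticated principal (WebISO login)
    host: str                   # campus address the exemption applies to
    ports: tuple = ()           # empty tuple = full exemption (all ports)
    source: str = "0.0.0.0/0"   # remote side; narrowed for host-to-host cases

def validate(role: str, ex: Exemption) -> None:
    """Raise if the request exceeds what the requester's role may grant."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"role {role!r} may not create exemptions")
    if ipaddress.ip_address(ex.host) not in policy["scope"]:
        raise PermissionError(f"{ex.host} is outside the {role} scope")
    if not ex.ports and not policy["full_allowed"]:
        raise PermissionError(f"{role} may only open specific ports")
    for port in ex.ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port}")

def is_permitted(role: str, ex: Exemption) -> bool:
    """Boolean wrapper around validate() for callers that just need a verdict."""
    try:
        validate(role, ex)
        return True
    except (PermissionError, ValueError):
        return False

def render_rules(exemptions) -> list:
    """Render accepted exemptions as an ordered rule list; default-deny stays last."""
    rules = []
    for ex in exemptions:
        if ex.ports:
            for port in ex.ports:
                rules.append(f"allow from {ex.source} to {ex.host} port {port}  # {ex.owner}")
        else:
            rules.append(f"allow from {ex.source} to {ex.host} any  # {ex.owner}")
    rules.append("deny from any to any")
    return rules
```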
Speakers: Jack Suess, University of Maryland, Baltimore County; Damian Doyle, University of Maryland, Baltimore County
Secondary tracks: System and Network Security for Advanced Networks