
Effective firewall with a Swiss cheese ruleset

17 May 2005 | SearchWindowsSecurity.com


Many administrators spend their time securing Windows at just the network level or just the application level -- and never cross the line from one group to the other. Where does your domain lie, and how do you keep Windows data secure even if the perimeter is compromised? We asked those questions of our ITKnowledge Exchange members. Here is one of the responses.


Effective firewall with a Swiss cheese ruleset

Ross Tuininga
Interim Network Engineer/Manager
Bates Technical College
Tacoma, Wash.

My experience is that network security policies vary widely depending on the organization.

In the Intel lab where I used to work we tightly controlled what could go where. When Internet Security Systems came in to evaluate our setup they were surprised that we knew precisely what we were allowing. They said it was common for them to set up an environment like ours and have security gradually deteriorate until the net was mostly open within a few years.

The situation is entirely different where I work now. There was no firewall in place when I came to Bates Technical College. However, state auditors require firewalls for all state colleges, and I was told that we were ahead of most in terms of implementation. Given some of the documents I have seen, it is clear that my manager wanted a firewall in place a year earlier than it was implemented -- but like many small IT organizations, we have a very small staff doing the best they can with the knowledge they have. As the only IT engineer, I am responsible for the network, servers and security. We have around 2,000 workstations and 30 servers. The IT team is made up of eight people, including the manager.

I decided to use a DMZ with inner and outer firewalls. The current implementation has the outer firewall running OpenBSD on two obsolete workstations with failover enabled. The inner firewall is a PIX. I recommended failover for it as well, which will be put on hold until funding is available. After working with both architectures, my team of students and I believe the BSD is more secure and flexible than the PIX, but management feels more comfortable with a PIX. Given the hackarounds I had to implement with the PIX, even our Cisco instructor reluctantly admitted that it is a poor fit for our environment.

I have been told this arrangement is more sophisticated than what any other college in the state uses. We are still in the process of populating the DMZ with DNS, e-mail relay and Web services.

Before the firewall was in place, security was a nightmare. When I did a 15-minute capture of outside traffic, over half of the TCP sessions were attacks on SQL Server. We couldn't keep OptiView Web Acceleration up without it getting compromised. The techs seemed to be tracking down compromised workstations on a regular basis.

As for my firewall rule set -- I have characterized it as Swiss cheese. However, I try to tightly limit what each rule allows. For example, one client uses Net Meeting to connect to a server in the state government. I opened all of the required ports between just those two specific addresses. Until we had an FTP proxy, I refused to open the required ports except to specific external addresses. When we got the proxy running, the rules were all removed.

On the inside, I plan to partition the network so each group can reach the central servers and the internet but not each other. Given our budget, we will have all of the servers on a single subnet, and as best we can, limit directory and file access to just what people need. This is done using Active Directory permissions. This clearly isn't optimal but this is the best we can do under current budget constraints.
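The "Swiss cheese" principle above (many holes, each scoped to one host pair and a short port list) can be checked mechanically. The following is an added example, not code from the letter or from Bates Technical College: a small ruleset auditor that flags any pass rule whose source or destination is wider than a single host, or whose port list is longer than a threshold. The rule line format and the sample rules are constructed for this example and are not pf syntax.

```python
"""Flag firewall pass rules that are wider than a single host-pair hole.

Added example; rule format "action proto src -> dst ports" is a
constructed simplification, not pf.conf. Sample IPs are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    ports: str  # "any", "1720", "1720,1731" or "6000-6063"


def parse_rule(line: str) -> Rule:
    action, proto, src, arrow, dst, ports = line.split()
    if arrow != "->":
        raise ValueError(f"bad rule: {line}")
    return Rule(action, proto, src, dst, ports)


def is_single_host(addr: str) -> bool:
    """True only for a /32 (or /128) address; 'any' and subnets are False."""
    if addr == "any":
        return False
    net = ipaddress.ip_network(addr, strict=False)
    return net.prefixlen == net.max_prefixlen


def port_count(ports: str) -> int:
    """Number of ports a port spec opens; 'any' means the whole range."""
    if ports == "any":
        return 65536
    total = 0
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total


def audit(rule: Rule, max_ports: int = 16) -> list[str]:
    """Reasons a pass rule is broader than 'these two hosts, these ports'."""
    if rule.action != "pass":
        return []  # block rules can be as broad as they like
    findings = []
    if not is_single_host(rule.src):
        findings.append(f"source {rule.src} is not a single host")
    if not is_single_host(rule.dst):
        findings.append(f"destination {rule.dst} is not a single host")
    if port_count(rule.ports) > max_ports:
        findings.append(f"{port_count(rule.ports)} ports open")
    return findings


RULES = [  # constructed sample ruleset
    "pass tcp 10.0.5.17 -> 192.0.2.9 1720,1731",  # one client to one server
    "pass tcp 10.0.0.0/16 -> any 21",             # FTP from a whole subnet
    "pass tcp any -> any any",                    # the hole that swallows all
    "block any any -> any any",
]


def audit_ruleset(lines: list[str]) -> dict[str, list[str]]:
    return {line: audit(parse_rule(line)) for line in lines}


if __name__ == "__main__":
    for line, findings in audit_ruleset(RULES).items():
        print(line, "=>", "; ".join(findings) or "OK")
```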

