When discussing with people the use of firewalls to filter or block traffic, I have often discovered it is difficult to explain exactly what options they have and how they work. In an effort to help clarify that…
Generally, you have to consider two things, scope and traffic flow.
Scope can mean several things, but in essence, scope is a way to label sets of machines and the level of access you plan to let them have. For instance, at Stony Brook there are several scopes, ordered here from lowest risk to highest. Scopes are sometimes also known as IP-ACLs (IP Access Control Lists).
- Private Subnets
These are networks that by definition have limited access to other scopes (or none). You can add other scopes for them to access later, but this is a deliberate act and not the default.
- Selected Hosts
A small list of computers, regardless of where they are.
- Local Subnet
All the computers within your broadcast domain (i.e. your local area network).
- Campus
Computers on campus (or in an enterprise); this can be broken down into smaller scopes:
a) Main Campus
c) Life Sciences
d) Computer Science
- Internet
Pretty much everything else. But these can be scoped sometimes too: for example, by university, by corporation, by vendor, and in some cases geographically or by country.
In most cases it is hard to carve sub-scopes out of the Internet scope, because those ranges often change without notice. The same is true of the campus sub-scopes, but they should change very rarely. Also, unless you are already on a private subnet, realize that most campus IPs are by definition Internet scoped and are therefore exposed directly to the unfiltered Internet. This can be very problematic for your internal security. It is, however, very common for desktops and laptops at least to be scoped to either their local subnet or to their enterprise. Lastly, scope often determines your risk level.
Traffic flow is a determination of what traffic will pass across the firewall. It is usually associated with a direction (Inbound or Outbound), and for the purposes of this discussion direction refers only to who starts the network conversation. For example, if you have a web server you clearly need both Inbound traffic (a remote web browser starts the conversation) and Outbound traffic (the web server has to talk back to the web browser). A typical desktop or laptop, however, has no need for an outside computer to start a conversation with it, so its firewall should be set to disallow any unsolicited Inbound traffic, subject to your needs and the scoping those needs require.
We often categorize this as Server vs. Non-Server traffic.
There is some confusion around this concept. For example, you may use Skype and want people to be able to start chatting with you. While in the strictest definition this makes Skype a kind of server (a client-server application, really), Skype and software like it are not really servers: they use communication mechanisms that are not affected by Inbound firewall rules unless we specifically go out of our way to block them.
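To make the two ideas concrete, here is a small added model (not Stony Brook's configuration and not any firewall's real syntax) that combines a scope table with the "who started the conversation" rule. The address ranges and the three host profiles are constructed for illustration; the point is that a profile exposes a port to one scope, every narrower (lower risk) scope is allowed as well, and anything the host itself started is always allowed back.

```python
import ipaddress

# Scopes ordered from lowest risk (narrowest) to highest (widest).
# Constructed ranges only; not real campus address space.
SCOPES = {
    "selected_hosts": ["192.0.2.10/32", "192.0.2.11/32"],
    "local_subnet":   ["10.1.0.0/24"],
    "campus":         ["10.0.0.0/8"],
    "internet":       ["0.0.0.0/0"],
}
SCOPE_ORDER = list(SCOPES)  # dict order is insertion order (narrow -> wide)

def scope_of(ip):
    """Return the narrowest scope that contains ip."""
    addr = ipaddress.ip_address(ip)
    for name, nets in SCOPES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "internet"

# Profile = for each TCP port, the widest scope allowed to START a
# conversation inbound. A port not listed is not exposed at all.
PROFILES = {
    "desktop":    {},                                   # nothing unsolicited
    "campus_web": {80: "campus", 443: "campus", 22: "selected_hosts"},
    "public_web": {80: "internet", 443: "internet", 22: "selected_hosts"},
}

def allowed(profile, src_ip, dst_port, initiator):
    """Decide whether a packet passes the host firewall.

    initiator: "remote" if the remote host is starting this conversation
               (unsolicited inbound); "local" if this host started it
               (outbound traffic, or the replies to it).
    """
    if initiator == "local":
        return True  # outbound and its return traffic always pass
    permitted = PROFILES[profile].get(dst_port)
    if permitted is None:
        return False
    # Allowed if the source's scope is at least as narrow as the permitted one
    return SCOPE_ORDER.index(scope_of(src_ip)) <= SCOPE_ORDER.index(permitted)
```

Note that `allowed("campus_web", "10.20.30.40", 80, "remote")` is True: a campus scope keeps the Internet out, but any campus host, including a compromised one, can still reach the exposed port.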
Conclusion & Considerations:
Both scope and traffic flow can be used together in almost any combination. Conflicts or oversights can arise while deploying rules, so it always makes sense to verify that your firewall rules are working as expected once they are in place, and it is never a good idea to add rules remotely unless they have been pre-tested for functionality (more than one IT technician has locked themselves out of a device by applying a rule that was just wrong enough to cut them off from the system). Applying rules is best done while you are physically near the system being modified.
But this does give us the tools with which we can customize the rules to a given set of computers' needs while also giving them substantial protection.
So when we suggest that you consider placing your equipment behind a firewall or recommend changes to your firewall rule set, remember that we have a great deal of options and can work with you to not only increase your security but also work within your needs.
We do recommend a campus-based scope. This gives your systems access to all campus resources while blocking out the baddies from outside of campus. This isn't perfect, as there can be malware-infected computers on campus that can be used to reach you despite your intentionally blocking unsolicited Inbound traffic from the Internet. Very often these computers are in ResNet and Wireless, but they are certainly not limited to those networks.
Lastly, there is a school of thought that prefers active/dynamic defenses (IPS or IDS) over scoping rules (aka IP-ACLs), which are inherently static. We agree this is the best approach; however, if you do not have IPS or IDS, scoping rules are really your only defense. Even with IPS/IDS, scoping and limiting traffic flow adds another defensive layer should any other layer fail, which in reality does happen, because attack methodologies are dynamic and shifting and can from time to time evade some defenses for a short while. Luckily, it is extremely rare for an attack to evade all defenses all the time, which is why we recommend the layered approach.