University of Louisville • September 2005
Building Firewalls
Building Firewalls in an Open Environment
University of Louisville
Andrew L. Davis
What is a firewall?
A firewall is software and/or hardware which functions in a networked environment to prevent some communications forbidden by the security policy.
A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and a connectivity model based on the least privilege principle.

Why have a firewall?
A firewall is put in place to help protect resources
- Data
- Policy
- Law
- WANs/LANs
- datacenter network
The reasons to have a firewall are similar to any other security device/system, and it is important to remember that a firewall will not solve all of your problems. You always want to have multiple layers of security.
How does a firewall work?
A firewall inspects each packet of data as it traverses between two zones of trust to see if it should be allowed through or be blocked. How deeply it looks at each packet determines the type of firewall that is being used.
- Network layer firewalls look at the IP protocol headers
- Application layer firewalls look at the IP protocol data
UofL Firewall Solution
There are a lot of firewall solutions out there: CISCO PIX, OpenBSD, Linux, Firewall-1, Microsoft ISA server, SonicWall.
The solution that the University of Louisville selected is the CISCO Firewall Services Module (FWSM), based on the PIX technology. The main reasons for choosing this solution are the fast data rates that it offers and the ability to integrate easily into the network.
- 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections
- Multiple Virtual Firewalls per FWSM
Cisco Catalyst 6500 Series Firewall Services Module vendor info
Maximum of 100 Virtual Firewalls per Module
University Policy
A university environment has a need to be flexible and open to allow researchers to exchange information. Because of this approach the outbound default policy is set to allow all traffic. We are denying some outbound traffic for security reasons. Some examples of traffic that we are explicitly blocking are:
- smtp (25)
- dns (53)
- rpc (111)
- snmp (161)
- Microsoft network ports (135, 137, 138, 139, 445)
The default policy for inbound traffic is set to deny any unknown traffic.
We only allow key systems to send and receive email to the rest of the world. The same goes for our dns traffic.
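The policy stated above can be modelled as a small rule evaluator. This is an added example, not the University's FWSM configuration; the campus range, the mail relay and the DNS server addresses are constructed placeholders, and the port blocks are applied to TCP and UDP alike to keep the model short.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses; the real UofL ranges and key systems are not on the page.
CAMPUS = ip_network("10.0.0.0/8")
MAIL_RELAYS = {ip_address("10.1.1.25")}   # hypothetical "key systems" allowed to exchange mail
DNS_SERVERS = {ip_address("10.1.1.53")}   # hypothetical "key systems" allowed to exchange DNS

# Ports the deck lists as explicitly blocked outbound.
BLOCKED_OUTBOUND = {25, 53, 111, 161, 135, 137, 138, 139, 445}
# Services that only the designated key systems may send or receive across the perimeter.
KEY_SERVICE_HOSTS = {25: MAIL_RELAYS, 53: DNS_SERVERS}


@dataclass(frozen=True)
class Flow:
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


def direction(flow):
    """Classify a flow relative to the campus perimeter."""
    src_in = ip_address(flow.src) in CAMPUS
    dst_in = ip_address(flow.dst) in CAMPUS
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal"


def evaluate(flow):
    """Return ('permit' | 'deny', reason) for a flow crossing the perimeter firewall."""
    d = direction(flow)
    if d == "outbound":
        # Outbound default allow, with a short list of explicitly blocked ports;
        # the key mail/DNS systems are the only hosts exempt from those blocks.
        if flow.dport in BLOCKED_OUTBOUND:
            if ip_address(flow.src) in KEY_SERVICE_HOSTS.get(flow.dport, set()):
                return "permit", f"key system may send on port {flow.dport}"
            return "deny", f"port {flow.dport} is explicitly blocked outbound"
        return "permit", "outbound default allow"
    if d == "inbound":
        # Inbound default deny: only the key systems' mail and DNS services are reachable.
        if ip_address(flow.dst) in KEY_SERVICE_HOSTS.get(flow.dport, set()):
            return "permit", f"key system may receive on port {flow.dport}"
        return "deny", "inbound default deny"
    return "permit", "flow does not cross the perimeter"
```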
UofL Implementation
The Firewall System was implemented in three phases:
- Phase I of the firewall implementation project protects the enterprise systems in the University's data center. This phase was completed July 1, 2004.
- Phase II provides perimeter firewalls to provide protection from external networks and undesirable Internet traffic. This phase was completed March 11, 2005.
- Phase III provides distributed firewall protection for schools and departments at their request. This phase began June 30, 2005 and will be an ongoing process.
Firewall Phase I - Datacenter

Phase I Implementation
We generated firewall rules for the datacenter firewall, then spent a preventive maintenance window testing the rules, which allowed us to identify any network services that we had missed.
This was very useful because there were several services that we had missed, or for which we did not fully understand how the application used the network stack.
After the above test cycle, we went live the next week with the datacenter firewall.
Firewall Phase II - Internet

Questionnaire
For phase II we did not have access to all of the computers that might be serving resources to the Internet. So we developed a questionnaire for the University Community to fill out. We were looking for the following type of information.
- Any Servers that may be maintained
- File and Print
- Web Server
- Application
- Other Servers or Services
- IRC / Chat
- FTP
- Streaming Audio
- Etc. . .
Questionnaire (continued)
- Specialized application software
- Example: Departmental Accounting Database shared by users.
- Remote Access
- Need to connect to University workstations or Servers remotely
- List method, software used
- HIPAA
- Maintaining any patient information on workstations or servers? (Required for HIPAA compliance).
Firewall Phase II Implementation
Once the questionnaire was published to the University Community, we set the go live date as March 11th, 2005; Spring Break week.
This gave the Community about four months to get the questionnaire filled out and have any questions answered.
We did have some issues with H.323 traffic and VPN traffic.
Datacenter Lessons
Originally our datacenter network was broken up into two separate VLANs for organizational reasons.
After the first phase of the firewall was implemented, we noticed that this was causing some network inefficiencies.
We have now redesigned the datacenter network to merge the two VLANs into one VLAN.
New Datacenter Firewall

Firewall Phase III

Firewall Phase III Implementation
Custom firewalls are implemented at the request of the department to firewall a group of computers that may need additional security protection from the rest of the university community.
URLs
UofL's firewall page www.louisville.edu/it/firewall
KHECC 2005 presentation www.louisville.edu/~aldavi03/khecc_2005
S5: A Simple Standards-Based Slide Show System www.meyerweb.com/eric/tools/s5/