Table of Contents
Departmental Firewall Guidelines and Procedures  1
Introduction  3
Benefits and Risks of Having a Departmental Firewall  3
Choosing A Firewall  4
Performance and Topology Considerations  4
Determine the Location for the Firewall  7
Cost Components  7
Memorandum of Understanding for Departmental Firewalls  7
Coordinate the Installation  8
Consultation with Desktop Enterprise Solutions (DES) (Optional)  8
Additional Resources  9
Attachment 1: Memorandum of Understanding (MOU) Regarding the Use of Departmental Network Firewalls  10
Memorandum of Understanding Regarding the Use of Departmental Network Firewalls  12
Attachment 2: Departmental Firewall Rule Sets  14
Suggested Base Rules  14
Suggested Optional Rules  14
Egress Filtering  16
Ports Related to Microsoft Active Directory, Microsoft Exchange, and Microsoft SQL  18
Online Resources for Program Port Usage  20
A. Simple Firewall
A simple firewall is the most straightforward firewall arrangement. It requires a firewall
appliance with two or more ports (See Figure 1).
The firewall appliance is placed in departmentally controlled space, and requires two or
more NAMs: one representing the public side of the firewall, and the rest representing the
private VLAN side.
The number of NAMs varies according to the number of separate VLANs your
department or departments are using. Each VLAN will need an individual NAM and
physical Ethernet port on the firewall.
Figure 1 (diagram; only the labels survive on the page: UC Davis / Public, 1U appliance, Network Switch, Server 1, Server 2, Workstation 1, Workstation 2)
Figure 3 (diagram; only the labels survive on the page: UC Davis / Public, 1U appliances, Network Switches, Server 1, Server 2, Workstation 1, Workstation 2)
Cost Components
The basic cost elements involved in setting up a firewall are:
The firewall itself: Firewall appliances vary widely in cost. At the low end, an Open Source
product on a PC platform may cost as little as $1,000. Commercial firewall appliances offer
midrange ($2,500 to $5,000) solutions for average traffic levels. At the high end, a
commercial firewall appliance is likely to cost much more. Be sure to include recurring
hardware and software maintenance costs in planning for the firewall life cycle. The campus
has a blanket agreement for purchasing Netscreen firewall appliances.
Horizontal wiring and NAM activation: At least two NAMs, both either 100 Mbps or 1 Gbps,
will be needed for a simple firewall topology. If the selected physical location already has
enough unused NAMs for the installation, the only costs for the physical connectivity will be
activation and monthly fees. The standard rates apply to the installation of NAMs and ports
for firewall use. Horizontal wiring installation costs about $460 per NAM, where needed,
plus access and activation fees that are based on the connection speed (see
http://cr.ucdavis.edu/rates/rates.cfm for current rates).
Additional Resources
Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick and Steven M. Bellovin, Second Edition, February 2003
Internet Firewalls: Frequently Asked Questions, Matt Curtin and Marcus J. Ranum, December 2000, http://www.ranum.com/pubs/fwfaq/
Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems, Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, Ronald W. Ritchey, Que, 1st edition (June 28, 2002)
Building Internet Firewalls, 2nd Edition, Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman, O'Reilly & Associates, Inc., June 2000
Firewall Mailing List, http://www.isc.org/services/public/lists/firewalls.html
Online Firewall Buyers Guide, ICSA Labs, TruSecure Corporation, http://www.icsalabs.com/html/communities/firewalls/buyers_guide/index.shtml
Juniper Network Solutions, http://www.juniper.net
UC Davis Security Group, http://security.ucdavis.edu
OpenBSD firewall resources, http://insecure.ucdavis.edu/OpenBSD (developed and maintained by Adam Getchell)
Memorandum of Understanding Regarding the Use of Departmental Network Firewalls
Vulnerability Identification
Periodically, the campus may conduct scans of the campus network to identify insecure computers that
could negatively affect the availability of network services or integrity of other computers. Department
firewalls may prevent campus scanning tools from inspecting computers protected by the firewall. In
such cases, campus units must specifically permit the campus scanning utilities to pass through the
department firewall or assume the responsibility for identifying vulnerable or compromised computers.
Unrestricted hostile network traffic emanating from a firewall-protected network could lead the NOC to
take protective actions, up to and including disconnection of the department firewall from the UC Davis
network. In such an extreme case, all department devices protected by the firewall will lose network
connectivity until the problem is resolved.
Communication
Departmental end users are expected, if DES services have been engaged, to communicate with DES via
the departmental LAN administrator. Individual end users that report trouble directly will be referred to
the Departmental LAN Administrator. Departments are expected to make this policy known to their end
users.
The department is expected to have a primary and backup contact within the department for trouble
referrals and for other communications regarding firewall implementation. It is preferred that those
contacts be available after hours; otherwise situations may require the departmental network be shut off
from outside connectivity for the sake of preserving campus network integrity. NOC staff will make
their best effort to contact both the designated people before proceeding with an emergency port
shutdown. CR is not responsible for enabling the firewall service should the department support contacts
be inaccessible. Please designate your primary and backup contacts below.
Primary Contact Name: _________________________________   Phone: __________   Email: __________________________
Backup Contact Name: _________________________________   Phone: __________   Email: __________________________
Approved by:
__________________________________   Date: ________________________________
Requesting Campus Organization
__________________________________   Date: ________________________________
Vice Provost, Information and Educational Technology
Egress Filtering
One area of Cyber Security compliance that is difficult to define and implement is egress
filtering. We are working with the campus community to define and refine this issue further, but
for now here are a few guidelines that can be easily integrated into your existing firewall.
Only allow source addresses from the IP network numbers you assign to trusted segments
behind your firewall(s), including DMZ networks. This includes primary and secondary
network numbers, and subnets that are routed to the Internet through your firewall
(including addresses reserved for VPN clients).
Apply appropriate subnet masks to trusted networks, i.e., masks that are sufficiently long
to identify only that fragment of the IP network number that you are using. For example, if
you are using an RFC 1918 Private Address from the Class B number 172.16.0.0, and only
assigning numbers from 172.16.1.x, use 255.255.255.0 (or /24), not 255.255.0.0 (or /16) as
your subnet mask.
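The two egress guidelines above can be checked mechanically. The following Python script is an added example and is not part of this guideline or of any campus firewall configuration: it keeps a list of trusted segments, classifies constructed outbound flow records by whether their source address belongs to one of those segments, shows why the 255.255.0.0 mask lets a never-assigned 172.16.x source through while 255.255.255.0 does not, and renders the same policy as OpenBSD pf rules. All prefixes, the flow records, and the interface name em0 are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Trusted segments behind the firewall: the assigned block, the DMZ and the
# VPN client pool, as the egress guideline describes. Every prefix here is
# constructed for this example; 172.16.1.0/24 mirrors the guideline's own
# illustration of assigning only from 172.16.1.x.
TRUSTED_SEGMENTS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("172.16.1.0/24"),   # department LAN (assigned /24)
    ipaddress.ip_network("172.16.2.0/24"),   # DMZ segment (constructed)
    ipaddress.ip_network("10.250.0.0/24"),   # VPN client pool (constructed)
]


def egress_allowed(src_ip: str,
                   trusted: Iterable[ipaddress.IPv4Network] = TRUSTED_SEGMENTS) -> bool:
    """A packet may leave through the firewall only if its source address
    belongs to one of the trusted segments behind it."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def audit_flows(flow_lines: Iterable[str],
                trusted: Iterable[ipaddress.IPv4Network] = TRUSTED_SEGMENTS
                ) -> Tuple[List[str], List[str]]:
    """Classify outbound flow records of the form 'src dst proto dport'
    into those the egress policy passes and those it drops."""
    trusted = list(trusted)
    passed, dropped = [], []
    for line in flow_lines:
        src = line.split()[0]
        (passed if egress_allowed(src, trusted) else dropped).append(line)
    return passed, dropped


def mask_comparison(src_ip: str, loose: str = "172.16.0.0/16",
                    tight: str = "172.16.1.0/24") -> Dict[str, bool]:
    """Why the guideline asks for the longer mask: a source that was never
    assigned in 172.16.1.x still matches a /16 'trusted' rule."""
    addr = ipaddress.ip_address(src_ip)
    return {
        "loose": addr in ipaddress.ip_network(loose),
        "tight": addr in ipaddress.ip_network(tight),
    }


def pf_egress_rules(trusted: Iterable[ipaddress.IPv4Network] = TRUSTED_SEGMENTS,
                    ext_if: str = "em0") -> List[str]:
    """Render the policy in OpenBSD pf syntax. pf evaluates rules
    last-match-wins, so the default block comes first and the per-segment
    pass rules override it. 'em0' is an assumed external interface name."""
    rules = [f"block out on {ext_if} all"]
    rules += [f"pass out on {ext_if} inet from {net.with_prefixlen} to any"
              for net in trusted]
    return rules


# Constructed flow records ('src dst proto dport'); destinations use
# RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    "172.16.1.10 198.51.100.25 tcp 515",   # assigned LAN host printing: pass
    "10.250.0.7 198.51.100.53 udp 53",     # VPN client DNS lookup: pass
    "172.16.2.5 203.0.113.9 tcp 443",      # DMZ server: pass
    "172.16.99.4 203.0.113.20 tcp 25",     # never-assigned 172.16.x source: drop
    "192.0.2.77 203.0.113.20 tcp 80",      # address foreign to the site: drop
]


if __name__ == "__main__":
    passed, dropped = audit_flows(SAMPLE_FLOWS)
    print("passed:", *passed, sep="\n  ")
    print("dropped:", *dropped, sep="\n  ")
    print("172.16.99.4 under /16 vs /24:", mask_comparison("172.16.99.4"))
    print(*pf_egress_rules(), sep="\n")
```

The two dropped records are the interesting ones: 172.16.99.4 is inside the RFC 1918 block the department drew from but outside the /24 it actually assigned, which is exactly the case the mask guideline is about, and 192.0.2.77 is an address the site never owned at all. Adding a new segment is a one-line change to TRUSTED_SEGMENTS, and the pf rendering regenerates from the same list so the audit and the enforced policy cannot drift apart.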
Application
TCP 515
BANNER spooler/printing
169.237.104.59; 169.237.104.65
PPS Printing
UDP 7001
AFS Client
TCP 139
AFS Proxy
afs1.ucdavis.edu; afs2.ucdavis.edu;
afs3.ucdavis.edu; afs4.ucdavis.edu
sydney.ucdavis.edu; sarajevo.ucdavis.edu
TCP 1521
Database Servers
fis-tp.ucdavis.edu; fis-test.ucdavis.edu
TCP 1522
oranames1.ucdavis.edu; oranames2.ucdavis.edu
unfclic1.ucdavis.edu; unfclic2.ucdavis.edu;
unfclic3.ucdavis.edu
Ports Related to Microsoft Active Directory, Microsoft Exchange, and Microsoft SQL
Ports
135 tcp/udp
137 tcp/udp
138 udp
139 tcp
445 tcp/udp
389 tcp
389 udp (LDAP ping)
636 tcp
3268 tcp
3269 tcp
88 tcp/udp (Kerberos)
53 tcp/udp
1512 tcp/udp
42 tcp/udp (WINS Replication)
Ports
1433 tcp/udp
1434 tcp/udp
25 tcp
691 tcp
2883 udp
Applications
21/TCP,UDP
22/TCP,UDP
23/TCP,UDP
25/TCP,UDP
37/TCP,UDP (TIME protocol)
53/TCP,UDP
80/TCP
88/TCP
110/TCP
119/TCP
123/UDP
137/TCP,UDP
138/TCP,UDP
139/TCP,UDP
143/TCP,UDP
161/TCP,UDP
194/TCP
201/TCP,UDP
389/TCP,UDP
401/TCP,UDP
443/TCP,UDP
445/TCP
464/TCP,UDP
500/TCP,UDP
515/TCP
691/TCP (MS Exchange Routing)
989/TCP,UDP
990/TCP,UDP
992/TCP,UDP
993/TCP
995/TCP
1194/udp (OpenVPN)
1214/tcp (Kazaa)
1352/tcp
1433/tcp
1434/tcp,udp
1494/tcp
1723/tcp
1723/udp
1863/tcp (MSN Messenger)
2967/udp
3306/tcp
3389/tcp
5003/tcp
5190/tcp