A Firewall for Oxford

Neil J Long

University of Oxford Computing Services

neil.long@oucs.ox.ac.uk

Introduction

Once upon a time a Firewall equaled Security

Today a firewall is just one component in a toolkit of security techniques and procedures

The Long Term Objective

• Decrease impact of external network attacks
• Minimise impact on normal user services and access
• Establish a Network Security Policy other than "wide open"

Why have a firewall?

• Enforce the Network Policy
• Impose some restrictions
• React to attacks
• Logging

The present situation

• Attacks from outside -> inside
• Attacks from inside -> outside
• Inside <-> inside
• Consequences for .ox.ac.uk

Why don't we have one already?

• Complexity of network topology
• Perceived impact on bandwidth
• No defined security policy
• Few 'disasters'

Disadvantages

• Obvious bottleneck - single point of failure
• Initially needs to be mainly open until key servers or services can be identified
• Availability - staff vs equipment duplication

Affected Protocols

• No impact on internal traffic
• Firewall JANET link therefore only TCP/IP
• TCP, UDP, ICMP, Multicast, etc
• Cambridge have limited POP, IMAP and SMTP to specific hosts

More restrictive rules?

• Must have simple and few rules
• Local nets need to consider their own firewalls for greater restrictions
• Will not reduce the need to keep up with patches and awareness

Conclusions

• Oxford needs a firewall - needs a POLICY!
• Initially 'mostly open'
• Eventually 'mostly closed'
• Bandwidth, latency and backbone topology define selection criteria
• No panacea for system administration