Firewalls

Duke University, like several other large research universities, has no border firewall. This is primarily because we believe that any firewall which sits in front of over 30,000 computers is not likely to be effective. However, there are several departments on campus which are using firewalls to protect their local computers. These firewalls tend to be more effective since they are protecting fewer computers and can be customized for their environment. An excellent paper by Terry Grey at the University of Washington regarding the tradeoffs in different firewall models was recently published in the Educause Review.

In a CLAC Firewall Solutions Forum, we discussed several different firewalling models and the pros and cons of each:

• Host-based firewalls
• Router-based port filtering
• Hardware-based firewalls

Host-based firewalls are the most effective form of firewalling. Because each firewall is only protecting a single computer, the rules can be customized to be specific to that host. The only types of traffic that will be allowed through the firewall should be legitimate for the specific computer. Moreover, because there is only one host behind each firewall, there is no danger of being hacked via a different computer behind the same firewall.

The drawback of host-based firewalls is that they must be installed on each and every computer. However, since the majority of client computers are identical, only the firewall rules for servers need to be individualized.

On campus, there are departments using a wide range of Unix host-based firewalls including:

• ipfilter (solaris, sunos, various bsds, irix, hp-ux, tru64)
• iptables/ipchains (linux)
• ipfw (bsd)

There are not currently any groups that we know of which are deploying Windows based firewalls, however, there are several options to choose from:

• Windows 2000/XP have a built-in firewall
• Kerio (provided by Duke at http://www.oit.duke.edu/site/software.html
• Tiny Firewall
• Zone Alarm
• Black Ice

One option for schools and departments that have their own router is to use port filtering at the router to minimally block known "bad" ports. Ports which are filtered at the router are able to be used within the network, but may be restricted from coming into the network

There are several candidates for ports to be filtered at the router and many different combinations of the following are used on campus:

• Windows NetBIOS (137, 138, 139, 445)
• Windows RPC (135)
• Unix RPC (111)
• FTP (21)

Hardware firewalls are what are typically thought of in discussions of firewalls. These are separate pieces of equipment that physically sit in the path of the network and allow certain types of traffic to pass and deny other types of traffic.

Several groups around campus are making use of the Cisco Pix firewalls. These firewalls are very easy to configure and use. They come in different sizes to meet the needs of different groups. Another option in use on campus is an Intel-based computer running linux. The built-in linux firewalling (iptables) can be used in a variety of configurations so that one could even create a transparant firewall which did not require the changing of default gateways or other network routing information.

The University does not deploy such a central firewall because of the fundamental problem that a single firewall can not be all things to such a large and diverse group of users. However, for a single department, a research group or a handful of servers where the usage was fairly homogenous, a hardware based firewall may be a good option.

For more information about the Pix 500 series firewalls, the following web page.