Virginia Campus networks

Firewall


ISS feels it is unacceptable to apply user-defined Access Control Lists on the routers to enhance the protection of our networks. So I have installed a GTA GB-1000 stateful packet inspection and application firewall appliance between our networks and the Cisco 7206 router at the Virginia Campus Building 1, and a GB-1000 between our networks and the Juniper M20 router at Building 2.

This page explains the routing and firewall setup, so network users can understand what is going to be blocked and what is going to be passed by the firewall. Our firewalling isn't a panacea for security, but we are trying to protect hosts from common automated threats, as well as protect the rest of the Internet from misbehaving hosts at the Virginia Campus.

Important information for each firewall can be found in the GB-1k-b1 section and the GB-1k-b2 section.

Filtering Guidelines

Outbound filtering

In response to the heightened risk of certain kinds of connectivity, the following is the guideline for egress filtering on my firewalls.


Remote Access

There are two kinds of Remote Access: Authenticated User access, which is accomplished by running the GBAuth utility and authenticating your IP address to the firewall with your identity and password, and VPN User access, which is accomplished by creating an IPSec tunnel to the firewall after authenticating.

Authenticated Users are granted access to more services on the networks behind the Virginia Campus firewall, such as to the floating license server.

The current cross-platform authentication client is GBAuth-101.

VPN Users are able to reach additional private services, such as the printer networks, and also ensure the confidentiality and integrity of their communication with the Virginia Campus networks.

At this time access via either method must be requested. Plans are in place to make it easier to obtain access.

Unauthenticated Users

All unauthenticated systems are treated as any Internet host is, and are only permitted to access public services.
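The three access tiers described above (Authenticated Users via GBAuth, VPN Users via an IPSec tunnel, and unauthenticated hosts) can be modelled as a small policy check. The code below is an added illustration written for this page, not GTA GB-1000 or GBAuth code; the addresses, the service names, the printer-network range and the credential table are constructed, and it assumes that VPN Users also receive the Authenticated User services.

```python
"""Model of the Virginia Campus firewall access tiers (added example, not GB-1000 code)."""
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: private networks reachable only over the VPN (e.g. printer networks)
VPN_ONLY_NETS = [ip_network("10.20.0.0/24")]
# Constructed service names grouped by the tier they require
PUBLIC_SERVICES = {"www", "smtp"}            # any Internet host may reach these
AUTHENTICATED_SERVICES = {"license"}         # floating license server needs GBAuth


@dataclass
class Firewall:
    authenticated_ips: set = field(default_factory=set)  # IPs bound to a user by GBAuth
    vpn_peers: set = field(default_factory=set)          # IPs with an IPSec tunnel up

    def gbauth(self, src, user, password, credentials):
        """GBAuth: bind the source IP to the user after checking identity and password."""
        expected = credentials.get(user, "")
        if not hmac.compare_digest(expected, password):
            return False
        self.authenticated_ips.add(ip_address(src))
        return True

    def vpn_up(self, src):
        """Record that an IPSec tunnel from src is established (after authentication)."""
        self.vpn_peers.add(ip_address(src))

    def tier(self, src):
        ip = ip_address(src)
        if ip in self.vpn_peers:
            return "vpn"
        if ip in self.authenticated_ips:
            return "authenticated"
        return "unauthenticated"  # treated like any other Internet host

    def decide(self, src, dst, service):
        """Return True if the firewall passes src -> dst for the named service."""
        tier = self.tier(src)
        if any(ip_address(dst) in net for net in VPN_ONLY_NETS):
            return tier == "vpn"                      # private networks: VPN only
        if service in PUBLIC_SERVICES:
            return True
        if service in AUTHENTICATED_SERVICES:
            return tier in ("authenticated", "vpn")   # assumption: VPN includes auth tier
        return False                                  # default deny
```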