astronomer
0 pts. | May 4 2005 6:42PM GMT
My experience is that policies vary widely depending on the organization.
In the Intel early access services lab we tightly controlled what could go where. The only thing we had open that bothered me was FTP to the shared net. When ISS came in to evaluate our setup they were surprised that we knew precisely what we were allowing. They said it was common for them to set up an environment like ours and have security gradually deteriorate until the net was mostly open within a few years.
The situation is entirely different at the college I work at now. They didn’t have a firewall before I came. I have characterized my firewall ruleset as Swiss cheese. On the other hand, I try to limit as tightly as possible what each rule allows. For example, one client uses NetMeeting to a server in the state government. I opened all of the required ports between just those two specific addresses. Until we had an FTP proxy I refused to open the required ports except to specific external addresses. When we got the proxy running, these rules were all removed. We are in the process of moving public services to a DMZ. All incoming email and proxied web access goes through a virus/spam scanner. Given my choice, I would use a different brand of virus scanner on the clients and servers.
On the inside, I plan on partitioning up the network so each group can reach the central servers and the internet but not each other.
Given our budget, we will have all of the servers on a single subnet and limit access with Active Directory. This clearly isn’t optimal, but this is the best we can do under current budget constraints.
As best we can, we limit directory and file access to just what people need. This is done using Active Directory permissions.
rt
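The post describes two opposite ruleset styles: a "Swiss cheese" set of holes, and holes that are each kept as narrow as possible (one client to one server, only the required ports). The script below is an added example, not code from the post or from any firewall product: it audits a small, constructed ruleset and flags rules whose source, destination, protocol or port range is broader than a chosen threshold, which is the kind of check that catches the gradual "until the net was mostly open" drift the post mentions. The rule format, the thresholds, and the addresses (taken from the RFC 5737 documentation ranges) and port numbers are all assumptions made for the example.

```python
"""Flag overly broad firewall rules in a simple, constructed ruleset."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str    # CIDR; "0.0.0.0/0" means any source
    dst: str    # CIDR; "0.0.0.0/0" means any destination
    proto: str  # "tcp", "udp" or "any"
    ports: str  # "any", a single port, a comma list, or "lo-hi" ranges


def host_count(cidr: str) -> int:
    """Number of addresses a CIDR block covers (a /32 is exactly one host)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def port_count(ports: str) -> int:
    """Number of destination ports a port spec opens."""
    if ports == "any":
        return 65536
    total = 0
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        total += hi_n - lo_n + 1
    return total


def audit_rule(rule: Rule, max_hosts: int = 256, max_ports: int = 32) -> list:
    """Return a list of findings for one rule; empty means the rule is tight.

    Thresholds are assumptions for the example: a rule may name up to a /24
    on either side and up to 32 ports before it is called broad.
    """
    findings = []
    if host_count(rule.src) > max_hosts:
        findings.append("broad source")
    if host_count(rule.dst) > max_hosts:
        findings.append("broad destination")
    if rule.proto == "any":
        findings.append("any protocol")
    if port_count(rule.ports) > max_ports:
        findings.append("broad port range")
    return findings


def audit(rules: list) -> dict:
    """Map each rule name to its findings, so a reviewer sees the holes at a glance."""
    return {r.name: audit_rule(r) for r in rules}


# Constructed ruleset: one tight rule in the style the post describes
# (one client, one external server, only the needed ports; the port numbers
# are illustrative), one pre-proxy FTP rule left open to the world, and one
# "allow everything out" rule of the kind a deteriorating ruleset accumulates.
RULES = [
    Rule("netmeeting-to-state", "192.0.2.10/32", "198.51.100.20/32",
         "tcp", "389,522,1503,1720,1731"),
    Rule("ftp-anywhere", "192.0.2.0/24", "0.0.0.0/0", "tcp", "20-21"),
    Rule("allow-all-out", "192.0.2.0/24", "0.0.0.0/0", "any", "any"),
]


if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        status = ", ".join(findings) if findings else "ok"
        print(f"{name:22s} {status}")
```

Running it prints one line per rule; the NetMeeting-style rule comes back clean while the other two are flagged on their destination and, for the last one, on protocol and ports as well. In practice the same pass would be run against an export of the real ruleset, and the thresholds tuned to what the site considers acceptable.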