[OPLINTECH] Firewall configuration question

Phil Shirley pshirley at cuyahogafallslibrary.org
Mon Jun 29 09:15:03 EDT 2015


We allow outgoing traffic on only certain ports for everything on our 
network, including patrons' wireless devices. I open ports when people 
report problems getting to things that the firewall blocks, and I can't 
remember ever saying no, but I'm sure that some things go unreported. I 
would be very interested to know what other libraries do; I don't want 
to block things unnecessarily.

Phil

On 6/27/2015 11:40 AM, Chad Neeper wrote:
> Strictly talking about network perimeter firewalls here, not personal
> firewalls like Windows Firewall or the like:
>
> Network perimeter firewall configuration best practice suggests that
> blocking should occur in both directions by default, with exceptions
> being made as required. That means no network traffic INTO the
> network...AND no traffic OUT of the network without specific exceptions
> being made.
>
> By default, however, most SOHO and mid-level firewalls come configured
> to block all inbound traffic but PERMIT all outbound traffic. This is a
> much easier configuration for novice firewall admins to work with
> because it doesn't prevent LAN computers from doing anything at all that
> they care to do.
>
> On my own business network, I block all in and outbound traffic and make
> exceptions as required. However, I haven't implemented outbound blocking
> at any library yet. I'm considering it.
>
> If I do implement, I think I could only realistically do it for staff
> LANs. Those are the most controlled environments, with known
> applications doing known things.
>
> I don't think it would be wise to try to implement for patron computer
> LANs or for patron wifi though. There is just no way to know what
> exceptions to make for every use case. I could make exceptions to let
> Roblox or Minecraft work, but it would be a constant battle to keep up
> on all the latest popular software and their individual requirements.
>
> So my (first) question is simply this:  Do any of you currently block
> outbound network traffic on any segment of your LAN?
>
> Thanks,
> Chad
>
> ___________________________________
> Chad Neeper
> Senior Systems Engineer
>
> Level 9 Networks
> 740-548-8070 (voice)
> 866-214-6607 (fax)
>
> Full IT/Computer consulting services -- Specialized in libraries and schools
>
>
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
>

-- 
Phil Shirley
Technology Services Coordinator
Cuyahoga Falls Library
Cuyahoga Falls, Ohio
330-928-2117, ext. 109
pshirley at CuyahogaFallsLibrary.org
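The thread contrasts two outbound stances: permit everything, or default-deny with exceptions per segment, and Phil's concern that blocks go unreported. Below is an added example (not code from the OPLINTECH list or any poster) showing both halves of that in Python: a per-segment egress allowlist evaluated under default-deny, a drop report that surfaces what is being blocked without waiting for a patron to complain, and a renderer for an nftables forward chain that accepts the listed ports and logs-then-drops the rest. The segment names, port sets, interface names and flow records are constructed for illustration; the key=value log format is invented, not any real firewall's output.

```python
"""Default-deny egress policy with per-segment exceptions, plus a report of
what the policy drops.  Added example; every value below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Outbound destination ports allowed per network segment (constructed).
# Anything not listed is dropped: this is the "exceptions as required" model.
EGRESS_ALLOW = {
    "staff_lan":   {53, 80, 123, 443, 587, 993},  # DNS, web, NTP, mail submission, IMAPS
    "patron_wifi": {53, 80, 123, 443},            # web-only profile
}


@dataclass(frozen=True)
class Flow:
    segment: str
    src: str
    dst: str
    proto: str
    dport: int


def egress_verdict(flow: Flow) -> str:
    """Return 'accept' or 'drop' for an outbound flow under default-deny.
    A segment with no allowlist entry gets nothing, which is the safe failure."""
    allowed = EGRESS_ALLOW.get(flow.segment, set())
    return "accept" if flow.dport in allowed else "drop"


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value ...' flow record (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["seg"], fields["src"], fields["dst"],
                fields["proto"], int(fields["dport"]))


def drop_report(lines):
    """Count distinct source hosts per dropped (segment, proto, dport).
    Many sources hitting one blocked port is the signal that an exception
    is probably needed, even if nobody has reported a problem."""
    dropped = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if egress_verdict(flow) == "drop":
            dropped[(flow.segment, flow.proto, flow.dport)].add(flow.src)
    return {key: len(srcs) for key, srcs in dropped.items()}


def render_nft(segment: str, iface: str) -> str:
    """Render an nftables forward chain for one segment: allow return traffic,
    accept the listed ports from the segment's interface, log and drop the rest."""
    ports = ",".join(str(p) for p in sorted(EGRESS_ALLOW[segment]))
    return "\n".join([
        f"table inet egress_{segment} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{iface}" meta l4proto {{ tcp, udp }} th dport {{ {ports} }} accept',
        f'    iifname "{iface}" log prefix "egress-drop-{segment}: " drop',
        "  }",
        "}",
    ])


# Constructed flow records; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "seg=staff_lan src=10.1.0.5 dst=93.184.216.34 proto=tcp dport=443",
    "seg=staff_lan src=10.1.0.7 dst=203.0.113.9 proto=tcp dport=22",
    "seg=patron_wifi src=10.2.0.21 dst=198.51.100.4 proto=udp dport=53",
    "seg=patron_wifi src=10.2.0.21 dst=198.51.100.77 proto=tcp dport=25565",  # Minecraft Java default
    "seg=patron_wifi src=10.2.0.33 dst=198.51.100.77 proto=tcp dport=25565",
    "seg=patron_wifi src=10.2.0.40 dst=198.51.100.90 proto=tcp dport=587",
    "seg=guest_unknown src=10.9.0.1 dst=198.51.100.4 proto=tcp dport=443",  # no policy -> dropped
]

if __name__ == "__main__":
    for key, n in sorted(drop_report(SAMPLE_LOG).items()):
        print(f"{key[0]:<13} {key[1]}/{key[2]:<6} blocked for {n} host(s)")
    print(render_nft("patron_wifi", "wlan0"))
```

The report groups by segment and port rather than by destination, because the question an admin actually has to answer is "should this port be an exception for this segment", and the count of distinct hosts gives a rough sense of how many patrons are silently affected. The rendered chain accepts established and related traffic first so replies to allowed connections are not caught by the drop policy, and the log prefix is what feeds the report in a real deployment.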
