Educause Security Discussion mailing list archives
Re: Firewall Strategies
From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Mon, 6 Feb 2006 14:51:52 -0600
Valdis Kletnieks wrote:
Two notes for those playing along at home: 1) Please do *egress* filtering as well - you shouldn't be emitting packets from reserved or rfc1918 addresses into the Internet at large. This is particularly important for those of you who NAT their entire campus address space.
In addition to filtering RFC1918 addresses, I'd suggest also using egress filtering to remove packets coming from publicly routable addresses that aren't yours. There are various arguments for and against doing this (e.g., it's good because it prevents your site from ever being used as a spoofed-source DoS generator, but it's bad because it might cause your border router to kill itself trying to filter out packets). In other words, your border router should drop traffic arriving on its internal interface that has a source address not belonging to you. (On a related note, your border router should also drop traffic arriving on its external interface that *does* have a source address belonging to you.) If available in your infrastructure, something like RPF might be useful, too.
2) The first ports to filter are the nasty ones that *DO* have function inside the network, but shouldn't be seeing much access from outside (135-139 come to mind....)
Absolutely! I think it also makes sense to block things like

 * TCP "small services" (e.g., echo, chargen, etc.)
 * Universal Plug-n-Pray (1900/udp and 5000/tcp?)
 * Various UDP services whose purposes are usually "internal use only", e.g.:
   - syslog (514/udp)
   - bootp/dhcp (67/udp and 68/udp)
   - tftp (69/udp)
   - snmp (161/udp and 162/udp)
 * Various protocols which probably don't need to be used across your border, e.g., the portmapper (111/tcp,udp), NFS (2049/tcp,udp), etc.
 * Possibly other services which you might have widely deployed but which don't ever need to be accessed externally, e.g., Backup Exec (10000/tcp,udp)

This list can get excruciatingly long and I don't think a "one size fits all" version exists. It might be worth your time to sit on a span of your border for a while (or use flow data, if you have that available) and watch exactly what goes across your border. That's probably the best way to determine exactly what services are in use and what effect you might have if you block them.

-- 
Alan Amesbury
University of Minnesota
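The two halves of the advice above (source-address sanity checks at the border in both directions, plus a list of internal-only ports, checked against real flow data before the rules go live) can be modelled as a small packet classifier. The following is an added example and is not code from either poster; the campus prefix 198.51.100.0/24, the interface labels "inside"/"outside", the exact bogon list and the sample flow records are all constructed for illustration, and the port set simply transcribes the services named in the thread (small services, 135-139, UPnP, syslog, bootp/dhcp, tftp, snmp, portmapper, NFS, Backup Exec). The inside/outside source checks are what strict unicast RPF automates on a router; here they are written out so the logic is visible.

```python
"""Border filter policy from the thread, modelled as a packet classifier.

Added example, not from the original posts.  OUR_PREFIXES, BOGON_PREFIXES,
the interface labels and SAMPLE_FLOWS are assumptions chosen for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed: the campus owns this public block (a documentation prefix).
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Source addresses that must never cross the border in either direction:
# RFC 1918 private space plus other reserved / unroutable ranges.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # "this" net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
)]

# Internal-only services named in the thread, keyed by transport protocol.
BLOCKED_PORTS = {
    "tcp": {7, 9, 13, 19,                      # small services: echo, discard, daytime, chargen
            111, 135, 136, 137, 138, 139,      # portmapper, MS RPC / NetBIOS
            2049, 5000, 10000},                # NFS, UPnP, Backup Exec
    "udp": {7, 9, 13, 19, 67, 68, 69, 111, 135, 136, 137, 138, 139,
            161, 162, 514, 1900, 2049, 10000},
}


@dataclass(frozen=True)
class Packet:
    iface: str      # "inside" (campus-facing) or "outside" (Internet-facing): arrival interface
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def _in(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def border_verdict(pkt: Packet) -> tuple:
    """Return (verdict, reason).  Rules are applied in order; first match wins."""
    # Reserved / RFC 1918 sources are dropped no matter which way they travel.
    if _in(pkt.src, BOGON_PREFIXES):
        return "drop", "bogon/RFC1918 source"
    # Egress: a packet leaving the campus must carry one of our addresses,
    # otherwise the site is being used as a spoofed-source DoS generator.
    if pkt.iface == "inside" and not _in(pkt.src, OUR_PREFIXES):
        return "drop", "egress: source address is not ours (spoofed)"
    # Ingress: nothing arriving from the Internet may claim to be us.
    if pkt.iface == "outside" and _in(pkt.src, OUR_PREFIXES):
        return "drop", "ingress: outside packet claims one of our addresses"
    # Port policy: internal-only services are blocked across the border.
    if pkt.dport in BLOCKED_PORTS.get(pkt.proto, ()):
        return "drop", f"{pkt.proto}/{pkt.dport} is internal-only"
    return "accept", "policy allows"


# Constructed sample flow records (iface,src,dst,proto,dport), standing in
# for flow export or a span capture of the border link.
SAMPLE_FLOWS = """\
inside,198.51.100.20,203.0.113.5,tcp,443
inside,198.51.100.21,203.0.113.9,udp,514
inside,10.0.0.5,203.0.113.5,tcp,80
inside,192.0.2.9,203.0.113.5,tcp,443
outside,203.0.113.5,198.51.100.20,tcp,443
outside,203.0.113.5,198.51.100.20,udp,161
outside,198.51.100.7,198.51.100.20,tcp,80
outside,203.0.113.77,198.51.100.30,tcp,139
"""


def audit_flows(flow_text: str) -> Counter:
    """Dry-run the policy over flow records and tally the drop reasons.

    This is the "watch what crosses your border first" step: it shows which
    rules would actually fire, and how often, before anything is blocked.
    """
    reasons = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        iface, src, dst, proto, dport = line.split(",")
        verdict, reason = border_verdict(Packet(iface, src, dst, proto, int(dport)))
        if verdict == "drop":
            reasons[reason] += 1
    return reasons


if __name__ == "__main__":
    for reason, count in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(f"{count:4d}  {reason}")
```

Running the audit over the constructed records drops six of the eight flows: one RFC 1918 source, one spoofed public source leaving the campus, one outside packet claiming a campus address, and three internal-only ports (syslog, snmp, NetBIOS). Replace SAMPLE_FLOWS with a day's worth of exported flow records and the counts per reason tell you, before deploying any rule, which services are in use across the border and what each block would break.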
Current thread:
- Firewall Strategies James Meyers (Feb 03)
- <Possible follow-ups>
- Re: Firewall Strategies Gary Flynn (Feb 03)
- Re: Firewall Strategies Dave Koontz (Feb 04)
- Re: Firewall Strategies Mark Bauer (Feb 04)
- Re: Firewall Strategies Christian Wilson (Feb 06)
- Re: Firewall Strategies Valdis Kletnieks (Feb 06)
- Re: Firewall Strategies Alan Amesbury (Feb 06)
- Re: Firewall Strategies Richard Hopkins (Feb 10)