Educause Security Discussion mailing list archives

Re: Firewall Strategies


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Mon, 6 Feb 2006 14:51:52 -0600

Valdis Kletnieks wrote:

> Two notes for those playing along at home:
>
> 1) Please do *egress* filtering as well - you shouldn't be emitting packets
> from reserved or rfc1918 addresses into the Internet at large.  This is particularly
> important for those of you who NAT their entire campus address space.


In addition to filtering RFC1918 addresses, I'd suggest also using
egress filtering to remove packets coming from publicly routable
addresses that aren't yours.  There are various arguments for and
against doing this (e.g., it's good because it prevents your site from
ever being used as a spoofed-source DoS generator, but it's bad because
it might cause your border router to kill itself trying to filter out
packets).  In other words, your border router should drop traffic
arriving on its internal interface that has a source address not
belonging to you.  (On a related note, your border router should also
drop traffic arriving on its external interface that *does* have a
source address belonging to you.)

If available in your infrastructure, something like RPF might be useful,
too.

> 2) The first ports to filter are the nasty ones that *DO* have function inside
> the network, but shouldn't be seeing much access from outside (135-139 come
> to mind....)


Absolutely!  I think it also makes sense to block things like

    * TCP "small services" (e.g., echo, chargen, etc.)

    * Universal Plug-n-Pray (1900/udp and 5000/tcp?)

    * Various UDP services whose purposes are usually
      "internal use only", e.g.:

       - syslog (514/udp)
       - bootp/dhcp (67/udp and 68/udp)
       - tftp (69/udp)
       - snmp (161/udp and 162/udp)

    * Various protocols which probably don't need to be
      used across your border, e.g., the portmapper
      (111/tcp,udp), NFS (2049/tcp,udp), etc.

    * Possibly other services which you might have widely
      deployed but which don't ever need to be accessed
      externally, e.g., Backup Exec (10000/tcp,udp)


This list can get excruciatingly long and I don't think a "one size fits
all" version exists.  It might be worth your time to sit on a span of
your border for a while (or use flow data, if you have that available)
and watch exactly what goes across your border.  That's probably the
best way to determine exactly what services are in use and what effect
you might have if you block them.


--
Alan Amesbury
University of Minnesota
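The border policy described in the message above (drop egress traffic whose source isn't yours, drop ingress traffic whose source *is* yours, drop RFC1918/reserved sources in either direction, and block the listed "internal use only" ports from outside) can be expressed as a small decision function. The following is an added example, not code from the post or from any vendor's router; it models the router as two interfaces and evaluates constructed flow records against the policy. The site prefixes (192.0.2.0/24 and 198.51.100.0/24), the outside addresses, and the port numbers for the "small services" (echo 7, discard 9, chargen 19) are assumptions supplied for illustration. The "internal interface, source not ours" check is the same decision a strict unicast RPF check would make at that interface, which is the RPF feature the message points at.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (constructed for this example): the address space this site owns.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Sources that should never cross the border in either direction:
# RFC1918 space plus a few reserved/link-local ranges.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
)]

# Destination ports from the post that are internal-use only and should not
# be reachable from outside.  TCP small services are echo/discard/chargen.
BLOCKED_INBOUND = {
    "tcp": {7, 9, 19, 111, 135, 136, 137, 138, 139, 2049, 5000, 10000},
    "udp": {67, 68, 69, 111, 135, 136, 137, 138, 139, 161, 162, 514,
            1900, 2049, 10000},
}


@dataclass(frozen=True)
class Packet:
    """One flow record: which border interface it arrived on, plus 5-tuple bits."""
    iface: str   # "internal" (from campus) or "external" (from the Internet)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def border_verdict(pkt: Packet) -> str:
    """Apply the anti-spoof and port policy; returns 'accept' or a 'drop: ...' reason."""
    if pkt.iface not in ("internal", "external"):
        raise ValueError(f"unknown interface {pkt.iface!r}")
    src = ipaddress.ip_address(pkt.src)

    # Reserved / RFC1918 sources never belong on the border, in either direction.
    if _in_any(src, NON_ROUTABLE):
        return "drop: non-routable source"

    ours = _in_any(src, OUR_PREFIXES)
    # Egress: anything leaving campus must carry one of our source addresses
    # (prevents the site being used as a spoofed-source DoS generator).
    if pkt.iface == "internal" and not ours:
        return "drop: egress spoof (source not ours)"
    # Ingress: nothing arriving from the Internet may claim to be from us.
    if pkt.iface == "external" and ours:
        return "drop: ingress spoof (our address from outside)"
    # Ingress: internal-only services are not reachable from outside.
    if pkt.iface == "external" and pkt.dport in BLOCKED_INBOUND.get(pkt.proto, set()):
        return f"drop: inbound {pkt.proto}/{pkt.dport} is internal-use only"
    return "accept"


def evaluate_all(packets):
    """Return (packet, verdict) pairs; handy for reviewing a span/flow sample."""
    return [(p, border_verdict(p)) for p in packets]


# Constructed sample flows (not real traffic) covering each branch of the policy.
SAMPLE_FLOWS = [
    Packet("internal", "10.1.2.3",     "203.0.113.5",  "tcp", 80),    # RFC1918 leaking out
    Packet("internal", "203.0.113.9",  "203.0.113.5",  "udp", 53),    # spoofed egress
    Packet("external", "192.0.2.10",   "192.0.2.20",   "tcp", 443),   # spoofed ingress
    Packet("external", "203.0.113.5",  "192.0.2.20",   "tcp", 139),   # NetBIOS from outside
    Packet("external", "203.0.113.5",  "192.0.2.20",   "udp", 161),   # SNMP from outside
    Packet("external", "203.0.113.5",  "192.0.2.20",   "tcp", 443),   # legitimate inbound
    Packet("internal", "192.0.2.20",   "203.0.113.5",  "tcp", 443),   # legitimate outbound
]

if __name__ == "__main__":
    for pkt, verdict in evaluate_all(SAMPLE_FLOWS):
        print(f"{pkt.iface:8} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<5} {verdict}")
```

Running it over a real span or flow export (one `Packet` per record) gives the "what would I break if I blocked this" view the message recommends: count the `accept` versus `drop` verdicts per port before turning the rule on.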
