Firewall Wizards mailing list archives

Re: Firewall best practices


From: "Darden, Patrick S." <darden () armc org>
Date: Thu, 15 Apr 2010 09:56:27 -0400

One other point I always like to make--for outgoing traffic, if you use default:deny you do your part to stop a lot of 
attacks that use forged IP.  Your network, at least, will not be a source.  E.g.

Outgoing Packets
Default: deny all SIP, allow only your assigned IP space, only ports X,Y,Z,P,D,Q.

Of course it is even better when you mate an SIP and a port (e.g. smtp to/from your smtp gateway/server).

--p


On 14 April 2010 14:10, Jason Lewis <jlewis () packetnexus com> wrote:
While I believe the only allow what you need is a good rule, it's 
impossible to enforce in a lot of scenarios.  How many small 
businesses have no firewall admins and do the configuration 
themselves?  Do you think they are going to spend the time examining 
what ports should be open based on what their users are using?  No, 
they will open ports until it works.  Last time I checked every 
Linksys router comes with allow all outbound by default.  How many 
people change that?

The point of my question was if you're forced into a position to open 
everything, what ports *should* you always block and why.  The 
response below doesn't help that IT guy with no experience or time to 
research everything.

For example, blocking SMB and NT RPC inbound and outbound should be a 
high priority.  Ports 135,137-139, 445.  A lot of worms are propagated 
via these ports and when you attempt to do DNS lookups, Windows will 
also try to connect outbound via SMB.  I had hoped someone had already 
put this info on the web somewhere, but I have yet to find it.

Marcus's thoughts on default permit are here:
http://www.ranum.com/security/computer_security/editorials/dumb/index.html
Again, I agree with the thoughts, but for a hardware vendor selling 
to a home user or an SMB, it's never going to happen.  The user wants 
to buy a device, plug it in and have it work.  They don't want to 
spend time configuring things.  That's reality; default deny is a 
dream.

jas

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

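The two policies discussed in this thread, Patrick's default-deny egress rule (only your assigned address space, only a fixed set of ports, with SMTP pinned to the mail gateway) and Jason's fallback for administrators forced into allow-all (at least block SMB/NT RPC on 135, 137-139 and 445 in both directions), written out as a small policy evaluator. This is an added illustration, not code from either poster or from the list; the address range 192.0.2.0/24, the gateway address 192.0.2.25, the allowed port set {53, 80, 443} and the sample packets are constructed values standing in for "your assigned IP space" and "ports X,Y,Z,P,D,Q".

```python
"""Model of two outbound firewall policies from the thread.

Added example (not from the original posts).  All addresses, ports and
packets below are constructed samples, not a real deployment.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the organisation's assigned public address space.
ASSIGNED_SPACE = [ipaddress.ip_network("192.0.2.0/24")]

# SMB / NT RPC ports that the thread says to block in every direction.
ALWAYS_BLOCK = {135, 137, 138, 139, 445}

# Constructed stand-in for "only ports X,Y,Z,P,D,Q" in the default-deny policy.
ALLOWED_OUT_PORTS = {53, 80, 443}

# Constructed: the one host allowed to send SMTP ("mate an SIP and a port").
SMTP_GATEWAY = ipaddress.ip_address("192.0.2.25")
SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as seen leaving the network
    dst: str    # destination IP
    dport: int  # destination port
    proto: str = "tcp"


def default_deny_egress(pkt: Packet):
    """Patrick's policy: deny unless source is ours AND the port is approved.

    Returns (decision, reason).  Forged-source packets never get out, so the
    network cannot be used as a launch point for spoofed-source attacks.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.dport in ALWAYS_BLOCK:
        return "deny", "smb/rpc blocked in all directions"
    if not any(src in net for net in ASSIGNED_SPACE):
        return "deny", "source address outside assigned space (forged?)"
    if pkt.dport == SMTP_PORT:
        # Port/source pairing: SMTP only from the designated gateway.
        if src == SMTP_GATEWAY:
            return "allow", "smtp from designated gateway"
        return "deny", "smtp permitted only from the smtp gateway"
    if pkt.dport in ALLOWED_OUT_PORTS:
        return "allow", "port on outbound allow list"
    return "deny", "default deny"


def allow_all_with_blocklist(pkt: Packet):
    """Jason's fallback: allow everything outbound except the worm ports.

    This is what a consumer router with 'allow all outbound' becomes once
    the always-block list is added.  Note it does nothing about spoofed
    source addresses, which is the gap the default-deny policy closes.
    """
    if pkt.dport in ALWAYS_BLOCK:
        return "deny", "smb/rpc blocked in all directions"
    return "allow", "default permit"


def evaluate(policy, packets):
    """Apply a policy to each packet; return a list of (packet, decision)."""
    return [(p, policy(p)[0]) for p in packets]


# Constructed sample traffic: normal web, a spoofed source, SMB, SMTP from
# the gateway, SMTP from a workstation, and an unapproved port.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", 443),
    Packet("10.9.8.7", "198.51.100.5", 443),
    Packet("192.0.2.10", "198.51.100.5", 445),
    Packet("192.0.2.25", "198.51.100.5", 25),
    Packet("192.0.2.10", "198.51.100.5", 25),
    Packet("192.0.2.10", "198.51.100.5", 6667),
]


def denied_count(policy, packets=SAMPLE_PACKETS):
    """How many of the sample packets each policy stops."""
    return sum(1 for _, d in evaluate(policy, packets) if d == "deny")


if __name__ == "__main__":
    for name, policy in (("default-deny", default_deny_egress),
                         ("allow-all+blocklist", allow_all_with_blocklist)):
        print(f"== {name} ==")
        for pkt in SAMPLE_PACKETS:
            decision, reason = policy(pkt)
            print(f"{pkt.src:>12} -> {pkt.dst}:{pkt.dport:<5} {decision:5} ({reason})")
```

Running it side by side shows the difference the thread is arguing about: the blocklist-only policy stops just the SMB packet, while default-deny additionally drops the spoofed-source packet, the workstation's direct SMTP and the unapproved port, with the gateway's SMTP and ordinary HTTPS still passing.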