Firewall Wizards mailing list archives
Re: Firewall best practices
From: "Darden, Patrick S." <darden () armc org>
Date: Mon, 19 Apr 2010 07:52:55 -0400
Good point. I fight against EVERYTHING. :-) However, if a connection has distinct endpoints, and uses an encrypted protocol (ssh, ssl, ipsec) then I fight with less energy.

We have a VMZ here which helps--a sandbox that we put vendor-supplied systems in that do not follow our best practices. We firewall them out of the network, allow only limited access, and stipulate the vendor is responsible for security for their system.

I think you have to seek the truth of whether the service is needed or just desired, and then balance security vs. utility.

--p

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Morty
Sent: Friday, April 16, 2010 12:41 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

On Wed, Apr 14, 2010 at 09:10:36AM -0400, Jason Lewis wrote:

> The point of my question was if you're forced into a position to open everything, what ports *should* you always block and why.

Or less controversially, suppose you *do* have a default deny, and you get requests to allow point-to-point dataflows (inbound or outbound) and/or completely open select ports outbound. Which ports/services should you fight back on or recommend alternatives?

As a general rule, I fight back on protocols that do unencrypted auth and/or are intended for local LAN use and/or are very attractive to malware authors. Examples: FTP, telnet, SMTP, portmap, 135, 137, 138, 139, 445, 1433, NFS, IRC.

If you have IDS, your perspective might change because crypto-enabled ports cause you to lose insight.

- Morty

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
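As an added illustration of Morty's push-back list (not code from the thread or from anyone on it), the following Python script audits an iptables-save dump for ACCEPT rules that open those services, so a reviewer can spot them before a default-deny policy gets an exception. Port numbers for the services he names by name (FTP, telnet, SMTP, portmap, NFS, IRC) are assumed to be the IANA well-known ports, the criterion tag per port is my reading of his three tests, and the ruleset excerpt is constructed.

```python
# Port -> service for the services Morty lists; FTP/telnet/SMTP/portmap/NFS/IRC use
# their IANA well-known ports (assumed). The tag is my reading of his three criteria.
RISKY = {21: "FTP (cleartext auth)", 23: "telnet (cleartext auth)",
         25: "SMTP (malware target)", 111: "portmap (LAN-only service)",
         135: "MS-RPC (LAN-only service)", 137: "NetBIOS-ns (LAN-only service)",
         138: "NetBIOS-dgm (LAN-only service)", 139: "NetBIOS-ssn (LAN-only service)",
         445: "SMB (LAN-only service)", 1433: "MS-SQL (malware target)",
         2049: "NFS (LAN-only service)", 6667: "IRC (malware target)"}

def parse_rule(line):
    """Return (chain, proto, port_spec, target) for an iptables-save '-A' line, else None."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1])
            if t in ("-p", "--dport", "--dports", "-j")}
    return toks[1], opts.get("-p"), opts.get("--dport", opts.get("--dports")), opts.get("-j")

def expand_ports(spec):
    """Expand '23', '137:139' or '135,445,1433' (multiport) into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(ruleset):
    """Return (chain, port, service) for every ACCEPT rule that opens a RISKY port."""
    findings = []
    for line in ruleset.splitlines():
        parsed = parse_rule(line.strip())
        if parsed is None:
            continue
        chain, proto, spec, target = parsed
        if target != "ACCEPT" or proto not in ("tcp", "udp") or spec is None:
            continue
        findings += [(chain, p, RISKY[p]) for p in sorted(expand_ports(spec)) if p in RISKY]
    return findings

# Constructed iptables-save excerpt, not taken from the thread.
SAMPLE = """\
*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 23 -j ACCEPT
-A FORWARD -p udp --dport 137:139 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 135,445,1433 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -j DROP
"""

if __name__ == "__main__":
    for chain, port, service in audit(SAMPLE):
        print(f"{chain}: ACCEPT on {port} opens {service}; push back or offer an alternative")
```

Rules that DROP a listed port (the FTP line above) are not reported, and rules without `-p tcp`/`-p udp` and a destination port are skipped rather than guessed at.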