Firewall Wizards mailing list archives
Re: Firewall best practices
From: Dave Piscitello <dave () corecom com>
Date: Mon, 19 Apr 2010 11:57:59 -0400
Jason Lewis wrote:
> While I believe the "only allow what you need" rule is a good one, it's impossible to enforce in a lot of scenarios. How many small businesses have no firewall admins and do the configuration themselves? Do you think they are going to spend the time examining what ports should be open based on what their users are using? No, they will open ports until it works. Last time I checked, every Linksys router comes with "allow all outbound" by default. How many people change that?
This is laziness on the part of commodity router/firewall vendors. Some of us are old enough to recall configuration "wizards" on dialup and ISDN routers (ACC, Livingston, Compatible Systems...). The wizards asked "what applications do you want to run?" This is known art, not rocket science. While the application mix is much broader today than 1995, it is still possible to give even residential users enough context to make an informed choice.
> The point of my question was: if you're forced into a position to open everything, what ports *should* you always block, and why? The response below doesn't help that IT guy with no experience or time to research everything.
There is no definitive list. Lots of badness exits networks via mail and web ports, should you block these? Any list you come up with will be long, and long is complex, and complex is "fail" for residential and SMB.
> For example, blocking SMB and NT RPC inbound and outbound should be a high priority: ports 135, 137-139, 445. A lot of worms are propagated via these ports, and when you attempt to do DNS lookups, Windows will also try to connect outbound via SMB. I had hoped someone had already put this info on the web somewhere, but I have yet to find it.
If you haven't found this yet, you aren't looking in the right places (and I don't mean to sound mean). I searched "block port 445 at firewall" (www.grc.com/port_445.htm) and "block port 445 linksys" (http://forums.cabling-design.com/xdsl/Netopia-3500-LinkSys-Port-135-and-445-in-Log-Files-1034-.htm).
> Marcus's thoughts on default permit are here: http://www.ranum.com/security/computer_security/editorials/dumb/index.html Again, I agree with the thoughts, but for a hardware vendor selling to a home user or an SMB, it's never going to happen. The user wants to buy a device, plug it in and have it work. They don't want to spend time configuring things. That's reality; default deny is a dream.
I suspect we will have to agree to disagree here. Default deny is an imperative.
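What the two positions above look like in practice, as an added example that is not part of the thread: a default-deny nftables ruleset for a small gateway that drops the SMB / NT RPC ports (135, 137-139, 445) in both directions and then allows outbound traffic only for a short, application-shaped list (web, mail, NTP, DNS), logging whatever the default-deny catches so that an admin with no time can still see which port to open next. Interface names `lan0` and `wan0`, the table name `gateway`, and the specific allow-list are assumptions for illustration, not anything the posters wrote.

```shell
#!/bin/sh
# Default-deny gateway ruleset (added example, not from the firewall-wizards thread).
# Assumed interface names; override with LAN=eth1 WAN=eth0 sh gateway.sh apply
LAN="${LAN:-lan0}"
WAN="${WAN:-wan0}"

# Emit the nftables ruleset as text so it can be reviewed before being loaded.
build_ruleset() {
    cat <<EOF
flush ruleset
table inet gateway {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # LAN hosts may reach the gateway itself only for DNS and DHCP
        iif $LAN udp dport { 53, 67 } accept
        iif $LAN tcp dport 53 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # SMB and NT RPC never cross the gateway, inbound or outbound,
        # regardless of what the allow-list below says
        tcp dport { 135, 137, 138, 139, 445 } drop
        udp dport { 135, 137, 138, 139, 445 } drop
        # Explicit outbound allow-list, phrased as "what applications do you run"
        # web
        iif $LAN oif $WAN tcp dport { 80, 443 } accept
        # mail (submission, IMAPS, POP3S)
        iif $LAN oif $WAN tcp dport { 25, 465, 587, 993, 995 } accept
        # time
        iif $LAN oif $WAN udp dport 123 accept
        # DNS to an external resolver; remove if the gateway resolves for the LAN
        iif $LAN oif $WAN udp dport 53 accept
        # Log (rate-limited) what the default-deny drops so the admin can open
        # a port deliberately instead of "opening ports until it works"
        iif $LAN oif $WAN limit rate 5/second log prefix "outbound-denied: "
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN masquerade
    }
}
EOF
}

# Load the ruleset atomically; requires root and the nft binary.
apply_ruleset() {
    build_ruleset | nft -f -
}

case "${1:-print}" in
    print) build_ruleset ;;
    apply) apply_ruleset ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

`sh gateway.sh print` shows the ruleset; `sudo sh gateway.sh apply` loads it in one transaction, so a syntax error leaves the previous ruleset in place. The SMB/RPC drop is placed before the allow-list on purpose: if a later edit adds a broad `accept`, those ports still never leave or enter the LAN.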
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards