Educause Security Discussion mailing list archives
Re: Preparing for Default Deny Firewall
From: "Brawner, David" <dbrawner () MARYVILLE EDU>
Date: Tue, 1 Feb 2005 11:27:41 -0600
Good luck to you on your "conversion". We did this about 3 years ago and we couldn't be happier (from a security perspective). When we hear about new viruses and vulnerabilities, we are able to sleep better knowing that most of the new vulnerabilities use ports that we have closed by default.

If you have a packet shaper or other network monitoring tool, I would recommend running it for a couple of days to see what kind of traffic you're generating and then use that as your base guideline. If you can't do that, then I would suggest the following list (from our N/C firewall):

DNS TCP/UDP
HTTP TCP
HTTPS TCP
POP3
SMTP
FTP (20 & 21)
RealAudio RTSP
Telnet
MSN Messenger
AIM
Yahoo Messenger

Also be aware that some websites use other ports for standard HTTP traffic (8000, 8080, 9000, etc.), so be ready to make adjustments as needed. You will probably have about 3-6 months of "tweaking" as your various departments report applications and special websites that they forgot to tell you about at the beginning.

To answer your question about approving new port requests, we funnel all of those requests through our help desk. They take down the information (port number, purpose, user info, etc.) and pass it on to our networking group. They perform an investigation to see what other "unsafe" services or vulnerabilities also use the requested port and they try to make the filter as restrictive as possible (a small range of clients internally or just one server externally if possible). If they find any problem with the port, we deny the request.

I would recommend that you update your router ACL lists as well. We have a generally open ACL list internally except for PING, which we deny. If your ACL is at the edge of your network and you do not need to pass NetBIOS information or other SLP-type information, you can be more restrictive.

Again, good luck and I hope it all goes well!

David S. Brawner
Manager of Network & User Services
Maryville University of Saint Louis
(314) 529-9431

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cary, Kim
Sent: Tuesday, February 01, 2005 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Preparing for Default Deny Firewall

We will shortly be going to a default-deny firewall (inbound only) here (8000 students, 1000 staff, 7 campuses on a WAN). For those of you that have such a situation, I would appreciate any tips you have for:

1. Moving from a block-known-bad to a permit-known-good inbound posture.
2. Procedures you have for processing & approving exceptions for new or changed services.

For those of you that decided against this type of firewall, I think our implementation would be informed of some things to look out for by hearing from you about your issues that prevent you from going to this position.

We also are in receipt of a recommendation that states our router ACLs should also be default deny. Any tips/comments on that recommendation would be welcome as well.

Kim Cary
Infrastructure Security Administrator
Pepperdine University
310 506 6655

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
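Added example, not from the thread or either poster: a small Python check that applies the allow list proposed above to a constructed two-day inbound flow summary (the baseline step recommended in the reply) and reports what a default-deny policy would silently drop, plus a per-server exception in the restrictive style described. The port numbers for the named services, the flow record format and the host addresses are this example's assumptions.

```python
"""Baseline check before switching inbound policy to default deny: apply the
proposed allow list to observed flows and report what would silently drop."""
from collections import Counter
ANY = "*"  # rule applies to every internal destination
# Allow list following the services named in the thread. Port numbers are the
# usual defaults and are this example's assumption, not part of the mail.
BASE_RULES = [
    ("udp", 53, ANY), ("tcp", 53, ANY),    # DNS
    ("tcp", 80, ANY), ("tcp", 443, ANY),   # HTTP / HTTPS
    ("tcp", 110, ANY), ("tcp", 25, ANY),   # POP3 / SMTP
    ("tcp", 20, ANY), ("tcp", 21, ANY),    # FTP data / control
    ("tcp", 554, ANY), ("udp", 554, ANY),  # RTSP (RealAudio)
    ("tcp", 23, ANY),                      # Telnet
    ("tcp", 1863, ANY), ("tcp", 5190, ANY), ("tcp", 5050, ANY),  # MSN / AIM / Yahoo
]
ALT_HTTP_PORTS = {8000, 8080, 9000}  # web sites on non-standard ports

def permitted(flow, rules):
    """True if any rule matches the flow's protocol, port and destination."""
    return any(p == flow["proto"] and pt == flow["dport"] and d in (ANY, flow["dst"])
               for p, pt, d in rules)

def with_exception(rules, proto, port, dst):
    """Approved exception scoped to one server, not opened network-wide."""
    return rules + [(proto, port, dst)]

def baseline(flows, rules):
    """Return (kept, dropped, alt_http) Counters keyed by (proto, dport, dst)."""
    kept, dropped, alt_http = Counter(), Counter(), Counter()
    for f in flows:
        key = (f["proto"], f["dport"], f["dst"])
        if permitted(f, rules):
            kept[key] += f["flows"]
            continue
        dropped[key] += f["flows"]
        if f["proto"] == "tcp" and f["dport"] in ALT_HTTP_PORTS:
            alt_http[key] += f["flows"]  # likely a site that needs an exception
    return kept, dropped, alt_http

# Constructed two-day inbound flow summary: proto, dst port, internal host, count.
SAMPLE_FLOWS = [
    {"proto": "tcp", "dport": 80, "dst": "10.1.1.10", "flows": 5400},
    {"proto": "udp", "dport": 53, "dst": "10.1.1.2", "flows": 3100},
    {"proto": "tcp", "dport": 8080, "dst": "10.1.5.7", "flows": 210},  # dept web app
    {"proto": "tcp", "dport": 3389, "dst": "10.1.9.20", "flows": 45},  # lab host RDP
]
if __name__ == "__main__":
    _, dropped, alt_http = baseline(SAMPLE_FLOWS, BASE_RULES)
    for key, n in dropped.most_common():
        print("would DROP", key, n, "flows", "(alt HTTP port)" if key in alt_http else "")
```

Run it against a real flow export and the dropped list becomes the call sheet for the departments to contact before cutover rather than during the months of tweaking afterwards.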
Current thread:
- Preparing for Default Deny Firewall Cary, Kim (Feb 01)
- <Possible follow-ups>
- Re: Preparing for Default Deny Firewall Steven Alexander (Feb 01)
- Re: Preparing for Default Deny Firewall Arturo Servin (Feb 01)
- Re: Preparing for Default Deny Firewall Scholz, Greg (Feb 01)
- Re: Preparing for Default Deny Firewall Brawner, David (Feb 01)
- Re: Preparing for Default Deny Firewall John Kristoff (Feb 01)
- Re: Preparing for Default Deny Firewall Yantis, Jonathan Lindsey (Feb 01)
- Re: Preparing for Default Deny Firewall Steven Alexander (Feb 01)
- Re: Preparing for Default Deny Firewall Jeff Kell (Feb 01)