Educause Security Discussion mailing list archives

Re: Preparing for Default Deny Firewall


From: "Brawner, David" <dbrawner () MARYVILLE EDU>
Date: Tue, 1 Feb 2005 11:27:41 -0600

Good luck to you on your "conversion".  We did this about 3 years ago
and we couldn't be happier (from a security perspective).  When we hear
about new viruses and vulnerabilities, we are able to sleep better
knowing that most of the new vulnerabilities use ports that we have
closed by default.

If you have a packet shaper or other network monitoring tool, I would
recommend running it for a couple of days to see what kind of traffic
you're generating and then use that as your base guideline.  If you can't
do that, then I would suggest the following list (from our N/C
firewall):

DNS TCP/UDP
HTTP TCP
HTTPS TCP
POP3
SMTP
FTP (20 & 21)
RealAudio
RSTP
Telnet
MSN Messenger
AIM
Yahoo Messenger

Also be aware that some websites use other ports for standard HTTP
traffic (8000, 8080, 9000, etc.), so be ready to make adjustments as
needed.  You will probably have about 3-6 months of "tweaking" as your
various departments report applications and special websites that they
forgot to tell you about at the beginning.

To answer your question about approving new port requests, we funnel all
of those requests through our help desk.  They take down the information
(port number, purpose, user info, etc.) and pass it on to our networking
group.  They perform an investigation to see what other "unsafe"
services or vulnerabilities also use the requested port and they try to
make the filter as restrictive as possible (a small range of clients
internally or just one server externally if possible).  If they find any
problem with the port, we deny the request.

I would recommend that you update your router ACL lists as well.  We
have a generally open ACL list internally except for PING which we deny.
If your ACL is at the edge of your network and you do not need to pass
NetBIOS information or other SLP-type information, you can be more
restrictive.

Again, good luck and I hope it all goes well!

David S. Brawner
Manager of Network & User Services
Maryville University of Saint Louis
(314) 529-9431
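The baseline step David describes (watch a few days of traffic, then derive the permit-known-good list) can be scripted. The example below is added here and is not from the post or either university; it assumes a constructed whitespace-separated flow export (timestamp, src, dst, proto, dst_port, bytes) and maps the listed service names to their well-known port numbers, which is my mapping rather than the post's. Ports outside the list, including the alternate HTTP ports the post warns about, are marked for review rather than dropped.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Well-known ports for the services on the suggested allow-list (my mapping of the names).
KNOWN_SERVICES = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("tcp", 110): "POP3", ("tcp", 25): "SMTP",
    ("tcp", 20): "FTP-data", ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
}
# Alternate HTTP ports the post mentions: likely legitimate, but confirm the destination first.
ALT_HTTP_PORTS = {8000, 8080, 9000}

# Constructed flow export (assumed format): timestamp src dst proto dst_port bytes
SAMPLE_FLOWS = """\
2005-02-01T10:00:01 203.0.113.5 192.0.2.10 tcp 80 5120
2005-02-01T10:00:03 198.51.100.7 192.0.2.20 tcp 25 2048
2005-02-01T10:00:04 198.51.100.9 192.0.2.2 udp 53 120
2005-02-01T10:00:05 203.0.113.8 192.0.2.30 tcp 8080 4096
2005-02-01T10:00:06 203.0.113.9 192.0.2.40 tcp 3389 900
2005-02-01T10:00:07 192.0.2.10 203.0.113.5 tcp 49152 5120
"""

def inbound_flows(text, internal_net):
    """Yield (proto, port, bytes) for flows entering internal_net from outside."""
    net = ip_network(internal_net)
    for line in text.splitlines():
        _, src, dst, proto, port, nbytes = line.split()
        if ip_address(dst) in net and ip_address(src) not in net:
            yield proto, int(port), int(nbytes)

def propose_allowlist(text, internal_net="192.0.2.0/24"):
    """Aggregate observed inbound ports and classify each as an allow or review candidate."""
    stats = defaultdict(lambda: [0, 0])  # (proto, port) -> [flows, bytes]
    for proto, port, nbytes in inbound_flows(text, internal_net):
        stats[(proto, port)][0] += 1
        stats[(proto, port)][1] += nbytes
    rows = []
    for (proto, port), (flows, nbytes) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        if (proto, port) in KNOWN_SERVICES:
            status = "allow:" + KNOWN_SERVICES[(proto, port)]
        elif port in ALT_HTTP_PORTS:
            status = "review:alternate-HTTP"
        else:
            status = "review:unlisted"
        rows.append({"proto": proto, "port": port, "flows": flows, "bytes": nbytes, "status": status})
    return rows
```

Running `propose_allowlist(SAMPLE_FLOWS)` excludes the one outbound flow and yields five inbound candidates, three matching listed services and two marked for review.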

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cary, Kim
Sent: Tuesday, February 01, 2005 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Preparing for Default Deny Firewall

We will shortly be going to a default-deny firewall (inbound only) here
(8000 students 1000 staff, 7 campuses on a WAN).

For those of you that have such a situation, I would appreciate any tips
you have for:
1. Moving from block known bad to permit known good inbound posture.
2. Procedures you have for processing & approving exceptions for new or
changed services.

For those of you that decided against this type of firewall, I think our
implementation would be informed of some things to look out for by
hearing from you about your issues that prevent you from going to this
position.

We also are in receipt of a recommendation that states our router ACLs
should also be default deny. Any tips/comments on that recommendation
would be welcome as well.

Kim Cary
Infrastructure Security Administrator
Pepperdine University
310 506 6655

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
