Educause Security Discussion mailing list archives

Firewalls and all that (was Re: SECURITY Digest - 23 Sep 2005 to 26 Sep 2005 (#2005-176)


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 28 Sep 2005 14:08:03 -0400

On Wed, 28 Sep 2005 09:21:27 EDT, "Scholz, Greg" said:
> Unless I am missing the point somewhere, wouldn't a "default deny"
> inbound help to alleviate this?

Last I looked, it was mostly .edu's here.  Maybe you've got a different
environment there where you can politically get away with cramming a "default
deny" down the users' throats, but a lot of us have to act more like ISPs
than like corporations.

Another potential land mine is whether, by conducting aggressive filtering to
block X, Y, and Z, you become liable if you happen to let something slip
through by accident (although this is more an issue regarding copyright
violations and porn-spam-causing-a-hostile-workplace and similar scenarios).
I'd not want to be the poster child for *that* case. ;)

> Not to push us to a political discussion but someone else mentioned ...

That was me.

> "until we get to the point of only allowing ports 80 and 443"...that is
> pretty much default deny in my book.

Right.  And having denied everything but 80/443, how do you deal with the fact
that you now have to do deep packet inspection, and possibly nasty MITM tricks,
to sort out "real" HTTP/HTTPS versus "something layered on it, possibly even with
an XML encapsulation, just because that port is open"?

> I am spending much of my time on campus discussing what default inbound
> deny really means to gain support and as I gain that support, protecting
> the areas that I can.  So far I find that most faculty and staff are
> shocked when I explain to them in non-technical terms what a default
> permit allows (the bad stuff) and what a default deny could protect them
> from.  So far I have had solid support on a dept by dept basis.

Do you also make clear that "default deny" means that they have to come and
beg permission each time they want to use a new application/protocol that isn't on
your "approved" list, and that it makes you, not them, the ultimate authority
on what they can do with their own machines? (This gets particularly hairy
if you have resident students on campus, who have machines that are not owned
by the institution).  Also, remember that it only takes one important and/or
vocal department chair yelling "But you never told us *THAT* part!" to make
life really challenging from that moment on.
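The point Valdis makes about "open port" not meaning "expected protocol", as an added illustration that is not part of this thread: a first-bytes classifier over constructed sample payloads, showing that a port-only allow rule for 80/443 still needs a payload check to tell real HTTP/TLS from something else layered on the same port. The sample payloads, the labels and the `policy_decision` helper are my own constructions.

```python
"""Why 'allow only 80/443' is not the same as 'allow only HTTP/HTTPS':
the same port can carry an HTTP request, a TLS handshake, or something
unrelated, and only the payload tells them apart."""

# Constructed sample stream openings (not captured traffic).
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"
# TLS record header: type 0x16 (handshake), version 3.1, length 5, then
# a handshake message of type 0x01 (ClientHello).
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.6\r\n"
SAMPLE_XML = b"<?xml version='1.0'?><envelope>...</envelope>"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify(payload: bytes) -> str:
    """Return a coarse label for the first bytes of a TCP stream."""
    if any(payload.startswith(m) for m in HTTP_METHODS):
        # Only trust it as HTTP if the request line carries an HTTP/1.x version.
        request_line = payload.split(b"\r\n", 1)[0]
        if request_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
            return "http"
        return "http-like"
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-clienthello"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def policy_decision(port: int, payload: bytes) -> str:
    """A port-only rule answers 'allow' for 80/443; the payload check then
    says whether the allowed port actually carries the protocol the rule
    was written for, and flags anything else for closer inspection."""
    expected = {80: "http", 443: "tls-clienthello"}
    if port not in expected:
        return "deny: port not on allow list"
    seen = classify(payload)
    if seen == expected[port]:
        return "allow"
    return f"flag: port {port} carrying {seen}, not {expected[port]}"
```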