Firewall Wizards mailing list archives

Re: Benefit of firewall over NAT-only 'protected' network


From: Chuck Swiger <chuck () codefab com>
Date: Thu, 29 May 2003 16:40:40 -0400

Paul Robertson wrote:
On Wed, 28 May 2003, Hugh Blandford wrote:
Please take into consideration that if they had a firewall, it would be
set up to allow all outbound traffic and let the 'responses' back in.  There

That's a silly and mostly specious pre-requisite. For instance, most small office users have *no* need for IRC, and given that IRC is *the* major control vector for trojaned machines, why the heck would you allow it outbound from a small office? Nuke 6667/tcp outbound and you decrease the chance of being owned rather significantly, and you break less than 1/2 of 1% of SOHO users.

Blocking outbound 6667/tcp doesn't decrease the risk of being owned in the sense of decreasing the chances that a machine will be compromised by a security exploit. Blocking outbound 6667/tcp may decrease the risk that a compromised machine will successfully contact an intruder with internal information like passwords (and thus reduce the chances of other machines being owned), and sure, it will help keep the machine from participating in DDoS attacks which use IRC as the control channel.

You shouldn't choose "basically no security policy, now what firewall fits?" any more than "Here's a firewall, now what policy should it support?"

Most users do just that. The problem is that Hugh's "pre-requisite" -- the assumption that a firewall should permit all outbound traffic and all responses to outbound traffic -- is the de facto policy for many firewall products.

Why?

One significant reason is that users tend to believe that security is what applies to other people: "the firewall can block other people's connections, but heaven forbid that it block any connection I want to make". There's more I want to say here, but let me take it up in another thread.

If we don't try to do better, things won't get better.

By "we", who are you talking about?  :-)

I suspect that I'd be doing Paul an injustice to claim that he wasn't considering users as well as firewall-wizards in his remark, but it's worth remembering and repeating that "we" really ought to mean everybody. If you don't view your users as being active and willing participants in the security policy, your users will very probably respond by acting as active, *unwilling* participants.

--
-Chuck


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
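The egress-filtering point argued above (Paul's "nuke 6667/tcp outbound" and Chuck's reply about what such a block does and does not prevent) as a small worked example. This is added here for illustration and is not code from the message or from anyone in the thread. It models a stateful firewall under the two policies discussed: the permissive "allow all outbound, admit replies" default, and the same policy with outbound 6667/tcp dropped. The hosts, ports and addresses are constructed sample values; only the IRC port comes from the thread.

```python
"""Toy stateful egress-policy evaluator (added example, not from the thread).

Two policies from the discussion are modelled:
  - PERMISSIVE: allow all outbound, admit only replies to outbound flows.
  - EGRESS_FILTERED: the same, but drop outbound 6667/tcp (IRC), so a
    compromised inside host cannot reach an IRC control channel while an
    ordinary web fetch still works.
Flow state is keyed on the 5-tuple, so unsolicited inbound packets are
dropped under both policies. Addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

INSIDE_NET = "10.0.0."   # constructed: internal LAN prefix
IRC_PORT = 6667          # the port Paul proposes blocking outbound


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def is_outbound(self) -> bool:
        return self.src.startswith(INSIDE_NET) and not self.dst.startswith(INSIDE_NET)

    def flow_key(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> tuple:
        # key of the outbound flow this packet would be a reply to
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    def __init__(self, blocked_outbound: Set[Tuple[str, int]]):
        self.blocked_outbound = blocked_outbound   # (proto, dport) pairs dropped outbound
        self.flows: Set[tuple] = set()             # established outbound flows
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> str:
        if pkt.is_outbound():
            if (pkt.proto, pkt.dport) in self.blocked_outbound:
                self.log.append(f"DROP outbound {pkt.proto}/{pkt.dport} from {pkt.src}")
                return "DROP"
            self.flows.add(pkt.flow_key())
            return "ACCEPT"
        # inbound: accept only replies to an existing outbound flow
        if pkt.reverse_key() in self.flows:
            return "ACCEPT"
        self.log.append(f"DROP unsolicited inbound {pkt.proto}/{pkt.dport} from {pkt.src}")
        return "DROP"


def run_scenario(blocked_outbound: Set[Tuple[str, int]]):
    """Run three constructed traffic cases through a policy; return verdicts and log."""
    fw = StatefulFirewall(blocked_outbound)
    results = {}
    # 1. ordinary web fetch from an inside host, and the server's reply
    results["web_out"] = fw.filter(Packet("10.0.0.5", 40001, "203.0.113.10", 80))
    results["web_reply"] = fw.filter(Packet("203.0.113.10", 80, "10.0.0.5", 40001))
    # 2. a compromised inside host trying to reach an IRC control channel
    results["irc_out"] = fw.filter(Packet("10.0.0.7", 40002, "198.51.100.20", IRC_PORT))
    results["irc_reply"] = fw.filter(Packet("198.51.100.20", IRC_PORT, "10.0.0.7", 40002))
    # 3. an unsolicited inbound connection attempt to an inside host
    results["unsolicited_in"] = fw.filter(Packet("198.51.100.20", 5555, "10.0.0.5", 445))
    return results, fw.log


PERMISSIVE: Set[Tuple[str, int]] = set()
EGRESS_FILTERED: Set[Tuple[str, int]] = {("tcp", IRC_PORT)}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("egress_filtered", EGRESS_FILTERED)):
        verdicts, log = run_scenario(policy)
        print(name, verdicts)
        for line in log:
            print("   ", line)
```

Running it shows exactly the distinction Chuck draws: neither policy changes whether the inside host gets compromised (the unsolicited inbound attempt is dropped either way, and nothing here stops a user-initiated download), but only the egress-filtered policy stops the compromised host's outbound IRC connection and logs the attempt, which is also the detection signal a SOHO operator would actually get.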

