Re: Permissive Firewall Policy

[Kevin <kkadow () gmail com>]

On 9/21/06, Kevin Hinze <kevin.hinze () navigators org> wrote:
>  New to the list, so hope this has not already been covered numerous times.

I don't think anybody has posted anything nearly this silly ever
before, I will give you the benefit of the doubt and assume from how
you phrase the question that it isn't your idea.


>  I have been asked to move from a restrictive policy of only
> allowed/permitted ports are allowed through the Firewall to a permissive
> policy of deny known "bad" port/protocols and allow all else.  Does anyone
> have lists, bookmarks or the like to show a list of known "bad" ports?

There are several lists of known ports used by exploits and malware,
or you could just take the list of permitted destination ports in the
default Squid configuration and "invert" it.


>  I believe this is a bad idea
> but need some information to prove how difficult
> it will be to manage.

I don't know that it will be difficult to manage, but it will
definitely be difficult to demonstrate effectiveness.  Just about any
TCP or UDP port can carry a "bad" protocol, many dangerous
applications are port-agile, so blocking specific ports won't do much
to stop the communications.

You could be better off just forgetting about writing IP filter rules
and instead use an IPS product to block all known bad protocols and
transactions?

Kevin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards