Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Permissive Firewall Policy

From: Tim Shea <tim () tshea net>
Date: Sat, 23 Sep 2006 22:07:05 -0500

I am assuming outbound access.  If its inbound - then I am not sure  
what to say except game over.

Over the last 6 month period I moved the organization I am presently  
at from a "permissive" firewall policy to a "restrictive" firewall  
policy, web caching servers, and removed the internet firewall as the  
default gateway.  Here is the problems it helped mitigate:

a) firewalls were no longer going downtime due to compromised  
machines on the internal network attempting to DOS external victims
b) compromised machines on the internal network could no longer get  
their marching orders via their control channels
c) unauthorized software had a much more difficult time working (i.e.  
P2P, etc)
d) For every new virus or malware we are not in a reactive mode of  
'blocking the bad port'
e) Improved auditing to help in internal investigations

Point D is the most valid point.  Any port can be a "bad" port  
depending on the application.  Your move will only generate more work  
and more problems for the organization as you are moving from a  
proactive mode to a reactive mode.  And you have to ask yourself why  
this is being requested?   Questions I would automatically ask are:

1) What is the business driver?
2) Is it because some applications aren't "working" because of the  
firewall?
3) Is the organization responsible for the firewalls not responsive  
enough for dealing with item 2?
4) Who is driving it and what is their agenda?
5) What game application a vice president is trying to play that is  
breaking due to the firewall?

This is an education opportunity and you are doing the right thing by  
asking for evidence.  I got a lot of heat for restricting access but  
I sold it as improving stability (sometimes security just doesn't  
sell so you have to look for another touch point).  In addition - in  
a lot of industries - a 'permissive' firewall policy will run afoul  
of regulators and auditors.  Use them - they can be your friends.



On Sep 21, 2006, at 9:45 AM, Kevin Hinze wrote:


New to the list, so hope this has not already been covered numerous  
times.

I have been asked to move from a restrictive policy of only allowed/ 
permitted ports are allowed through the Firewall to a permissive  
policy of deny known “bad” port/protocols and allow all else.  Does  
anyone have lists, bookmarks or the like to show a list of known  
“bad” ports?  I believe this is a bad idea but need some  
information to prove how difficult it will be to manage.

Thanks in advance,

Kevin Hinze


-- 
Good judgment comes with experience. Unfortunately, the experience
usually comes from bad judgment.
___________________________________________________________________
Kevin Hinze                       mailto:kevin.hinze () navigators org
Intranet Systems Engineer                     The Navigators

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: