Firewall Wizards mailing list archives
Re: Permissive Firewall Policy
From: Tim Shea <tim () tshea net>
Date: Sat, 23 Sep 2006 22:07:05 -0500
I am assuming outbound access. If it's inbound, then I am not sure what to say except game over.

Over the last six-month period I moved the organization I am presently at from a "permissive" firewall policy to a "restrictive" firewall policy, added web caching servers, and removed the internet firewall as the default gateway. Here are the problems it helped mitigate:

a) firewalls no longer went down due to compromised machines on the internal network attempting to DoS external victims
b) compromised machines on the internal network could no longer get their marching orders via their control channels
c) unauthorized software had a much more difficult time working (i.e. P2P, etc.)
d) for every new virus or piece of malware we are not in a reactive mode of 'blocking the bad port'
e) improved auditing to help in internal investigations

Point d is the most valid point. Any port can be a "bad" port depending on the application. Your move will only generate more work and more problems for the organization, as you are moving from a proactive mode to a reactive mode. And you have to ask yourself why this is being requested. Questions I would automatically ask are:

1) What is the business driver?
2) Is it because some applications aren't "working" because of the firewall?
3) Is the organization responsible for the firewalls not responsive enough in dealing with item 2?
4) Who is driving it and what is their agenda?
5) What game application is a vice president trying to play that is breaking due to the firewall?

This is an education opportunity and you are doing the right thing by asking for evidence. I got a lot of heat for restricting access, but I sold it as improving stability (sometimes security just doesn't sell, so you have to look for another touch point). In addition, in a lot of industries a 'permissive' firewall policy will run afoul of regulators and auditors. Use them; they can be your friends.

On Sep 21, 2006, at 9:45 AM, Kevin Hinze wrote:
New to the list, so I hope this has not already been covered numerous times.

I have been asked to move from a restrictive policy, where only allowed/permitted ports are let through the firewall, to a permissive policy of denying known "bad" ports/protocols and allowing all else. Does anyone have lists, bookmarks or the like to show a list of known "bad" ports? I believe this is a bad idea but need some information to prove how difficult it will be to manage.

Thanks in advance,
Kevin Hinze

--
Good judgment comes with experience. Unfortunately, the experience usually comes from bad judgment.
___________________________________________________________________
Kevin Hinze mailto:kevin.hinze () navigators org
Intranet Systems Engineer
The Navigators
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
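The two policies the thread argues over, as an added example that is not part of either message above: a small first-match rule evaluator that runs the same constructed outbound flows through a "deny known-bad, allow all else" chain and through a default-deny chain that only lets the proxy, the resolver and the mail relay out. The network layout (workstations in 10.1.0.0/16, caching proxy 10.0.0.10, resolver 10.0.0.53, mail relay 10.0.0.25), the sample flows and the "known-bad" port set are all assumptions made for the illustration; the port set is deliberately not offered as a canonical list, because the point of the example is that a control channel moved one port along slips straight through it. The `to_nft` method renders a policy as an nftables forward chain so the same rules can be compared in firewall syntax.

```python
"""Default-deny vs. deny-known-bad egress policy, evaluated over constructed flows.

Assumed layout (example only): workstations 10.1.0.0/16, web caching proxy
10.0.0.10, internal resolver 10.0.0.53, mail relay 10.0.0.25.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # internal source address
    dst: str      # external destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    src: str = "0.0.0.0/0"             # source prefix the rule applies to
    proto: Optional[str] = None        # None matches any protocol
    dports: frozenset = frozenset()    # empty set matches any port
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


@dataclass
class Policy:
    name: str
    default: str                       # chain policy when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def decide(self, f: Flow) -> Tuple[str, str]:
        """First matching rule wins; also return what matched, for the audit trail."""
        for r in self.rules:
            if r.matches(f):
                return r.action, r.comment or f"{r.action} {r.proto} {sorted(r.dports)}"
        return self.default, "chain default"

    def to_nft(self) -> str:
        """Render the same policy as an nftables forward chain (inet family)."""
        lines = [f"table inet {self.name} {{", "  chain forward {",
                 f"    type filter hook forward priority 0; policy {self.default};"]
        for r in self.rules:
            parts = []
            if r.src != "0.0.0.0/0":
                parts.append(f"ip saddr {r.src}")
            if r.proto and r.dports:
                parts.append(f"{r.proto} dport {{ {', '.join(str(p) for p in sorted(r.dports))} }}")
            elif r.proto:
                parts.append(f"meta l4proto {r.proto}")
            parts.append(r.action)
            if r.comment:
                parts.append(f'comment "{r.comment}"')
            lines.append("    " + " ".join(parts))
        # Log and count whatever falls through to the chain policy: this is the audit trail.
        lines.append(f'    log prefix "{self.name}-default " counter')
        lines += ["  }", "}"]
        return "\n".join(lines)


# Illustrative "known-bad" ports (SMB/RPC, MS-SQL, IRC); NOT a canonical list.
KNOWN_BAD_TCP = frozenset({135, 139, 445, 1433, 6667})
KNOWN_BAD_UDP = frozenset({137, 138, 1434})

PERMISSIVE = Policy("permissive", "accept", [
    Rule("drop", proto="tcp", dports=KNOWN_BAD_TCP, comment="known-bad tcp"),
    Rule("drop", proto="udp", dports=KNOWN_BAD_UDP, comment="known-bad udp"),
])

RESTRICTIVE = Policy("restrictive", "drop", [
    Rule("accept", src="10.0.0.10", proto="tcp", dports=frozenset({80, 443}), comment="web proxy only"),
    Rule("accept", src="10.0.0.53", proto="udp", dports=frozenset({53}), comment="internal resolver"),
    Rule("accept", src="10.0.0.53", proto="tcp", dports=frozenset({53}), comment="resolver, large answers"),
    Rule("accept", src="10.0.0.25", proto="tcp", dports=frozenset({25}), comment="mail relay"),
])

FLOWS = {  # constructed sample traffic, not captured data
    "proxy fetch":     Flow("10.0.0.10", "203.0.113.5",  "tcp", 443),
    "resolver query":  Flow("10.0.0.53", "203.0.113.53", "udp", 53),
    "ws direct http":  Flow("10.1.3.7",  "203.0.113.9",  "tcp", 80),    # beacon bypassing the proxy
    "ws irc c2":       Flow("10.1.3.7",  "198.51.100.7", "tcp", 6667),
    "ws irc c2 moved": Flow("10.1.3.7",  "198.51.100.7", "tcp", 6668),  # same malware, port + 1
    "ws p2p":          Flow("10.1.3.7",  "203.0.113.44", "udp", 4444),
    "ws smb":          Flow("10.1.3.7",  "203.0.113.66", "tcp", 445),
}


def compare(flows=FLOWS, policies=(PERMISSIVE, RESTRICTIVE)) -> Dict[str, Dict[str, str]]:
    """Decision per flow under each policy: {flow name: {policy name: action}}."""
    return {name: {p.name: p.decide(f)[0] for p in policies} for name, f in flows.items()}


def permissive_gaps(flows=FLOWS) -> List[str]:
    """Flows the deny-known-bad policy lets out that default-deny stops."""
    return [n for n, d in compare(flows).items()
            if d["permissive"] == "accept" and d["restrictive"] == "drop"]


if __name__ == "__main__":
    for name, d in compare().items():
        print(f"{name:16} permissive={d['permissive']:7} restrictive={d['restrictive']}")
    print(RESTRICTIVE.to_nft())
```

Run it and the gap list comes back as the direct-to-IP beacon, the control channel that moved from 6667 to 6668 and the P2P client: every one of them is a flow the blocklist has to be extended for after the fact, while the default-deny chain needs no change. The `log ... counter` line at the end of each rendered chain is what gives the investigators something to read later; on a default-accept chain it records only what the blocklist caught, on a default-deny chain it records every attempt that was not explicitly allowed.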
Current thread:
- Permissive Firewall Policy Kevin Hinze (Sep 22)
- Re: Permissive Firewall Policy Marcus J. Ranum (Sep 23)
- Re: Permissive Firewall Policy ArkanoiD (Sep 23)
- Re: Permissive Firewall Policy Scott C. Kennedy (Sep 23)
- Re: Permissive Firewall Policy Anton Chuvakin (Sep 25)
- Re: Permissive Firewall Policy J. Oquendo (Sep 25)
- Re: Permissive Firewall Policy Kevin (Sep 23)
- Re: Permissive Firewall Policy Devdas Bhagat (Sep 23)
- Re: Permissive Firewall Policy Tim Shea (Sep 23)
- <Possible follow-ups>
- Re: Permissive Firewall Policy Fetch, Brandon (Sep 23)
- Re: Permissive Firewall Policy Marcus J. Ranum (Sep 23)