Firewall Wizards mailing list archives
Re: Firewall best practices
From: Jason Lewis <jlewis () packetnexus com>
Date: Wed, 14 Apr 2010 09:10:36 -0400
While I believe "only allow what you need" is a good rule, it's impossible to enforce in a lot of scenarios. How many small businesses have no firewall admins and do the configuration themselves? Do you think they are going to spend the time examining what ports should be open based on what their users are using? No, they will open ports until it works. Last time I checked, every Linksys router comes with allow all outbound by default. How many people change that?

The point of my question was: if you're forced into a position to open everything, what ports *should* you always block and why? The response below doesn't help that IT guy with no experience or time to research everything.

For example, blocking SMB and NT RPC inbound and outbound should be a high priority. Ports 135, 137-139, 445. A lot of worms are propagated via these ports, and when you attempt to do DNS lookups, Windows will also try to connect outbound via SMB. I had hoped someone had already put this info on the web somewhere, but I have yet to find it.

Marcus's thoughts on default permit are here: http://www.ranum.com/security/computer_security/editorials/dumb/index.html

Again, I agree with the thoughts, but for a hardware vendor selling to a home user or an SMB, it's never going to happen. The user wants to buy a device, plug it in and have it work. They don't want to spend time configuring things. That's reality; default deny is a dream.

jas

On Tue, Apr 13, 2010 at 3:51 PM, Anton Chuvakin <anton () chuvakin org> wrote:
> All,
>
> This is easy.....
>
> Block List: ALL
> Allow List: Only what you need and can trust
>
> Can somebody dig into the list archives and see how many times this question was asked for the last...mmm...10 years? God, this is 2010, why do people still ask for a list of "baddy ports to block?"
>
> Marcus, please come out of hibernation and rant!!! Or - better - copy your rant from..mmm...1992? :-)
>
> --
> Dr. Anton Chuvakin
> Site: http://www.chuvakin.org
> Blog: http://www.securitywarrior.org
> LinkedIn: http://www.linkedin.com/in/chuvakin
> Consulting: http://www.securitywarriorconsulting.com
> Twitter: @anton_chuvakin
> Google Voice: +1-510-771-7106
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
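The "block SMB and NT RPC inbound and outbound" rule Jason describes, written out as an added example in iptables form. This is not code from the original post or from any list member; it assumes a Linux gateway running iptables, an Internet-facing interface named eth0 (a placeholder, overridable through WAN_IF), and that the block rules must land ahead of whatever permit-all rule the box already carries, which is why it uses -I rather than -A.

```shell
#!/bin/sh
# Added example, not from the original post: emit iptables commands that block
# the SMB / NT RPC ports in both directions on a default-permit gateway.
# Assumptions (placeholders, not from the thread): Linux gateway running
# iptables; Internet-facing interface named eth0 unless WAN_IF is set.

WAN_IF="${WAN_IF:-eth0}"

# Ports named in the post. 135 = MS RPC endpoint mapper, 137-139 = NetBIOS
# name/datagram/session services, 445 = SMB directly over TCP.
# iptables writes a port range as lo:hi.
BLOCK_PORTS="135 137:139 445"

# Print the rules rather than running them so they can be reviewed first.
# "-I <chain> 1" puts each rule at the top of its chain, ahead of any
# "allow all" rule a vendor default or a hurried admin already added; with
# -A the block rules would sit behind that rule and never match.
# Usage: gen_rules [iptables-binary]
gen_rules() {
    ipt="${1:-iptables}"
    # 137/138 are UDP, 139/445 are TCP and 135 is listened on over both,
    # so cover both protocols rather than guessing.
    for proto in tcp udp; do
        for p in $BLOCK_PORTS; do
            # Inbound from the Internet to the gateway itself.
            echo "$ipt -I INPUT 1 -i $WAN_IF -p $proto --dport $p -j DROP"
            # Inbound through the gateway to LAN hosts (port forwards, DMZ host).
            echo "$ipt -I FORWARD 1 -i $WAN_IF -p $proto --dport $p -j DROP"
            # Outbound from LAN hosts and from the gateway. REJECT instead of
            # DROP so a client that tries SMB to an Internet host fails at once
            # instead of hanging until it times out.
            echo "$ipt -I FORWARD 1 -o $WAN_IF -p $proto --dport $p -j REJECT --reject-with icmp-port-unreachable"
            echo "$ipt -I OUTPUT 1 -o $WAN_IF -p $proto --dport $p -j REJECT --reject-with icmp-port-unreachable"
        done
    done
}

# Return 0 if destination port $1 falls inside BLOCK_PORTS, 1 otherwise.
# Useful for checking a proposed port forward before it is added.
is_blocked_port() {
    port="$1"
    for p in $BLOCK_PORTS; do
        case "$p" in
            *:*) lo="${p%%:*}"; hi="${p##*:}" ;;
            *)   lo="$p";       hi="$p" ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Review the rules first, then pipe them to sh to apply them:
#   gen_rules
#   gen_rules | sh
```

Because every rule matches on the WAN interface, file sharing between LAN hosts and SMB over a VPN tunnel interface are untouched; only SMB and RPC that would cross the Internet-facing link is stopped. If the site forwards one of these ports on purpose, `is_blocked_port` flags it before the forward silently stops working behind the block rule.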
Current thread:
- Re: Firewall best practices R. DuFresne (Apr 13)
- <Possible follow-ups>
- Re: Firewall best practices Anton Chuvakin (Apr 14)
- Re: Firewall best practices Jason Lewis (Apr 14)
- Re: Firewall best practices Darden, Patrick S. (Apr 15)
- Re: Firewall best practices Paul D. Robertson (Apr 15)
- Re: Firewall best practices Darden, Patrick S. (Apr 15)
- Re: Firewall best practices Jason Lewis (Apr 14)
- Re: Firewall best practices John Morrison (Apr 15)
- Re: Firewall best practices Darden, Patrick S. (Apr 15)
- Re: Firewall best practices Marcus J. Ranum (Apr 15)
- Re: Firewall best practices Morty (Apr 16)
- Re: Firewall best practices Darden, Patrick S. (Apr 22)
- Re: Firewall best practices Martin Barry (Apr 22)
- Re: Firewall best practices Marcus J. Ranum (Apr 22)