Firewall Wizards mailing list archives

Re: Firewall best practices


From: "Darden, Patrick S." <darden () armc org>
Date: Thu, 15 Apr 2010 08:29:57 -0400


No offense, but this list is "firewall wizards", not "I don't have time
to do a good job of being a firewall admin".  I believe the responses
you have gotten are appropriate and expert.

Furthermore, what you are asking for *really and truly* destroys the
fundamental nature of a firewall system.  You cannot have a secure
system using a default of allow--all you can do is fool yourself.

Default: allow.  Fundamentally insecure.  Quicksand upon which no sound
edifice can be built.
Default: deny.  Fundamentally secure.  A solid foundation upon which to
build.

This is not just for a "Firewall" but for all network security policy.
E.g. a server should by default have all services turned off--you should
only turn on the ones you need.  E.g. a remote access switch should not
allow everyone to log in except a few people, it should disallow
everyone except the ones you turn on specifically.  E.g. a core router
should not allow all users to act as admins--except for Bob and Alice
because everyone knows they are untrustworthy....

You may think these are ridiculous examples--and they are.  But they
illustrate just how ridiculous experts find your default:allow policy
for firewalls to be.

Back in 1997 default:allow was the standard.  But it just didn't work.
And the internet has grown a lot less friendly since then.

If you want a list of ports that are untrustworthy and should not be
used because exploits exist that can make use of them, I can give you
one:

0--65535

Please take my message as tongue in cheek, instead of being mean--humor
doesn't always translate.

--Patrick Darden



-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
Jason Lewis
Sent: Wednesday, April 14, 2010 9:11 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

While I believe the only allow what you need is a good rule, it's
impossible to enforce in a lot of scenarios.  How many small businesses
have no firewall admins and do the configuration themselves?  Do you
think they are going to spend the time examining what ports should be
open based on what their users are using?  No, they will open ports
until it works.  Last time I checked every Linksys router comes with
allow all outbound by default.  How many people change that?

The point of my question was if you're forced into a position to open
everything, what ports *should* you always block and why.  The response
below doesn't help that IT guy with no experience or time to research
everything.

For example, blocking SMB and NT RPC inbound and outbound should be a
high priority.  Ports 135, 137-139, 445.  A lot of worms are propagated
via these ports and when you attempt to do DNS lookups, windows will
also try to connect outbound via SMB.  I had hoped someone had already
put this info on the web somewhere, but I have yet to find it.

Marcus's thoughts on default permit are here:
http://www.ranum.com/security/computer_security/editorials/dumb/index.html
Again, I agree with the thoughts, but for a hardware vendor selling to
a home user or an SMB, it's never going to happen.  The user wants to buy
a device, plug it in and have it work.  They don't want to spend time
configuring things.  That's reality, default deny is a dream.

jas
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
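The example below is added to this archive page and is not code from either poster.  It models the two firewall policies the thread argues about as first-match rule lists: Jason's "default allow, but always block SMB/NT RPC (135, 137-139, 445)" and Patrick's "default deny, allow only what you need".  The same sample flows are run through both, a helper reports which flows got through only because no rule matched them, and each policy is rendered as an nftables ruleset so the difference shows up as "policy accept" versus "policy drop".  The allowlist (DNS, HTTP, HTTPS out; SSH in), the sample flows and the port choices are constructed assumptions for the illustration, not anything the thread specifies.

```python
# Added example (not from the thread): default allow + blocklist versus
# default deny + allowlist, modelled as first-match rule lists, plus a
# renderer that emits each as an nftables ruleset.  Port choices and the
# sample flows are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    """A new connection attempt crossing the firewall."""
    direction: str  # "in" (toward the protected net) or "out"
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "deny"
    direction: Optional[str] = None         # None matches both directions
    proto: Optional[str] = None             # None matches tcp and udp
    ports: Optional[FrozenSet[int]] = None  # None matches any port

    def matches(self, f: Flow) -> bool:
        return ((self.direction is None or self.direction == f.direction)
                and (self.proto is None or self.proto == f.proto)
                and (self.ports is None or f.dport in self.ports))


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default: str   # verdict when no rule matches: the whole argument

    def decide(self, f: Flow) -> str:
        for r in self.rules:  # first match wins, as in most firewalls
            if r.matches(f):
                return r.action
        return self.default


# Jason's "ports you should always block": SMB and NT RPC, both directions.
SMB_RPC_PORTS = frozenset({135, 137, 138, 139, 445})

DEFAULT_ALLOW = Policy("default allow + SMB/RPC blocklist",
                       [Rule("deny", ports=SMB_RPC_PORTS)], default="allow")

# Default deny: only the services this (assumed) site actually needs.
DEFAULT_DENY = Policy("default deny + allowlist", [
    Rule("allow", "out", "udp", frozenset({53})),
    Rule("allow", "out", "tcp", frozenset({53, 80, 443})),
    Rule("allow", "in", "tcp", frozenset({22})),
], default="deny")

# Constructed sample traffic: worm ports, normal web use, and services the
# blocklist never thought about.
SAMPLE_FLOWS = [
    Flow("in", "tcp", 445),    # SMB from outside
    Flow("out", "udp", 137),   # NetBIOS name service leaking out
    Flow("out", "tcp", 443),   # HTTPS from a user
    Flow("in", "tcp", 3389),   # RDP exposed from outside
    Flow("in", "tcp", 23),     # telnet
    Flow("out", "tcp", 6667),  # IRC, a classic bot C2 channel
]


def evaluate(policy: Policy, flows: List[Flow]) -> Dict[Flow, str]:
    return {f: policy.decide(f) for f in flows}


def leaks(policy: Policy, flows: List[Flow]) -> List[Flow]:
    """Flows the policy permits only because nothing matched them."""
    return [f for f in flows
            if policy.decide(f) == "allow"
            and not any(r.matches(f) for r in policy.rules)]


def to_nftables(policy: Policy) -> str:
    """Render the policy as an nftables ruleset (inet family)."""
    verb = {"allow": "accept", "deny": "drop"}
    out = ["table inet filter {"]
    for chain, direction in (("input", "in"), ("output", "out")):
        out.append(f"    chain {chain} {{")
        out.append(f"        type filter hook {chain} priority 0; "
                   f"policy {verb[policy.default]};")
        # Replies to connections already permitted must pass in either model.
        out.append("        ct state established,related accept")
        for r in policy.rules:
            if r.direction not in (None, direction):
                continue
            for proto in ([r.proto] if r.proto else ["tcp", "udp"]):
                if r.ports:
                    ports = ", ".join(str(p) for p in sorted(r.ports))
                    match = f"{proto} dport {{ {ports} }}"
                else:
                    match = f"meta l4proto {proto}"
                out.append(f"        {match} {verb[r.action]}")
        out.append("    }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for pol in (DEFAULT_ALLOW, DEFAULT_DENY):
        print(f"== {pol.name}")
        for f, verdict in evaluate(pol, SAMPLE_FLOWS).items():
            print(f"  {f.direction:>3} {f.proto}/{f.dport:<5} {verdict}")
        print("  allowed only by the default:",
              [(f.direction, f.dport) for f in leaks(pol, SAMPLE_FLOWS)])
        print(to_nftables(pol))
```

Under the default-allow policy the blocklist does stop 445 and 137, but RDP, telnet and IRC all pass, and leaks() lists them as permitted purely by the default; under default deny the only way a flow gets through is a rule somebody wrote on purpose, which is the property Patrick is calling a foundation.  The rendered nftables text is illustrative of the two models and would need addresses, interfaces and loopback handling before being loaded on a real host.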

