Firewall Wizards mailing list archives

Re: Firewall best practices


From: John Morrison <john.morrison101 () googlemail com>
Date: Thu, 15 Apr 2010 11:00:16 +0100

Ah. This puts a whole new slant on the question that was not made plain before.

However, it still depends on what you want to do. Below are some scenarios.

    1. You want the firewall to allow any application the purchaser
may use. This may be an existing application you are familiar with
(http, https, ftp); a less well known application (XNS Time Protocol);
a protocol you would not expect on a company network (Xbox360); a new
application that has not been written yet.

For this you would have to open every port. You should at least have
an application-aware firewall that can then check that the packets
conform with the protocols being used. For example, Cisco ASA can
check smtp, esmtp, http, dns, icmp, sip, etc. by using the inspect
<protocol> command. However, you should test this as in the past MS
Exchange has failed to comply with the esmtp protocol and was often
blocked.

    2. You could block those you don't think the purchaser will use.
For example, reserved/unassigned ports (0, 4, 6, 8, 10, 12, 14, 15,
16, 24, etc.)

This is very unlikely to block any applications the user has and is
also unlikely to stop any attacks.

    3. You want to allow the most likely applications. For example,
block all in point 2 above plus Port Service Multiplexer, Remote Job
Entry, Quote of the Day, etc.

This is still unlikely to block any applications the user has and is
also unlikely to stop any attacks.

    4. Block those that are often used by Trojans, etc.: 1080 (Socks),
1433 & 1434 (MS SQL Server), 3389 (Remote Desktop Protocol) -
http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html

Port 3389 is also used for remote access (Terminal Services). Do you
think this might be required? Or is it more important to protect
against the Trojans that use that port?


Alternatively:
    5. If the "IT guy... [has]... no experience or time to research
everything", then he must be an employee of the company - nobody would
contract the work to someone without the skills. Thus, the IT guy will
have access to the firewall. He could then buy one with good logging
and look at the messages to see what is blocked if an application
doesn't work. Then change the settings.

    6. Don't use a firewall. Instead use an IPS that, like AntiVirus
software, has signatures for known attacks and blocks only those as
they occur.


The most effective way to protect your systems is to keep them patched
up to date. See the SANS document published last September
(http://www.sans.org/top-cyber-security-risks/?ref=top20#summary)

On 14 April 2010 14:10, Jason Lewis <jlewis () packetnexus com> wrote:
While I believe the only allow what you need is a good rule, it's
impossible to enforce in a lot of scenarios.  How many small
businesses have no firewall admins and do the configuration
themselves?  Do you think they are going to spend the time examining
what ports should be open based on what their users are using?  No,
they will open ports until it works.  Last time I checked every
Linksys router comes with allow all outbound by default.  How many
people change that?

The point of my question was if you're forced into a position to open
everything, what ports *should* you always block and why.  The
response below doesn't help that IT guy with no experience or time to
research everything.

For example, blocking SMB and NT RPC inbound and outbound should be a
high priority.  Ports 135, 137-139, 445.  A lot of worms are propagated
via these ports and when you attempt to do DNS lookups, windows will
also try to connect outbound via SMB.  I had hoped someone had already
put this info on the web somewhere, but I have yet to find it.

Marcus's thoughts on default permit are here:
http://www.ranum.com/security/computer_security/editorials/dumb/index.html
 Again, I agree with the thoughts, but for a hardware vendor selling
to a home user or a SMB, it's never going to happen.  The user wants
to buy a device, plug it in and have it work.  They don't want to
spend time configuring things.  That's reality, default deny is a
dream.

jas

On Tue, Apr 13, 2010 at 3:51 PM, Anton Chuvakin <anton () chuvakin org> wrote:
All,

This is easy.....
Block List:             ALL
Allow List:             Only what you need and can trust

Can somebody dig into the list archives and see how many times this
question was asked for the last...mmm...10 years? God, this is 2010,
why do people still ask for a list of "baddy ports to block?"

Marcus, please come out of hibernation and rant!!! Or - better - copy
your rant from..mmm...1992? :-)

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


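The thread argues over two policies: Anton's default-deny with an allow-list, and Jason's fallback of default-permit with a block-list of "known bad" ports (135, 137-139, 445 for SMB/NT RPC in both directions; 1080, 1433, 1434 and 3389 from John's point 4, inbound). The following is an added example, not code from any of the posters, that evaluates both policies against a constructed traffic mix and reports where they disagree. The allow-list (DNS, SMTP, HTTP, HTTPS outbound, nothing inbound) and the sample connections are assumptions made for illustration.

```python
"""Added example, not part of the thread: evaluate default-deny (allow-list)
versus default-permit (block-list) on constructed connection attempts.

Port numbers from the thread: 135, 137-139, 445 (SMB / NT RPC, both
directions) and 1080, 1433, 1434, 3389 (John's point 4, inbound).  The
allow-list and the sample traffic are constructed for illustration.
"""
from dataclasses import dataclass


def parse_ports(spec: str) -> frozenset[int]:
    """Expand a firewall-style port spec such as '135,137-139,445'."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class Conn:
    direction: str  # "in" (towards the LAN) or "out" (towards the Internet)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    note: str = ""  # free text, used only for the report


SMB_RPC_PORTS = parse_ports("135,137-139,445")     # block in and out (Jason)
TROJAN_PORTS = parse_ports("1080,1433,1434,3389")  # block inbound (John, pt 4)

# Assumed allow-list for a small office: DNS, mail, web outbound; nothing
# inbound.  This is a constructed policy, not one from the thread.
ALLOW_OUT = parse_ports("53,25,80,443")
ALLOW_IN = parse_ports("")


def default_permit_blocklist(c: Conn) -> bool:
    """Jason's fallback: open everything except the known-bad ports."""
    if c.dport in SMB_RPC_PORTS:
        return False
    if c.direction == "in" and c.dport in TROJAN_PORTS:
        return False
    return True


def default_deny_allowlist(c: Conn) -> bool:
    """Anton's answer: allow only what is needed, deny the rest."""
    allowed = ALLOW_IN if c.direction == "in" else ALLOW_OUT
    return c.dport in allowed


# Constructed traffic mix: legitimate use plus what a worm or bot would do.
SAMPLE_TRAFFIC = [
    Conn("out", "tcp", 443, "user browsing https"),
    Conn("out", "tcp", 445, "Windows SMB to an Internet host"),
    Conn("in", "tcp", 3389, "RDP from the Internet"),
    Conn("in", "tcp", 4444, "listener on a non-standard port (constructed)"),
    Conn("out", "tcp", 6667, "outbound IRC-style C2 (constructed)"),
]


def compare(conns):
    """Return {note: (blocklist_allows, allowlist_allows)} per connection."""
    return {c.note: (default_permit_blocklist(c), default_deny_allowlist(c))
            for c in conns}


def slipped_through(conns):
    """Connections the block-list permits but the allow-list would stop."""
    return [c.note for c in conns
            if default_permit_blocklist(c) and not default_deny_allowlist(c)]


if __name__ == "__main__":
    for note, (bl, al) in compare(SAMPLE_TRAFFIC).items():
        print(f"{note:48s} blocklist={'allow' if bl else 'block':5s} "
              f"allowlist={'allow' if al else 'block'}")
    print("slipped through the block-list:", slipped_through(SAMPLE_TRAFFIC))
```

Run as a script it prints one line per sample connection under each policy. The block-list catches exactly the ports it was told about, so the two constructed connections on ports nobody listed (4444 inbound, 6667 outbound) pass it and are stopped only by the allow-list, which is the gap Anton's answer refers to; whether the site can live with the allow-list is the operational question Jason raises.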

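John's point 5 is that an administrator with good firewall logging can read the drop messages to find out which application a rule is breaking. As an added example (not from the thread), the script below summarises the Linux netfilter LOG target's output (the `SRC=`, `DST=`, `PROTO=`, `DPT=` fields written by `iptables -j LOG --log-prefix "FW-DROP: "`) by source host, protocol and destination port, naming the ports the thread mentions. The log lines are constructed for the example, not captured from a real network, and the `FW-DROP`/`FW-ACCEPT` prefixes are an assumed naming convention.

```python
"""Added example, not part of the thread: summarise a firewall's drop log so
the admin in John's point 5 can see what a rule is blocking.

Input format: Linux netfilter LOG target lines (iptables -j LOG
--log-prefix "FW-DROP: ").  The sample lines below are constructed.
"""
import re
from collections import Counter

# SRC and DST are adjacent in netfilter output; DPT is absent for ICMP.
LOG_RE = re.compile(
    r"(?P<prefix>FW-[A-Z]+): .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+).*?"
    r"\bPROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dport>\d+))?"
)

# Ports named in the thread, for a readable report.
PORT_NAMES = {135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm",
              139: "netbios-ssn", 445: "microsoft-ds", 1080: "socks",
              1433: "ms-sql-s", 1434: "ms-sql-m", 3389: "rdp"}


def parse_line(line):
    """Return the fields of one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"prefix": d["prefix"], "src": d["src"], "dst": d["dst"],
            "proto": d["proto"].lower(),
            "dport": int(d["dport"]) if d["dport"] else None}


def summarize(lines, prefix="FW-DROP"):
    """Count dropped flows per (src, proto, dport), most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix:
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts.most_common()


def describe(key, count):
    """One report line, e.g. '   3  192.168.1.23    tcp/445 (microsoft-ds)'."""
    src, proto, dport = key
    port = "-" if dport is None else str(dport)
    return f"{count:4d}  {src:15s} {proto}/{port} ({PORT_NAMES.get(dport, '?')})"


# Constructed sample log (RFC 5737 addresses), not a real capture.
_HDR = "Apr 15 10:02:{s:02d} gw kernel: "
SAMPLE_LOG = [
    _HDR.format(s=11) + "FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 "
    "LEN=52 TTL=127 ID=1201 DF PROTO=TCP SPT=49153 DPT=445 WINDOW=8192 SYN",
    _HDR.format(s=12) + "FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 "
    "LEN=52 TTL=127 ID=1202 DF PROTO=TCP SPT=49153 DPT=445 WINDOW=8192 SYN",
    _HDR.format(s=14) + "FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 "
    "LEN=52 TTL=127 ID=1203 DF PROTO=TCP SPT=49153 DPT=445 WINDOW=8192 SYN",
    _HDR.format(s=15) + "FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 "
    "LEN=78 TTL=127 ID=1204 PROTO=UDP SPT=137 DPT=137 LEN=58",
    _HDR.format(s=17) + "FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.2 "
    "LEN=60 TTL=52 ID=7711 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=65535 SYN",
    _HDR.format(s=18) + "FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.2 "
    "LEN=84 TTL=52 ID=7712 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1",
    _HDR.format(s=19) + "FW-ACCEPT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 "
    "LEN=52 TTL=127 ID=1205 DF PROTO=TCP SPT=49154 DPT=443 WINDOW=8192 SYN",
    _HDR.format(s=20) + "sshd[812]: Accepted publickey for admin from 192.168.1.5",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG):
        print(describe(key, count))
```

On the sample the top entry is the LAN host 192.168.1.23 repeatedly trying tcp/445 out to an Internet address, which is the outbound SMB behaviour Jason describes; the ICMP line is kept (with no port) rather than dropped by the parser, and the accept and sshd lines are ignored. Point the script at `/var/log/kern.log` or `journalctl -k` output to use it on real logs.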