Thursday, April 15, 2010

firewall-wizards Digest, Vol 48, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: DNS Names for external services (Jens Link)
2. Re: Firewall best practices (Marcus J. Ranum)
3. Re: Firewall best practices (Marcus J. Ranum)
4. Re: Firewall best practices (Darden, Patrick S.)
5. Re: Firewall best practices (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Thu, 15 Apr 2010 14:33:57 +0200
From: Jens Link <lists@quux.de>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <87eiig7v4a.fsf@bowmore.quux.de>
Content-Type: text/plain; charset=us-ascii

"Marcus J. Ranum" <mjr@ranum.com> writes:

> I guess the question is "what are you trying to accomplish?"

Increase your help desks workload? ;-)

cheers

Jens
--
-------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@guug.de | ------------------- |
-------------------------------------------------------------------------


------------------------------

Message: 2
Date: Thu, 15 Apr 2010 08:09:35 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BC7100F.4010700@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Jason Lewis wrote:
> While I believe the only allow what you need is a good rule, it's
> impossible to enforce in a lot of scenarios.

That's quite true. There's the ideal, and then there is the
reality. Sometimes they don't match up, and we're left with
only reality. As some wise wag once put it: "if wishes
were horses, even beggars would ride"

> How many small
> businesses have no firewall admins and do the configuration
> themselves?

Then they should expect less good results. That's the
trick. "Hey, given that I can only spend 10 minutes
on this, don't blame me when something goes wrong."
In this case the employee/security manager needs to
shift from trying to secure the perimeter to trying
to protect their job. Instead of analyzing which
ports are open, keep an eye on the job-market in your
area. Instead of mapping network connectivity, network
with your peers and look for a job in a place that
has better executive management. Remember the story
of the boy on the burning deck? There are actually
3 "take-aways" from it not 1; yes - 1) the boy was noble but
2) the boy died and 3) the ship sank anyway.

> Do you think they are going to spend the time examining
> what ports should be open based on what their users are using? No,
> they will open ports until it works.

And they'll eventually be hosting malware central.
You're completely correct; it's reality. The place
where unreality sets in is only when people do a
half-assed job and expect full-assed results.

> Last time I checked every
> linksys router comes with allow all outbound by default. How many
> people change that?

Only a few. They're called "the guys who don't get
hacked to pieces." The other guys are called "the
guys with conficker."

> The point of my question was if you're forced into a position to open
> everything, what ports *should* you always block and why.

You did the equivalent of asking for "the best recipe
for beef stroganoff for a man who has no beef."

> The
> response below doesn't help that IT guy with no experience or time to
> research everything.

Nothing can help him. He's screwed. He should spend
his time on other things like keeping his resume up
to date, playing office politics to get promoted, and
day-trading stock to make as much money as he can
so that he can retire early. I like this "let's be
pragmatic" stuff! :D

> They don't want to
> spend time configuring things. That's reality, default deny is a
> dream.

For them, "security" is also a dream. The problem is
merely one of "how do I avoid having to listen to them
complain when they get pwnz0red?" rather than "how do
I secure the network."

See? Pragmatism is mostly a matter of picking what
problem you're really trying to solve.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 3
Date: Thu, 15 Apr 2010 08:17:08 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4BC711D4.1020101@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

MILAN, SANDY (ATTSI) wrote:
> We need to continue to allow these types of questions so
> that the next generations of security professionals are
> educated by those in the know.

That's why some of us have answered those same questions
a thousand times. They are important questions, and we
respect them. On the flip side, each time we do, we confront
how little progress information security has made in the
course of all these years. And thus, new curmudgeons are
minted to replace the old ones as they retire, move into
academia, or explode in frustration.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 4
Date: Thu, 15 Apr 2010 09:56:27 -0400
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] Firewall best practices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE107524040E7881@EX2K3.armc.org>
Content-Type: text/plain; charset="iso-8859-1"

One other point I always like to make--for outgoing traffic, if you use default:deny you do your part to stop a lot of attacks that use forged IP. Your network, at least, will not be a source. E.g.

Outgoing Packets
Default: deny all SIP, allow only your assigned IP space, only ports X,Y,Z,P,D,Q.

Of course it is even better when you mate an SIP and a port (e.g. smtp to/from your smtp gateway/server).

--p


On 14 April 2010 14:10, Jason Lewis <jlewis@packetnexus.com> wrote:
> While I believe the only allow what you need is a good rule, it's
> impossible to enforce in a lot of scenarios. How many small
> businesses have no firewall admins and do the configuration
> themselves? Do you think they are going to spend the time examining
> what ports should be open based on what their users are using? No,
> they will open ports until it works. Last time I checked every
> linksys router comes with allow all outbound by default. How many
> people change that?
>
> The point of my question was if you're forced into a position to open
> everything, what ports *should* you always block and why. The
> response below doesn't help that IT guy with no experience or time to
> research everything.
>
> For example, blocking SMB and NT RPC inbound and outbound should be a
> high priority. Ports 135,137-139, 445. A lot of worms are propagated
> via these ports and when you attempt to do DNS lookups, windows will
> also try to connect outbound via SMB. I had hoped someone had already
> put this info on the web somewhere, but I have yet to find it.
>
> Marcus's thoughts on default permit are here:
> http://www.ranum.com/security/computer_security/editorials/dumb/index.html
> Again, I agree with the thoughts, but for a hardware vendor selling
> to a home user or a SMB, it's never going to happen. The user wants
> to buy a device, plug it in and have it work. They don't want to
> spend time configuring things. That's reality, default deny is a
> dream.
>
> jas
>

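[Editor's note: the following is an added worked example, not part of the digest or of Patrick Darden's or Jason Lewis's posts. It models the outbound policy Patrick describes (default deny, only your assigned source space may leave, only a short port list, and SMTP mated to the mail gateway's address) together with the SMB/NT RPC block list from Jason's quoted message, then renders the same policy as iptables rules. The 203.0.113.0/24 prefix, the gateway address 203.0.113.25, the port list standing in for "X,Y,Z,P,D,Q", the interface name eth0 and every sample packet are assumptions constructed for illustration.]

```python
"""Egress default-deny policy as a small offline evaluator plus the equivalent
iptables rule list. Added example; the address space, gateway, port list and
sample traffic below are assumptions, not data from the original thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the organisation's assigned address space and its SMTP gateway.
ASSIGNED_SPACE = ip_network("203.0.113.0/24")   # documentation range, stand-in
SMTP_GATEWAY = ip_address("203.0.113.25")

# Assumed stand-ins for the post's "ports X,Y,Z,P,D,Q": DNS, HTTP, HTTPS, NTP.
ALLOWED_DST_PORTS = {53, 80, 443, 123}
# A port mated to one source host, as the post suggests for SMTP.
HOST_BOUND_PORTS = {25: SMTP_GATEWAY}
# SMB / NT RPC ports Jason's message says to block in both directions.
ALWAYS_BLOCKED_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def egress_decision(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one outbound packet. Anything not
    explicitly accepted falls through to the default deny at the end."""
    src = ip_address(pkt.src)
    if pkt.dport in ALWAYS_BLOCKED_PORTS:
        return "DROP", f"port {pkt.dport} is in the always-block list"
    # Anti-spoofing: only addresses we were assigned may leave our network,
    # so forged-source traffic never gets out of the door.
    if src not in ASSIGNED_SPACE:
        return "DROP", f"source {pkt.src} not in assigned space {ASSIGNED_SPACE}"
    if pkt.dport in HOST_BOUND_PORTS:
        if src == HOST_BOUND_PORTS[pkt.dport]:
            return "ACCEPT", f"port {pkt.dport} permitted from designated host"
        return "DROP", f"port {pkt.dport} only permitted from {HOST_BOUND_PORTS[pkt.dport]}"
    if pkt.dport in ALLOWED_DST_PORTS:
        return "ACCEPT", f"port {pkt.dport} in allowed list"
    return "DROP", "default deny"


def iptables_rules() -> list[str]:
    """Render the same policy as iptables FORWARD rules on the egress interface.
    Order matters: always-block, anti-spoof, host-bound, allowed ports, default deny."""
    rules = []
    for p in sorted(ALWAYS_BLOCKED_PORTS):
        rules.append(f"iptables -A FORWARD -o eth0 -p tcp --dport {p} -j DROP")
        rules.append(f"iptables -A FORWARD -o eth0 -p udp --dport {p} -j DROP")
    rules.append(f"iptables -A FORWARD -o eth0 ! -s {ASSIGNED_SPACE} -j DROP")
    for port, host in HOST_BOUND_PORTS.items():
        rules.append(f"iptables -A FORWARD -o eth0 -p tcp -s {host} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -o eth0 -p tcp --dport {port} -j DROP")
    for p in sorted(ALLOWED_DST_PORTS):
        rules.append(f"iptables -A FORWARD -o eth0 -p tcp --dport {p} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -o eth0 -p udp --dport {p} -j ACCEPT")
    rules.append("iptables -A FORWARD -o eth0 -j DROP")
    return rules


# Constructed sample traffic, not captured data.
SAMPLES = [
    Packet("203.0.113.50", "198.51.100.10", 443),   # desktop -> HTTPS: allowed
    Packet("203.0.113.25", "198.51.100.20", 25),    # mail gateway -> SMTP: allowed
    Packet("203.0.113.50", "198.51.100.20", 25),    # desktop -> SMTP: dropped (spam bot)
    Packet("10.99.0.7", "198.51.100.10", 443),      # forged source: dropped
    Packet("203.0.113.50", "198.51.100.30", 445),   # SMB outbound: dropped (worm)
    Packet("203.0.113.50", "198.51.100.30", 6667),  # IRC: default deny
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        verdict, reason = egress_decision(pkt)
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport:<5} {verdict:6} {reason}")
    print()
    print("\n".join(iptables_rules()))
```

Two practical caveats when turning this into a live ruleset: the source-address check has to sit where the firewall still sees the internal addresses (before NAT rewrites them, or on the inside interface), otherwise every packet appears to come from the NAT address and the anti-spoofing rule checks nothing; and the "mated" SMTP rule only helps if the gateway really is the only host expected to speak port 25, so log the drops for a while before trusting the list.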

------------------------------

Message: 5
Date: Thu, 15 Apr 2010 09:59:02 -0400
From: "Paul D. Robertson" <probertson@fluiditgroup.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BC71BA6.3090202@fluiditgroup.com>
Content-Type: text/plain; charset=ISO-8859-1

Darden, Patrick S. wrote:
> No offense, but this list is "firewall wizards", not "I don't have time
> to do a good job of being a firewall admin". I believe the responses
> you have gotten are appropriate and expert.

I'm going to throw this out there again[1] because it's probably been
half a decade or so since I last said it- The demise of the Chapman
firewall mailing list means that there simply aren't a lot of good
resources for the beginner, the curious or the uninitiated. In that
regard, I'm more apt to approve basic questions and "How do I do *splat*
on my PIX?" than Marcus was. The list can't afford to "just tackle the
Wizard questions" IMNSHO.

While I wholeheartedly agree with the sentiment that we need to fix the
fact that "everyone doesn't know default allow sucks-" I, like Marcus
see the necessity of answering the question a thousand times. Maybe we
should rattle the Cybersecurity Czar's cage on this one?

Information security is like an endless game of tag where the same
person is always "it." We're still "it." We'll never not be "it," and
we can't stop playing.

Paul
[1] For those new to the list, administrative stuff comes from my
"work" account, personal postings come from paul@compuwar.net
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards. Editor, Network Firewall FAQ
Art: http://PaulDRobertson.imagekind.com/


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 48, Issue 5
***********************************************
