Thursday, April 22, 2010

firewall-wizards Digest, Vol 48, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: DNS Names for external services (Frank Knobbe)
2. Re: Firewall best practices (Darden, Patrick S.)
3. Re: Firewall best practices (Dave Piscitello)
4. Re: DNS Names for external services (Dave Piscitello)
5. Re: Firewall best practices (Martin Barry)
6. Looking for firewall mgmt solution (Morriss, Jason (NIH/CIT) [C])
7. Re: Looking for firewall mgmt solution (Flemming Laugaard)
8. Re: Firewall best practices (Marcus J. Ranum)
9. Re: Looking for firewall mgmt solution (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Sat, 17 Apr 2010 10:50:31 -0500
From: Frank Knobbe <frank@knobbe.us>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1271519431.58300.21.camel@localhost>
Content-Type: text/plain; charset="iso-8859-1"

On Tue, 2010-04-13 at 17:30 -0400, Bruce B. Platt wrote:
> I agree. I also support using non eponymous names. Rather than
> vpnserver.company.com, something like bart.company.com can be remembered,
> but does not immediately tell anyone what the machine might do. So a little
> obscurity may help.
>
> Or, make the server as impregnable as possible first, Then give it a name
> people can remember, then watch to see if people try to bust in or
> compromise it.


Or, use "bart" for your legitimate VPN, and point "vpn" to a honeypot
that screams loudly when tickled. That way you are actually deriving a
benefit from it rather than just obscurity. Likewise, if you don't run
an FTP server (or CVS, or POP3, or...), set up DNS records for those
pointing to your honeypot. Use it to respond in any way you see fit for
defense of your network (blocking the IP, etc).

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: This is a digitally signed message part
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100417/aabba449/attachment-0001.pgp>
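The decoy idea above, as an added example that is not from Frank's message or the list: a small Python honeypot that listens on the ports behind the decoy names (ftp., pop3., cvs. and so on pointed at this host), records every source that connects, captures the first thing the client sends, and hands back a firewall rule once a source crosses a threshold. The hostnames, ports, banners and the iptables syntax are assumptions for illustration; the rule string is only produced, never executed, and the stand-alone main binds privileged ports, so it needs root.

```python
# Decoy-service honeypot (added example, not code from the thread).
# Assumed setup: ftp.example.com, pop3.example.com, cvs.example.com resolve to
# this host while the real services do not exist, so any connection here is
# a probe, a worm, or a typo worth hearing about.
import socket
import threading
import time
from collections import defaultdict

# Port -> banner to emit so the probe proceeds far enough to log a credential
# or command.  Assumed values; CVS pserver is silent until the client speaks.
DECOYS = {
    21: b"220 ftp.example.com FTP server ready\r\n",
    110: b"+OK POP3 server ready\r\n",
    2401: b"",
}


class DecoyTracker:
    """Records who touched a decoy and decides when a source gets blocked."""

    def __init__(self, block_after=1):
        # block_after > 1 gives a mistyped hostname one free hit before a block
        self.block_after = block_after
        self.hits = defaultdict(list)   # src_ip -> [(port, unix_time), ...]
        self.blocked = set()
        self._lock = threading.Lock()

    def record(self, src_ip, port):
        """Log one connection.  Returns a firewall rule string the first time
        the source reaches the threshold, otherwise None."""
        with self._lock:
            self.hits[src_ip].append((port, time.time()))
            if len(self.hits[src_ip]) >= self.block_after and src_ip not in self.blocked:
                self.blocked.add(src_ip)
                return block_rule(src_ip)
        return None


def block_rule(src_ip):
    """Rule the operator would push to the border firewall.  iptables syntax is
    an assumption; substitute the real firewall's CLI.  Not executed here."""
    return f"iptables -I INPUT -s {src_ip} -j DROP"


def start_decoy(tracker, port, bind="0.0.0.0", banner=b"", handler=print):
    """Listen on `port` in a daemon thread.  Each connection is recorded, gets
    the banner, has its first line captured (e.g. b'USER anonymous'), and is
    closed.  Returns the bound port, which matters when `port` is 0."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    bound_port = srv.getsockname()[1]

    def loop():
        while True:
            conn, (src_ip, src_port) = srv.accept()
            rule = tracker.record(src_ip, bound_port)   # record before replying
            try:
                conn.settimeout(5)
                if banner:
                    conn.sendall(banner)
                try:
                    first = conn.recv(256)
                except socket.timeout:
                    first = b""
                handler(f"decoy {bound_port} hit from {src_ip}:{src_port} sent={first!r}")
                if rule:
                    handler(f"ACTION {rule}")
            finally:
                conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return bound_port


if __name__ == "__main__":
    tracker = DecoyTracker(block_after=1)
    for port, banner in DECOYS.items():
        start_decoy(tracker, port, banner=banner)
    print("decoys listening; Ctrl-C to stop")
    while True:
        time.sleep(60)
```

Two practical notes: the banner is what turns a port scan into evidence, because an FTP probe that gets a 220 will usually send USER and PASS before it gives up; and a block_after of 1 also blocks the colleague who typed ftp.example.com by habit, so start in alert-only mode (a handler that pages you) and raise the threshold before wiring the rule into the firewall.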

------------------------------

Message: 2
Date: Mon, 19 Apr 2010 07:52:55 -0400
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] Firewall best practices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE107524040E78B5@EX2K3.armc.org>
Content-Type: text/plain; charset="US-ASCII"


Good point. I fight against EVERYTHING. :-) However, if a connection
has distinct endpoints, and uses an encrypted protocol (ssh, ssl, ipsec)
then I fight with less energy. We have a VMZ here which helps--a
sandbox in which we put vendor-supplied systems that do not follow our best
practices. We firewall them out of the network, allow only limited
access, and stipulate that the vendor is responsible for security for their
system.

I think you have to seek the truth of whether the service is needed or
just desired, and then balance security vs. utility.

--p

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Morty
Sent: Friday, April 16, 2010 12:41 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

On Wed, Apr 14, 2010 at 09:10:36AM -0400, Jason Lewis wrote:

> The point of my question was if you're forced into a position to open
> everything, what ports *should* you always block and why.

Or less controversially, suppose you *do* have a default deny, and you
get requests to allow point-to-point dataflows (inbound or outbound)
and/or completely open select ports outbound. Which ports/services
should you fight back on or recommend alternatives? As a general rule,
I fight back on protocols that do unencrypted auth and/or are intended
for local LAN use and/or are very attractive to malware authors.
Examples: FTP, telnet, SMTP, portmap, 135, 137, 138, 139, 445, 1433,
NFS, IRC.

If you have IDS, your perspective might change because crypto-enabled
ports cause you to lose insight.

- Morty
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 3
Date: Mon, 19 Apr 2010 11:57:59 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BCC7D87.10200@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Jason Lewis wrote:
> While I believe the only allow what you need is a good rule, it's
> impossible to enforce in a lot of scenarios. How many small
> businesses have no firewall admins and do the configuration
> themselves? Do you think they are going to spend the time examining
> what ports should be open based on what their users are using? No,
> they will open ports until it works. Last time I checked every
> linksys router comes with allow all outbound by default. How many
> people change that?

This is laziness on the part of commodity router/firewall vendors. Some
of us are old enough to recall configuration "wizards" on dialup and
ISDN routers (ACC, Livingston, Compatible Systems...). The wizards asked
"what applications do you want to run?" This is known art, not rocket
science. While the application mix is much broader today than in 1995, it
is still possible to give even residential users enough context to make
an informed choice.

> The point of my question was if you're forced into a position to open
> everything, what ports *should* you always block and why. The
> response below doesn't help that IT guy with no experience or time to
> research everything.

There is no definitive list. Lots of badness exits networks via mail and
web ports, should you block these? Any list you come up with will be
long, and long is complex, and complex is "fail" for residential and SMB.

> For example, blocking SMB and NT RPC inbound and outbound should be a
> high priority. Ports 135, 137-139, 445. A lot of worms are propagated
> via these ports and when you attempt to do DNS lookups, windows will
> also try to connect outbound via SMB. I had hoped someone had already
> put this info on the web somewhere, but I have yet to find it.

If you haven't found this yet, you aren't looking in the right places
(and I don't mean to sound mean). I searched "block port 445 at
firewall" (www.grc.com/port_445.htm) and "block port 445 linksys"
(http://forums.cabling-design.com/xdsl/Netopia-3500-LinkSys-Port-135-and-445-in-Log-Files-1034-.htm)

> Marcus's thoughts on default permit are here:
> http://www.ranum.com/security/computer_security/editorials/dumb/index.html
> Again, I agree with the thoughts, but for a hardware vendor selling
> to a home user or a SMB, it's never going to happen. The user wants
> to buy a device, plug it in and have it work. They don't want to
> spend time configuring things. That's reality, default deny is a
> dream.

I suspect we will have to agree to disagree here. Default deny is an
imperative.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dave.vcf
Type: text/x-vcard
Size: 220 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100419/eb3d9d76/attachment-0001.bin>

------------------------------

Message: 4
Date: Mon, 19 Apr 2010 11:43:22 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BCC7A1A.7050409@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Paul Melson wrote:
> On Tue, Apr 13, 2010 at 12:16 PM, Behm, Jeff <jbehm@burnsmcd.com> wrote:
>> Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making people
>> know/use an IP address) for services you expose to the Internet.
>
> You mean the security trade-off whereby we protect ourselves from
> hackers that are too lazy to scan with nmap -sV but not too lazy to
> use scandns? It's a ridiculous corner case that's not worth
> accounting for.

+1

> On the other hand, using DNS names instead of IP addresses for
> Internet-facing services makes them more easily portable. For some
> services it can make load balancing and failover very simple and
> cheap. If any of your use cases is helped by naming Internet
> services, then do so. It's that simple.

+1

Also, consider the low esteem IP addresses have in email. Much antispam
software aggressively downgrades email containing IP addresses. If you
intend to notify folks of the availability of services via email, aren't
you increasing the probability that someone's antispam measures will
block delivery?

[I suppose you could ask your users and customers to scan your IP
addresses to find services. If you even pause to consider this option...]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dave.vcf
Type: text/x-vcard
Size: 220 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100419/726cf6a1/attachment-0001.bin>

------------------------------

Message: 5
Date: Mon, 19 Apr 2010 11:01:42 +0200
From: Martin Barry <marty@supine.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20100419090142.GA26508@merboo.mamista.net>
Content-Type: text/plain; charset=us-ascii

$quoted_author = "Morty" ;
>
> If you have IDS, your perspective might change because crypto-enabled
> ports cause you to lose insight.

...and every app that wants to work around a firewall just encrypts its
traffic and runs the server on port 443.

It would be nice to not be "enumerating badness" and blacklisting IPs
running services on port 443 that are against corporate policy but trying
for "default deny and whitelist" would cause a DOS on support resources.

cheers
Marty


------------------------------

Message: 6
Date: Mon, 19 Apr 2010 07:13:16 -0400
From: "Morriss, Jason (NIH/CIT) [C]" <morrissj@mail.nih.gov>
Subject: [fw-wiz] Looking for firewall mgmt solution
To: "'firewall-wizards@listserv.icsalabs.com'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<0CADA15E942196438C242C19FA72B4FC01B49B2FE7@NIHMLBX01.nih.gov>
Content-Type: text/plain; charset="us-ascii"

Hi there,

I'm wondering if anyone can give me any suggestions. I'm looking for a solution for my organization that will allow us to manage multiple firewalls from multiple vendors using a single interface (preferably web based). I've looked at a couple of different products so far and all of them simply analyze a firewall's rulesets to help you optimize and cleanup a firewall. That's fine, but we want this software to actually do the configuration changes that users input as well, similar to what OPSWARE does for routers and switches (OPSWARE does not work with firewalls very well).


Thanks,
Jason

------------------------------

Message: 7
Date: Thu, 22 Apr 2010 12:29:18 +0200
From: Flemming Laugaard <flemming@laugaard.dk>
Subject: Re: [fw-wiz] Looking for firewall mgmt solution
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BD024FE.1030505@laugaard.dk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Did you look at FWbuilder (http://www.fwbuilder.org/)?

--

Regards
Flemming Laugaard

------------------------------

Message: 8
Date: Thu, 22 Apr 2010 09:17:35 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BD05A7F.1070709@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Martin Barry wrote:
> ...and every app that wants to work around a firewall just encrypts its
> traffic and runs the server on port 443.

That's why firewalls need to go back to doing what they
originally did, and parsing/analyzing the traffic that
flows through them, rather than "stateful packet
inspection" (which, as far as I can tell, means that
there's a state-table entry saying "I saw SYN!")

If the firewall doesn't understand the data it's passing,
it's not a firewall, it's a hub.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
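Marcus's point, and Martin's two messages up about everything hiding on port 443, in code, as an added example that is not from either message: a firewall that "understands the data it's passing" on 443 at minimum checks that the first bytes from the client are a TLS ClientHello and pulls out the server name, rather than trusting the port number. The parser below does that and classifies SSH banners and plaintext HTTP on 443 as tunnels. The ClientHello builder exists only to produce sample input; the verdict strings and the idea of holding a partial record are this example's own conventions, not any product's.

```python
# Protocol-aware check for TCP/443 (added example, not code from the thread).
# Instead of "I saw SYN", look at the first client bytes and decide whether
# they are TLS at all, and if so for which server name.
import struct


def build_client_hello(server_name, version=0x0303):
    """Construct a minimal ClientHello (one cipher suite, optional SNI).
    Only used to produce sample input here; a real client sends far more."""
    if server_name is None:
        exts = b""
    else:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name
        sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)              # ext type 0
                   + struct.pack("!H", len(sni_entry)) + sni_entry)
        exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (struct.pack("!H", version) + b"\x00" * 32      # client_version, random
            + b"\x00"                                       # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"            # one cipher suite
            + b"\x01\x00"                                   # one compression method
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the SNI ('' if absent) when `data` starts with a complete TLS
    ClientHello; return None for anything else (HTTP, SSH, a custom tunnel,
    or a truncated record the caller should buffer first)."""
    try:
        if data[0] != 0x16:                                  # record type: handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:           # handshake: ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                          # client_version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        if pos >= len(hs):
            return ""                                         # no extensions
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("ascii", "replace")
        return ""
    except (IndexError, struct.error):
        return None


def inspect_443(payload):
    """Verdict for the first client bytes of a flow to TCP/443: (verdict, detail)."""
    if payload[:1] == b"\x16" and len(payload) >= 5:
        rec_len = struct.unpack("!H", payload[3:5])[0]
        if len(payload) < 5 + rec_len:
            return ("hold", "partial TLS record; buffer more bytes")
    sni = parse_client_hello(payload)
    if sni is None:
        head = payload[:16]
        if head.startswith(b"SSH-"):
            return ("drop", "SSH banner on 443: tunnelled shell, not TLS")
        if head.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
            return ("drop", "plaintext HTTP on 443")
        return ("drop", "not a TLS ClientHello")
    if not sni:
        return ("log", "TLS without SNI; no name to apply policy to")
    return ("pass", sni)


if __name__ == "__main__":
    # Constructed samples: a real hello, an SSH-over-443 tunnel, plain HTTP.
    for sample in (build_client_hello("www.example.com"),
                   b"SSH-2.0-OpenSSH_5.3\r\n",
                   b"GET / HTTP/1.1\r\nHost: tunnel.example.net\r\n\r\n"):
        print(inspect_443(sample))
```

The "hold" verdict is the part most home-grown inspectors get wrong: a ClientHello can arrive split across segments, and dropping on the first fragment breaks legitimate clients. The "log" verdict exists because SNI is optional, so a name-based policy needs a decision for flows that carry none.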


------------------------------

Message: 9
Date: Thu, 22 Apr 2010 06:37:35 -0400
From: Paul Melson <pmelson@gmail.com>
Subject: Re: [fw-wiz] Looking for firewall mgmt solution
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<j2m40ecb01f1004220337q72b953f4mbe409666994b6770@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Apr 19, 2010 at 7:13 AM, Morriss, Jason (NIH/CIT) [C]
<morrissj@mail.nih.gov> wrote:
> I'm wondering if anyone can give me any suggestions. I'm looking for a solution for my organization that will allow us to manage
> multiple firewalls from multiple vendors using a single interface (preferably web based). I've looked at a couple of different products so
> far and all of them simply analyze a firewall's rulesets to help you optimize and cleanup a firewall. That's fine, but we want this
> software to actually do the configuration changes that users input as well, similar to what OPSWARE does for routers and switches
> (OPSWARE does not work with firewalls very well).

Have you looked at Playbook from Matasano?

http://runplaybook.com/

PaulM


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 48, Issue 8
***********************************************
