
Wednesday, March 24, 2010

firewall-wizards Digest, Vol 47, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewall best practices (Andre Lima)
2. Re: Firewall best practices (Potter, Albert (Al))
3. Re: Firewall best practices (arvind doraiswamy)


----------------------------------------------------------------------

Message: 1
Date: Sun, 21 Mar 2010 10:00:59 +0000
From: Andre Lima <andreflima@gmail.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BA5EE5B.6060505@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi jas,

Actually, it's not about the ports to block, but the ports to allow.
That's assuming you're using a drop/deny all policy, which frankly you
should.
But even with the deny all policy, there should be a few basic packets
you should drop:
1. (if you're using iptables) drop invalid state packets
2. make sure you restrict ICMP traffic and never allow echo requests to
get in (avoiding smurf attacks) or any broadcast traffic for that matter.
3. don't allow IP packets with options to get in. These are usually used
by hackers to make spoofed packets go back to them (IP header length
must be 5!)
4. mitigate spoofing or LAND DoS attacks by denying inside traffic with
source IP addresses from private networks (192.168.0.0/16, etc)
5. (this is usually default modern OS behaviour but) make sure you
mitigate TCP SYN flood attacks with (usually OS supported) TCP cookies.
This should be the least the firewall should do.

--
André Lima
Cisco Certified Network Associate - CCNA
http://pwp.net.ipl.pt/alunos.isel/28838/


On 3/20/10 4:54 PM, Jason Lewis wrote:
> I was configuring a new firewall and was setting up rules to block
> things like SMB and known trojan ports and remote access clients. It
> got me thinking that the process would be quicker if I had a list of
> recommended ports/apps to block.
>
> Is anyone aware of such a list? Best practices for ports to block
> seems like something that would exist, but I haven't had any luck in
> my search.
>
> jas
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

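The baseline above, written out as a default-deny iptables ruleset. This is an added example, not code from the post or its author: interface names, the inside prefix and the admin prefix are assumptions for the example; point 3 is implemented with the xt_u32 match on the IHL nibble, and point 5 is a kernel sysctl rather than a rule. The script only prints the ruleset, so it can be reviewed before being fed to iptables-restore.

```shell
#!/bin/sh
# Added example (not from the list post): a default-deny ruleset in
# iptables-restore format covering the five baseline drops above.
# Interface names and prefixes are assumptions; change them for your site.
WAN_IF="${WAN_IF:-eth0}"                # assumption: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                # assumption: inside interface
LAN_NET="${LAN_NET:-10.1.0.0/24}"       # assumption: the only prefix that lives inside
ADMIN_NET="${ADMIN_NET:-10.1.0.0/28}"   # assumption: hosts allowed to SSH to the firewall

# Point 5 (plus related kernel knobs): SYN cookies, ignore broadcast echo
# requests (smurf), strict reverse-path check, no source-routed packets.
emit_sysctl() {
cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
EOF
}

emit_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BASELINE - [0:0]
# -- baseline drops, shared by INPUT and FORWARD --
# 1. packets the connection tracker cannot classify
-A BASELINE -m conntrack --ctstate INVALID -j DROP
# 2. no echo requests from outside, no broadcast destinations at all
-A BASELINE -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
-A BASELINE -m addrtype --dst-type BROADCAST -j DROP
# 3. IP options present: IHL (low nibble of byte 0) above 5 words; needs xt_u32
-A BASELINE -m u32 --u32 "0>>24&0x0F=6:15" -j DROP
# 4. anti-spoofing: private/loopback sources never arrive from outside,
#    and only LAN_NET arrives from inside
-A BASELINE -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A BASELINE -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A BASELINE -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A BASELINE -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A BASELINE -i $LAN_IF ! -s $LAN_NET -j DROP
-A BASELINE -j RETURN
-A INPUT -j BASELINE
-A FORWARD -j BASELINE
# -- allow list: only what is needed; everything else hits the DROP policy --
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the ICMP errors that path MTU discovery and traceroute need
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# log (rate-limited) what is about to be dropped, then fall through to the policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop-fwd: "
COMMIT
EOF
}

# Usage: sh fw.sh sysctl > /etc/sysctl.d/50-firewall.conf && sysctl --system
#        sh fw.sh rules | iptables-restore
case "${1:-}" in
  sysctl) emit_sysctl ;;
  rules)  emit_ruleset ;;
esac
```

The BASELINE chain is shared so the drops apply to traffic addressed to the firewall and to traffic through it alike; the echo-request drop is bound to the outside interface only, so hosts inside can still ping out and receive replies via the conntrack ESTABLISHED match.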
------------------------------

Message: 2
Date: Mon, 22 Mar 2010 16:58:30 +0000
From: "Potter, Albert (Al)" <apotter@icsalabs.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<02C94FA7F698FC4093BA0EED57834E25055512A6@ASHEVS008.mcilink.com>
Content-Type: text/plain; charset=us-ascii

</lurk>

This is easy.....

Block List: ALL

Allow List: Only what you need and can trust

AL


<lurk>

> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-
> wizards-bounces@listserv.icsalabs.com] On Behalf Of Jason Lewis
> Sent: Saturday, March 20, 2010 12:55 PM
> To: Firewall Wizards Security Mailing List
> Subject: [fw-wiz] Firewall best practices
>
> I was configuring a new firewall and was setting up rules to block
> things like SMB and known trojan ports and remote access clients. It
> got me thinking that the process would be quicker if I had a list of
> recommended ports/apps to block.
>
> Is anyone aware of such a list? Best practices for ports to block
> seems like something that would exist, but I haven't had any luck in
> my search.
>
> jas
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 3
Date: Mon, 22 Mar 2010 22:07:35 +0530
From: arvind doraiswamy <arvind.doraiswamy@gmail.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<e7efc21f1003220937w2337c4aenb22f81bc27f0f150@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I'm not really sure anything of that sort will be available anywhere.
Even if it is I'd advise you take it with a big pinch of salt. Reason
being I think there's only 1 "best" list -- That's based on the "what
you need" principle.

Meaning I could rattle off a list of say 10 ports which should not be
exposed...but it'd all be utterly useless if your business demanded
those remain open. So if there's legacy code in your setup which
demands that UDP ports between 1024 and 65535 remain open... and they
are not willing to phase it out -- the best thing you can then do is
restrict IP addresses and put other compensatory controls in place.

To sum up - The best list is:

a) Grant access to exactly what you need in your environment.
Wireshark is your friend.
b) Deny all else

Not exactly what you're looking for maybe...but it's just an approach
I think sort of fits IMHO.

Cheers
Arvind

On Sat, Mar 20, 2010 at 10:24 PM, Jason Lewis <jlewis@packetnexus.com> wrote:
> I was configuring a new firewall and was setting up rules to block
> things like SMB and known trojan ports and remote access clients. It
> got me thinking that the process would be quicker if I had a list of
> recommended ports/apps to block.
>
> Is anyone aware of such a list? Best practices for ports to block
> seems like something that would exist, but I haven't had any luck in
> my search.
>
> jas
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

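The "grant exactly what you need, Wireshark is your friend" approach, as an added example that is not part of the post: a script that takes a field export from tshark (the tshark invocation in the comment is the assumed input format; the sample flows are constructed), collapses it to the distinct services actually in use and emits one allow rule per service. Anything on a high port is pinned to the observed source/destination pair instead of opening the range, which is the compensating control the message describes for the legacy UDP case.

```shell
#!/bin/sh
# Added example (not from the list post): turn observed flows into allow rules.
# Expected input is what tshark prints for
#   tshark -r capture.pcap -Y '(tcp.flags.syn==1 && tcp.flags.ack==0) || udp' \
#     -T fields -E separator=, -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport
# i.e. one connection attempt per line: src,dst,proto,tcp_dport,udp_dport.
# SAMPLE_FLOWS is constructed for this example and stands in for that output.
SAMPLE_FLOWS='10.1.0.5,192.0.2.10,6,443,
10.1.0.7,192.0.2.10,6,443,
10.1.0.5,192.0.2.53,17,,53
10.1.0.9,192.0.2.53,17,,53
10.1.0.9,192.0.2.77,17,,40000
10.1.0.9,192.0.2.77,17,,40001
10.1.0.9,192.0.2.77,17,,40002
10.1.0.12,192.0.2.22,6,22,'

# Reads flow lines on stdin and prints iptables rules for exactly those
# services. Well-known ports (< 1024) get one rule each; anything in the
# ephemeral range (the "legacy UDP 1024-65535" case) is pinned to the observed
# source/destination pair instead, as the compensating control.
flows_to_rules() {
  awk -F, '
    $3 == 6  { proto = "tcp"; port = $4 }
    $3 == 17 { proto = "udp"; port = $5 }
    $3 != 6 && $3 != 17 { next }
    port == "" { next }
    {
      key = proto "/" port
      flows[key]++
      if (port + 0 < 1024) low[key] = 1
      else high[key "," $1 "," $2]++
    }
    END {
      for (k in low) {
        split(k, f, "/")
        printf "-A FORWARD -p %s --dport %s -m conntrack --ctstate NEW -m comment --comment \"observed flows=%d\" -j ACCEPT\n", f[1], f[2], flows[k]
      }
      for (p in high) {
        split(p, f, "[/,]")
        printf "-A FORWARD -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -m comment --comment \"high port, pinned, flows=%d\" -j ACCEPT\n", f[3], f[4], f[1], f[2], high[p]
      }
    }' | sort
}

# Usage: sh allowlist.sh sample          (runs on the constructed data)
#        tshark ... | sh allowlist.sh -   (real capture)
case "${1:-}" in
  sample) printf '%s\n' "$SAMPLE_FLOWS" | flows_to_rules ;;
  -)      flows_to_rules ;;
esac
```

The flow count travels with each rule as an iptables comment, so when the ruleset is reviewed later it is still clear why a port was opened and how much traffic justified it; a service seen once in a week of capture deserves a second look before it goes into the allow list.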

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 47, Issue 2
***********************************************
