Re: Misconfigured firewalls

["TC Wolsey" <twolsey () realtech com>]

> Lance Spitzner <lance () ksni net> 12/07/99 08:09PM >>>
> A trend I have noticed after auditing a variety of clients is
> miconfigured firewalls.  I often find rules that expose my
> clients to great risk, even though they spent $50,000 on their
> firewall setup.  I've written a whitepaper to help firewall
> admins build their first rulebase.  My goal is to give admins
> a place to start in building a solid rulebase, hopefully 
> avoiding the more common pitfalls of rulebase design.
>
> I would greatly appreciate if you guru's out there could 
> give the paper a "looksy" before I publish it.  I want to
> be sure I'm giving firewall admins a good start.  Also, I 
> would greatly appreciate any suggestions you may have based
> on your experience with firewall rulebases.  I base my
> examples on FW-1, but they should apply to most firewalls.
>
> Designing Your Firewall Rulebase
> http://www.enteract.com/~lspitz/rules.html 
>
> Thanks!
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html 

Lance, 

A couple of points, mostly FW-1 specific:

You have left outgoing services enabled in the properties as Last, but block outgoing in the rulebase with rule 11. 

You are rejecting ident and NBT destined for the FW, shouldn't you be sending RSTs for ident destined for the 
mailserver?

Is the sample policy of allowing any access out from the internal network the best choice of reference for possibly 
inexperienced admins? I think that a sample that allowed only DNS queries from the internal DNS server and HTTP and FTP 
services from a proxy server might steer them down a better path. I know that the example policy in your publication 
reflects what some organizations elect to do, but I would not like to see that type of policy encouraged if at all 
possible. 

Regards,

--tcw