Firewall Wizards mailing list archives
Re: Misconfigured firewalls
From: "TC Wolsey" <twolsey () realtech com>
Date: Thu, 09 Dec 1999 18:03:20 -0500
Lance Spitzner <lance () ksni net> 12/07/99 08:09PM >>>
> A trend I have noticed after auditing a variety of clients is misconfigured firewalls. I often find rules that expose my clients to great risk, even though they spent $50,000 on their firewall setup.
>
> I've written a whitepaper to help firewall admins build their first rulebase. My goal is to give admins a place to start in building a solid rulebase, hopefully avoiding the more common pitfalls of rulebase design.
>
> I would greatly appreciate it if you gurus out there could give the paper a "looksy" before I publish it. I want to be sure I'm giving firewall admins a good start. Also, I would greatly appreciate any suggestions you may have based on your experience with firewall rulebases. I base my examples on FW-1, but they should apply to most firewalls.
>
> Designing Your Firewall Rulebase
> http://www.enteract.com/~lspitz/rules.html
>
> Thanks!
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
Lance,

A couple of points, mostly FW-1 specific:

You have left outgoing services enabled in the properties as Last, but block outgoing in the rulebase with rule 11.

You are rejecting ident and NBT destined for the FW; shouldn't you be sending RSTs for ident destined for the mailserver?

Is the sample policy of allowing any access out from the internal network the best choice of reference for possibly inexperienced admins? I think that a sample that allowed only DNS queries from the internal DNS server and HTTP and FTP services from a proxy server might steer them down a better path. I know that the example policy in your publication reflects what some organizations elect to do, but I would not like to see that type of policy encouraged if at all possible.

Regards,

--tcw
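As an added illustration of two of the points above (an implied "outgoing" rule placed Last behind a cleanup rule, and a sample policy that only lets the DNS server and the proxy out), here is a small first-match rulebase evaluator. It is not code from the thread or from Lance's paper; the addresses, rule names, and the modelling of the implied rule as traffic the gateway itself originates are assumptions made for the example.

```python
from ipaddress import IPv4Network, ip_address

# Constructed sample network; these addresses are assumptions, not from the thread.
DNS_SERVER = ip_address("10.0.0.53")   # only internal host allowed to query DNS outbound
PROXY = ip_address("10.0.0.80")        # only internal host allowed HTTP/FTP outbound
FIREWALL = ip_address("192.0.2.1")
MAIL_SERVER = ip_address("192.0.2.25")
ANY = None                             # wildcard for any rule field

def covers(field, value):
    """True if a rule field (wildcard, network or exact value) matches a packet value."""
    if field is ANY:
        return True
    if isinstance(field, IPv4Network):
        return value in field
    return field == value

# Explicit rules as (name, src, dst, proto, dport, action); first match wins, as in FW-1.
EXPLICIT = [
    ("reject ident to mailserver (RST)", ANY, MAIL_SERVER, "tcp", 113, "reject"),
    ("drop NBT to firewall", ANY, FIREWALL, "udp", 137, "drop"),
    ("smtp in", ANY, MAIL_SERVER, "tcp", 25, "accept"),
    ("dns out, dns server only", DNS_SERVER, ANY, "udp", 53, "accept"),
    ("http out, proxy only", PROXY, ANY, "tcp", 80, "accept"),
    ("ftp out, proxy only", PROXY, ANY, "tcp", 21, "accept"),
    ("cleanup: drop everything else", ANY, ANY, ANY, ANY, "drop"),
]
# Implied rule from the properties sheet (assumed): accept packets the gateway itself originates.
IMPLIED = ("implied: accept outgoing from gateway", FIREWALL, ANY, ANY, ANY, "accept")

def rulebase(implied_position):
    """Place the implied rule First or Last relative to the explicit rules, as the property allows."""
    return [IMPLIED] + EXPLICIT if implied_position == "first" else EXPLICIT + [IMPLIED]

def decide(rules, src, dst, proto, dport):
    """Return (rule name, action) of the first matching rule; no match at all means drop."""
    for name, *fields, action in rules:
        if all(covers(f, v) for f, v in zip(fields, (src, dst, proto, dport))):
            return name, action
    return "implicit drop", "drop"

def shadowed(rules):
    """Names of rules no packet can ever reach: an earlier rule is at least as wide in every field."""
    def wider(a, b):  # does rule field a match everything rule field b matches?
        if a is ANY or a == b:
            return True
        if isinstance(a, IPv4Network) and b is not ANY:
            return b.subnet_of(a) if isinstance(b, IPv4Network) else b in a
        return False
    return [r[0] for i, r in enumerate(rules)
            if any(all(wider(a, b) for a, b in zip(e[1:-1], r[1:-1])) for e in rules[:i])]
```

With the implied rule Last, `shadowed()` reports it as dead (the cleanup rule drops first), while First would let gateway-originated traffic bypass the whole rulebase; a workstation's direct HTTP request is dropped, only the proxy's is accepted.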