Firewall Wizards mailing list archives

Re: port number muse


From: Bill_Royds () pch gc ca
Date: Sat, 20 May 2000 14:54:00 -0400

Normally one's security policy examines services and decides which ones are
important and secure enough versus less important or too insecure. Since
listening ports are based on services, this should define what ports are open.
Over time there will be requests to allow other services and there should be a
review of previously allowed services for possible lowered usage or increased
security problems (new exploits etc.). This would be a basis for changing the
ports allowed.
Basically we work from principles to policies to procedures.
Principles:
     1. No services can be allowed that allow access from Internet to internal
workstations without authorisation.
     2. Internal clients should have access to Internet when it doesn't conflict
with principle 1.
     3. Access in 2 should have informed consent of clients and should minimize
use of shared resources.
     4. Where possible all transactions from internal network to Internet are
monitored for correctness of protocol and security breaches.
These may not be appropriate for you but they give a basis for evaluation which
services to allow and which to deny.
Policies:
     1. Firewall blocks all connections from Internet to internal network
(default deny all) except for those explicitly allowed in 2.
     2. Internal users can have desktop browsers for HTTP since the protocol is
query-response, so all transactions are initiated by internal users and the
firewall has a proxy for HTTP and can ensure valid protocol connections.
     3. Internal users can't use IRC because transactions can be initiated by
anyone in the room once a connection to a chat room is established.
     4. SMTP mail must come from a server under our control, so a bastion server
on the outside of the firewall is our MX host.

     etc.

Procedures:
     1. Install proxy firewall between Internet and internal network.
     2. Install browser versions on desktop that do not allow un-attended
updates (no Internet Explorer channels).

   and many more.

If someone asks for a new service, we evaluate its business case versus its
security according to these criteria and can allow or deny it. The business case
must be pretty strong to add it. You may stop a service when a more secure
alternative is found. We have replaced all Telnet access by ssh, for example.
This means you are never stopping a service arbitrarily, because you never
allowed it in the first place.
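As an added illustration (not part of the original post), the policies above can be written down as an ordered rule table with a default-deny fallback, so that any service nobody ever asked for is denied without a rule having to name it. The address ranges, the proxy and bastion hosts, and the port numbers are assumed for the example.

```python
"""Added example: Bill's policies 1-4 as an explicit default-deny rule table.
All addresses, hosts and ports below are assumed values for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal network
PROXY = ip_address("10.0.0.5")        # assumed HTTP proxy on the firewall
MAIL = ip_address("10.0.0.25")        # assumed internal mail server
BASTION = ip_address("192.0.2.25")    # assumed bastion MX outside the firewall


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


# Rules are (name, predicate, verdict), checked in order; first match wins.
# Nothing here permits Internet -> workstation traffic (principle 1).
RULES = [
    # Policy 2: desktops reach the proxy, and only the proxy speaks HTTP out,
    # so every web transaction is client-initiated and protocol-checked.
    ("desktop to HTTP proxy", lambda f: is_internal(f.src)
        and ip_address(f.dst) == PROXY and f.proto == "tcp" and f.dport == 8080, "allow"),
    ("proxy HTTP to Internet", lambda f: ip_address(f.src) == PROXY
        and not is_internal(f.dst) and f.proto == "tcp" and f.dport == 80, "allow"),
    # Policy 3: no IRC, since anyone in a room can initiate traffic back.
    ("outbound IRC", lambda f: is_internal(f.src)
        and f.proto == "tcp" and f.dport == 6667, "deny"),
    # Policy 4: inbound SMTP only from our bastion MX to the mail server.
    ("SMTP from bastion MX", lambda f: ip_address(f.src) == BASTION
        and ip_address(f.dst) == MAIL and f.proto == "tcp" and f.dport == 25, "allow"),
]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason); unmatched flows hit policy 1's default deny."""
    for name, match, verdict in RULES:
        if match(flow):
            return verdict, name
    return "deny", "default deny (policy 1)"
```

A request for a new service then becomes a proposal to add one named rule, which is exactly the review point the post describes.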

Jay Nayegandhi <jnay () intface com> on 05/18/2000 10:23:58

Please respond to Jay Nayegandhi <jnay () intface com>

 To:      "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: [fw-wiz] port number muse

I often see questions like what is port number xyz used for.  I presume list
members see someone trying to access an unfamiliar port a significant number
of times and want to know what's going on.

I am curious about what action you take:  Do you block access to that port
before finding out what it is and wait for someone to show up saying
such-and-such application no longer works, or do you find out what it is
used for and then decide what to do about it?  Or is this the kind of thing
that gets defined as part of a security policy for a network?

Thank you,

Jay