Firewall Wizards mailing list archives
Re: port number muse
From: Bill_Royds () pch gc ca
Date: Sat, 20 May 2000 14:54:00 -0400
Normally one's security policy examines services and decides which ones are important and secure enough versus less important or too insecure. Since listening ports are based on services, this should define what ports are open. Over time there will be requests to allow other services and there should be a review of previously allowed services for possible lowered usage or increased security problems (new exploits etc.). This would be a basis for changing the ports allowed. Basically we work from principles to policies to procedures.

Principles:
1. No services can be allowed that allow access from Internet to internal workstations without authorisation.
2. Internal clients should have access to Internet when it doesn't conflict with principle 1.
3. Access in 2 should have informed consent of clients and should minimize use of shared resources.
4. Where possible all transactions from internal network to Internet are monitored for correctness of protocol and security breaches.

These may not be appropriate for you but they give a basis for evaluating which services to allow and which to deny.

Policies:
1. Firewall blocks all connections from Internet to internal network (default deny all) except for those explicitly allowed in 2.
2. Internal users can have desktop browsers for http since protocol is query-response so all transactions are initiated by internal users and firewall has proxy for HTTP and can ensure valid protocol connections.
3. Internal users can't use IRC because transactions can be initiated by anyone in room once connection to a chat room is established.
4. SMTP mail must come from a server under our control so a bastion server on outside of firewall is our MX host.
etc.

Procedures:
1. Install proxy firewall between Internet and internal network.
2. Install browser versions on desktop that do not allow un-attended updates (no Internet Explorer channels).
and many more.

If someone asks for a new service, we evaluate its business case versus its security according to these criteria and can allow or deny it. The business case must be pretty strong to add it. You may stop a service when a more secure alternative is found. We have replaced all Telnet access by ssh for example. This means you are never stopping a service arbitrarily because you never allowed it in the first place.

Jay Nayegandhi <jnay () intface com> on 05/18/2000 10:23:58
Please respond to Jay Nayegandhi <jnay () intface com>
To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: [fw-wiz] port number muse

I often see questions like what is port number xyz used for. I presume list members see someone trying to access an unfamiliar port a significant number of times and want to know what's going on. I am curious about what action you take: Do you block access to that port before finding out what it is and wait for someone to show up saying such-and-such application no longer works, or do you find out what it is used for and then decide what to do about it? Or is this the kind of thing that gets defined as part of a security policy for a network?

Thank you,
Jay
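The four policies in the reply above, expressed as a first-match ruleset with an explicit default deny, as an added example that is not part of the original post. The address plan (10.0.0.0/8 internal, a proxy at 10.0.0.5 on port 3128, a bastion MX at 192.0.2.25) is constructed for the illustration; the point it shows is that an unfamiliar port is already denied without anyone having to decide what it is.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed address plan (assumption, not from the post): RFC 1918 internal
# range, an HTTP proxy inside it, and a bastion MX host in the TEST-NET-1 block.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_network("10.0.0.5/32")
BASTION = ipaddress.ip_network("192.0.2.25/32")
ANY = None  # wildcard for src, dst or dport


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]

    def matches(self, src, dst, dport) -> bool:
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.dport is None or dport == self.dport))


# Ordered ruleset derived from policies 2-4; policy 1 is the fall-through.
# No rule mentions an "unknown" port: whatever is not listed is denied.
RULES = [
    Rule("p2 desktop to HTTP proxy", "allow", INTERNAL, PROXY, 3128),  # 3128 assumed proxy port
    Rule("p2 proxy fetches web pages", "allow", PROXY, ANY, 80),
    Rule("p3 no IRC from inside", "deny", INTERNAL, ANY, 6667),
    Rule("p4 inbound SMTP only to bastion MX", "allow", ANY, BASTION, 25),
    Rule("p4 bastion relays outbound mail", "allow", BASTION, ANY, 25),
]
DEFAULT = Rule("p1 default deny", "deny", ANY, ANY, ANY)


def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Decide one connection attempt: first matching rule wins, else default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.matches(s, d, dport):
            return rule.action, rule.name
    return DEFAULT.action, DEFAULT.name


if __name__ == "__main__":
    for attempt in [("203.0.113.7", "10.1.2.3", 31337), ("10.1.2.3", "10.0.0.5", 3128),
                    ("10.1.2.3", "198.51.100.9", 6667), ("203.0.113.7", "192.0.2.25", 25)]:
        print(attempt, "->", evaluate(*attempt))
```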