Firewall Wizards mailing list archives
Re: Firewall best practices
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 15 Apr 2010 08:09:35 -0500
Jason Lewis wrote:
> While I believe the only allow what you need is a good rule, it's impossible to enforce in a lot of scenarios.
That's quite true. There's the ideal, and then there is the reality. Sometimes they don't match up, and we're left with only reality. As some wise wag once put it: "if wishes were horses, even beggars would ride."
> How many small businesses have no firewall admins and do the configuration themselves?
Then they should expect less good results. That's the trick. "Hey, given that I can only spend 10 minutes on this, don't blame me when something goes wrong." In this case the employee/security manager needs to shift from trying to secure the perimeter to trying to protect their job. Instead of analyzing which ports are open, keep an eye on the job market in your area. Instead of mapping network connectivity, network with your peers and look for a job in a place that has better executive management. Remember the story of the boy on the burning deck? There are actually 3 "take-aways" from it, not 1; yes, 1) the boy was noble, but 2) the boy died and 3) the ship sank anyway.
> Do you think they are going to spend the time examining what ports should be open based on what their users are using? No, they will open ports until it works.
And they'll eventually be hosting malware central. You're completely correct; it's reality. The place where unreality sets in is only when people do a half-assed job and expect full-assed results.
> Last time I checked every Linksys router comes with allow all outbound by default. How many people change that?
Only a few. They're called "the guys who don't get hacked to pieces." The other guys are called "the guys with conficker."
> The point of my question was if you're forced into a position to open everything, what ports *should* you always block and why.
You did the equivalent of asking for "the best recipe for beef stroganoff for a man who has no beef."
> The response below doesn't help that IT guy with no experience or time to research everything.
Nothing can help him. He's screwed. He should spend his time on other things like keeping his resume up to date, playing office politics to get promoted, and day-trading stock to make as much money as he can so that he can retire early. I like this "let's be pragmatic" stuff! :D
> They don't want to spend time configuring things. That's reality, default deny is a dream.
For them, "security" is also a dream. The problem is merely one of "how do I avoid having to listen to them complain when they get pwnz0red?" rather than "how do I secure the network." See? Pragmatism is mostly a matter of picking what problem you're really trying to solve.

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
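The exchange above turns on one observable condition: whether an edge device's outbound (egress) stance is "allow all" by default or default-deny with explicit exceptions. The following is an added example, not code from the original post or from any product it mentions: a small Python audit that reads an iptables-save style dump (the three dumps below are constructed sample data, not captured from a real router) and reports whether egress is genuinely default-deny, which chains are wide open, and which explicit ports are allowed. It also catches the case where the chain policy is DROP but a catch-all `-j ACCEPT` rule quietly makes it allow-all anyway.

```python
import re

# Constructed sample: the "Linksys out of the box" stance, everything outbound allowed.
SAMPLE_ALLOW_ALL = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Constructed sample: default-deny egress with a short explicit allow list.
SAMPLE_DEFAULT_DENY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed sample: policy says DROP, but an unqualified ACCEPT defeats it.
SAMPLE_LEAKY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -j ACCEPT
COMMIT
"""

EGRESS_CHAINS = ("OUTPUT", "FORWARD")  # host-originated and routed traffic


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#"):
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def audit_egress(dump):
    """Classify the outbound stance of a ruleset.

    Returns a dict with:
      chains_open       - egress chains whose default policy is ACCEPT
      catch_all_accepts - ACCEPT rules with no match criteria (policy bypass)
      allowed_ports     - (proto, dport) pairs explicitly permitted outbound
      default_deny      - True only if no chain is open and no catch-all exists
    """
    policies, rules = parse_filter_table(dump)
    chains_open = sorted(c for c in EGRESS_CHAINS if policies.get(c, "ACCEPT") == "ACCEPT")
    catch_all, allowed = [], []
    for rule in rules:
        parts = rule.split()
        if parts[1] not in EGRESS_CHAINS or parts[-2:] != ["-j", "ACCEPT"]:
            continue
        if parts[2:] == ["-j", "ACCEPT"]:  # "-A OUTPUT -j ACCEPT": no qualifiers at all
            catch_all.append(rule)
            continue
        m = re.search(r"-p (\w+) .*--dport (\d+)", rule)
        if m:
            allowed.append((m.group(1), int(m.group(2))))
    return {
        "chains_open": chains_open,
        "catch_all_accepts": catch_all,
        "allowed_ports": allowed,
        "default_deny": not chains_open and not catch_all,
    }


if __name__ == "__main__":
    for label, dump in (("allow-all", SAMPLE_ALLOW_ALL),
                        ("default-deny", SAMPLE_DEFAULT_DENY),
                        ("leaky", SAMPLE_LEAKY)):
        print(label, audit_egress(dump))
```

On a real host, feed it the output of `iptables-save` (or a saved copy pulled from the router) instead of the constructed strings; the point is that "default deny" is a property you can verify mechanically rather than assume from the policy line alone.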