    On Tue, 2003-05-27 at 22:27, Tina Bird wrote:
    > if you continue down the road of "what things do i block to prevent most
    > attacks," please be sure to add the microsoft netbios and netbeui ports

    No, no, no. Don't take the approach of blocking selected ports. What you
    should do is block *all* outbound traffic (just like inbound) and only
    allow what is necessary (i.e. web, ftp, etc).

    (Somehow I think you and Paul know this though ;)

    This is a great time to emphasize that one should also be very
    conservative with outbound access. Only allow those hosts access to the
    outside that really need it (for example, workstations and selected [but
    not all] servers). Only allow those protocols that need to pass through,
    but not all of them.

    Workstations getting trojaned and phoning home (as Paul was referring
    to) are prevented/impacted as well as reverse shells from web servers
    and such.

    I'm fully aware that you can still tunnel out using HTTPS or shoveling
    data over DNS queries. However, one effectively limits the capabilities
    of an intruder and should make it easier for the admin to focus his/her
    attention on the allowed protocols.

    Furthermore (as you mentioned Tina), one reduces the amount of
    information leakage (for example NetBIOS/SMB authentication leaks). And
    besides leaking critical information, we also reduce all the crap some
    networks are dumping onto the Internet (remember the study of DNS
    queries for private/bogus hosts/IPs?).

    We should start treating the Internet like the (or an) environment
    (well... which it actually is, isn't it?). Let's reduce our amount
    of data/traffic pollution... not for the Internet's sake, but for the
    sake of our Internet neighbors.

    Perhaps we need to start thinking in less selfish terms. When designing
    firewall policies, we need to keep not only our own security in mind,
    but also that of our fellow Internet users. At least, be aware that you
    are sending data out in return for receiving data in...


    PS: Please don't ask what I was smoking when I wrote this...I tried not
    to drift into the social aspects of Internet life...
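    The default-deny egress policy argued for above, written out as an added
    example (not part of the original thread) in iptables-restore syntax, with
    the "block a few known-bad ports" approach from the quoted message beside
    it for contrast. The networks, the server address, the resolver and the
    interface name are hypothetical (RFC 5737 documentation ranges); the
    inbound side of the policy is left out because the message only argues
    the outbound case. The small check function at the end is the review a
    practitioner would run on a ruleset before loading it: a DROP policy on
    FORWARD, and no rule that admits new outbound connections without naming
    a source.

```shell
#!/bin/sh
# Added example: blocklist vs. default-deny allowlist for outbound (egress) traffic.
# All addresses are hypothetical placeholders from the RFC 5737 documentation ranges.
WORKSTATIONS="192.0.2.0/24"     # hosts that legitimately need web/ftp out
WEB_SERVER="198.51.100.10"      # a server that only ever needs DNS to one resolver
RESOLVER="203.0.113.53"         # assumed upstream resolver on the outside
OUTSIDE_IF="eth0"               # interface facing the Internet

# The weak approach: let everything out, then chase individual bad ports.
# Anything not on the list (reverse shells, trojans phoning home on 443, ...) passes.
egress_blocklist() {
  cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o $OUTSIDE_IF -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A FORWARD -o $OUTSIDE_IF -p udp -m multiport --dports 135,137,138,139,445 -j DROP
COMMIT
EOF
}

# The recommended approach: default DROP, then enumerate which hosts may speak
# which protocols. Every NEW outbound connection rule is scoped to a source, so
# NetBIOS/SMB leaks and other unplanned traffic never need an explicit block.
# Denied attempts are logged (rate-limited) so the admin sees what tried to leave.
egress_allowlist() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
:EGRESS_LOGDROP - [0:0]
-A FORWARD -i $OUTSIDE_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $OUTSIDE_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $OUTSIDE_IF -s $WORKSTATIONS -d $RESOLVER -p udp --dport 53 -j ACCEPT
-A FORWARD -o $OUTSIDE_IF -s $WORKSTATIONS -p tcp -m multiport --dports 21,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -o $OUTSIDE_IF -s $WEB_SERVER -d $RESOLVER -p udp --dport 53 -j ACCEPT
-A FORWARD -o $OUTSIDE_IF -j EGRESS_LOGDROP
-A EGRESS_LOGDROP -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DENIED: "
-A EGRESS_LOGDROP -j DROP
COMMIT
EOF
}

# Sanity check for a ruleset (passed as a string): returns 0 only if the FORWARD
# policy is DROP and every rule admitting new outbound traffic names a source.
has_default_deny_egress() {
  ruleset=$1
  printf '%s\n' "$ruleset" | grep -q '^:FORWARD DROP' || return 1
  # Outbound ACCEPTs other than the conntrack-return rule must carry an -s.
  if printf '%s\n' "$ruleset" | grep -- "-o $OUTSIDE_IF" | grep -- '-j ACCEPT' \
       | grep -v -- '--ctstate ESTABLISHED,RELATED' | grep -qv -- ' -s '; then
    return 1
  fi
  return 0
}

# Usage: sh egress.sh allowlist > egress.rules ; review ; iptables-restore < egress.rules
case "${1:-}" in
  allowlist) egress_allowlist ;;
  blocklist) egress_blocklist ;;
esac
```

    Note that `-m conntrack --ctstate` is the current spelling of the older
    `-m state --state` match; the rule shapes are otherwise the same as they
    were when this thread was written. The allowlist still permits HTTPS and
    DNS, so the tunnelling the author concedes remains possible; the point is
    that those two protocols are now the only ones an admin has to watch.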


