Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

From: Frank Knobbe (
Date: 05/28/03

    Date: 28 May 2003 13:48:22 -0500

    On Tue, 2003-05-27 at 22:27, Tina Bird wrote:
    > if you continue down the road of "what things do i block to prevent most
    > attacks," please be sure to add the microsoft netbios and netbeui ports

    No, no, no. Don't take the approach of blocking selected ports. What you
    should do is block *all* outbound traffic (just like inbound) and only
    allow what is necessary (i.e. web, ftp, etc.).

    (Somehow I think you and Paul know this though ;)

    This is a great time to emphasize that one should also be very
    conservative with outbound access. Only allow those hosts access to the
    outside that really need it (for example, workstations and selected [but
    not all] servers). Only allow those protocols that need to pass through,
    but not all of them.

    Workstations getting trojaned and phoning home (as Paul was referring
    to) are prevented/impacted as well as reverse shells from web servers
    and such.

    I'm fully aware that you can still tunnel out using HTTPS or shoveling
    data over DNS queries. However, one effectively limits the capabilities
    of an intruder and should make it easier for the admin to focus his/her
    attention on the allowed protocols.

    Furthermore (as you mentioned Tina), one reduces the amount of
    information leakage (for example NetBIOS/SMB authentication leaks). And
    besides leaking critical information, we also reduce all the crap some
    networks are dumping onto the Internet (remember the study of DNS
    queries for private/bogus hosts/IPs?).

    We should start treating the Internet like the (or an) environment
    (well... which it actually is, isn't it?). Let's reduce our amount
    of data/traffic pollution... not for the Internet's sake, but for the
    sake of our Internet neighbors.

    Perhaps we need to start thinking in less selfish terms. When designing
    firewall policies, we need to keep not only our own security in mind,
    but also that of our fellow Internet users. At least, be aware that you
    are sending data out in return for receiving data in...


    PS: Please don't ask what I was smoking when I wrote this...I tried not
    to drift into the social aspects of Internet life...


    firewall-wizards mailing list
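The post contrasts two ways of writing an outbound policy: blocking a list of "bad" ports versus denying all egress and allowing only the hosts and protocols that need it. The following is an added example, not code from the post or the firewall-wizards list, that models both approaches and runs some constructed flows through them; the subnets, host addresses and flow descriptions are invented for illustration. It also renders the allowlist as the equivalent iptables FORWARD-chain commands so the policy shape is visible.

```python
"""Default-deny egress policy versus a port blocklist (added illustration).

Hosts, subnets and sample flows below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # internal host initiating the outbound connection
    proto: str  # "tcp" or "udp"
    dport: int  # destination port on the Internet side
    note: str   # what the flow is, for the report


# Approach 1 (the one the post argues against): block a few known-bad
# ports (NetBIOS/SMB here) and let everything else out.
BLOCKED_PORTS = {135, 137, 138, 139, 445}


def blocklist_allows(flow: Flow) -> bool:
    return flow.dport not in BLOCKED_PORTS


# Approach 2 (the post's advice): deny all outbound traffic, then allow only
# the hosts and protocols that genuinely need to reach the outside.
# Constructed addressing: workstations on one subnet, two selected servers.
WORKSTATIONS = ip_network("10.0.1.0/24")
DNS_RESOLVER = ip_network("10.0.2.53/32")
MAIL_RELAY = ip_network("10.0.2.25/32")

EGRESS_ALLOW = [
    (WORKSTATIONS, "tcp", 80),   # web
    (WORKSTATIONS, "tcp", 443),  # web (TLS)
    (WORKSTATIONS, "tcp", 21),   # ftp
    (DNS_RESOLVER, "udp", 53),   # only the internal resolver may query out
    (MAIL_RELAY, "tcp", 25),     # only the relay may deliver mail out
]


def allowlist_allows(flow: Flow) -> bool:
    src = ip_address(flow.src)
    return any(src in net and flow.proto == proto and flow.dport == port
               for net, proto, port in EGRESS_ALLOW)


# Constructed sample traffic, including the cases the post mentions:
# a trojaned workstation phoning home and a reverse shell from a web server.
SAMPLE_FLOWS = [
    Flow("10.0.1.17", "tcp", 443, "workstation browsing HTTPS"),
    Flow("10.0.1.17", "tcp", 139, "workstation leaking NetBIOS to the Internet"),
    Flow("10.0.1.42", "tcp", 6667, "workstation trojan phoning home over IRC"),
    Flow("10.0.2.80", "tcp", 4444, "web server opening a reverse shell outbound"),
    Flow("10.0.2.80", "udp", 53, "web server doing its own DNS lookups"),
    Flow("10.0.2.53", "udp", 53, "internal resolver forwarding queries"),
]


def evaluate(flows):
    """Return (note, blocklist verdict, allowlist verdict) for each flow."""
    return [(f.note, blocklist_allows(f), allowlist_allows(f)) for f in flows]


def flows_allowed_by_blocklist_only(flows):
    """Flows the port blocklist lets out but default-deny egress stops."""
    return [f.note for f in flows if blocklist_allows(f) and not allowlist_allows(f)]


def iptables_rules():
    """Render the allowlist as iptables FORWARD-chain commands."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net, proto, port in EGRESS_ALLOW:
        rules.append(
            f"iptables -A FORWARD -s {net} -p {proto} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for note, by_blocklist, by_allowlist in evaluate(SAMPLE_FLOWS):
        print(f"{note:50s} blocklist={'pass' if by_blocklist else 'drop':4s} "
              f"default-deny={'pass' if by_allowlist else 'drop'}")
    print("\nOnly caught by default-deny:", flows_allowed_by_blocklist_only(SAMPLE_FLOWS))
    print("\n".join(iptables_rules()))
```

Running it shows the blocklist stopping only the NetBIOS leak while the phone-home, the reverse shell and the web server's stray DNS traffic all pass; the default-deny policy drops all three and still lets the resolver and the workstations' web traffic through. As the post notes, this does not stop tunnelling over an allowed protocol such as HTTPS or DNS, but it shrinks the set of channels an admin has to watch to the ones written in `EGRESS_ALLOW`.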
