Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Frank Knobbe (fknobbe_at_knobbeits.com)
To: "firstname.lastname@example.org" <email@example.com> Date: 28 May 2003 13:48:22 -0500
On Tue, 2003-05-27 at 22:27, Tina Bird wrote:
> if you continue down the road of "what things do i block to prevent most
> attacks," please be sure to add the microsoft netbios and netbeui ports
No, no, no. Don't take the approach of blocking selected ports. What you
should do is block *all* outbound traffic (just like inbound) and only
allow what it necessary (i.e. web, ftp, etc).
(Somehow I think you and Paul know this though ;)
This is a great time to emphasize that one should also be very
conservative with outbound access. Only allow those hosts access to the
outside that really need it (for example, workstations and selected [but
not all] servers). Only allow those protocols that need to pass through,
but not all of them.
Workstations getting trojaned and phoning home (as Paul was referring
to) are prevented/impacted as well as reverse shells from web servers
I'm fully aware that you can still tunnel out using HTTPS or shoveling
data over DNS queries. However, one effectively limits the capabilities
of an intruder and should make it easier for the admin to focus his/her
attention on the allowed protocols.
Furthermore (as you mentioned Tina), one reduces the amount of
information leakage (for example NetBIOS/SMB authentication leaks). And
besides leaking critical information, we also reduce all the crap some
networks are dumping onto the Internet (remember the study of DNS
queries for private/bogus hosts/IPs?).
We should start treating the Internet like the (or an) environment
(well... which is actually is one, isn't it?). Let's reduce our amount
of data/traffic pollution... not for the Internet's sake, but for the
sake of our Internet neighbors.
Perhaps we need to start thinking in less selfish terms. When designing
firewall policies, we need to keep not only our own security in mind,
but also that our of fellow Internet users. At least, be aware that you
are sending data out in return for receiving data in...
PS: Please don't ask what I was smoking when I wrote this...I tried not
to drift into the social aspects of Internet life...
firewall-wizards mailing list
- application/pgp-signature attachment: This is a digitally signed message part