Re: [fw-wiz] Permissive Firewall Policy



New or not, this is a place for questions. Here goes...



There's not really a list of the "bad" ports/protocols but more
accurately a list of ports/protocols that your company needs to use.

Best option would be to create an outbound ACL with a "permit ip any any
log" and then analyze your log results after a few days/weeks to
determine the extent of ports that are used across your firewall if you
don't know that already.

Caveat with this option: if you're running a large volume of outbound
traffic, you could choke your firewall by logging everything outbound
like that, so be prudent with the level of logging you choose.



Based upon your analysis you should be able to come up with a nice list
of ports/protocols that are needed/in use by your installation and can
then begin whittling down the list to the bare essentials while denying
the rest without impacting overall operations of the company.



HTH,

Brandon
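The log-analysis step described above, as an added example that is not part of Brandon's reply or anything the list produced: it parses log lines written by a "permit ip any any log" entry, aggregates hits and distinct source hosts per protocol/destination port, and drafts a tightened ACL. The sample lines are constructed and approximate the Cisco IOS IPACCESSLOGP/IPACCESSLOGDP message format; the function names, the list name OUTBOUND, and the `min_sources` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread) approximating Cisco IOS
# "%SEC-6-IPACCESSLOGP" (tcp/udp with ports) and "%SEC-6-IPACCESSLOGDP" (icmp)
# messages, as produced by a "permit ip any any log" entry on list OUTBOUND.
SAMPLE_LOG = """\
Sep 21 10:45:01 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.0.0.5(51234) -> 203.0.113.10(443), 1 packet
Sep 21 10:45:02 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.0.0.6(51235) -> 203.0.113.11(443), 1 packet
Sep 21 10:45:03 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted udp 10.0.0.5(53001) -> 198.51.100.53(53), 1 packet
Sep 21 10:45:04 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.0.0.7(51236) -> 203.0.113.12(80), 1 packet
Sep 21 10:45:05 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.0.0.9(51237) -> 192.0.2.44(6667), 1 packet
Sep 21 10:45:06 fw1 %SEC-6-IPACCESSLOGDP: list OUTBOUND permitted icmp 10.0.0.5 -> 203.0.113.10 (8/0), 1 packet
Sep 21 10:45:07 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.0.0.5(51238) -> 203.0.113.13(443), 3 packets
Sep 21 10:45:08 fw1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted udp 10.0.0.8(53002) -> 198.51.100.53(53), 1 packet
"""

# tcp/udp entries carry ports in parentheses; icmp entries carry (type/code).
PORT_RE = re.compile(r"permitted (tcp|udp) (\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")
ICMP_RE = re.compile(r"permitted icmp (\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packets?")


def parse_line(line):
    """Return a record for one permitted-traffic log line, or None if it
    does not match either format (e.g. unrelated syslog noise)."""
    m = PORT_RE.search(line)
    if m:
        proto, src, _sport, dst, dport, packets = m.groups()
        return {"proto": proto, "src": src, "dst": dst,
                "dport": dport, "packets": int(packets)}
    m = ICMP_RE.search(line)
    if m:
        src, dst, itype, icode, packets = m.groups()
        # ICMP has no port; key it on type/code so it still appears in the summary.
        return {"proto": "icmp", "src": src, "dst": dst,
                "dport": f"{itype}/{icode}", "packets": int(packets)}
    return None


def summarize(lines):
    """Aggregate packets and distinct source hosts per (proto, dport).
    Distinct sources matter more than raw hits: one chatty host on an odd
    port is a review item, a port used across the fleet is a business need."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dport"])
        summary[key]["hits"] += rec["packets"]
        summary[key]["sources"].add(rec["src"])
    return dict(summary)


def draft_acl(summary, min_sources=2):
    """Turn the summary into candidate IOS-style extended ACL lines.
    Ports seen from at least `min_sources` distinct hosts get a permit;
    everything else (and all ICMP, which needs a human decision on type/code)
    is returned separately for review rather than silently allowed. The draft
    ends with an explicit logged deny so the whittling-down stays visible."""
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    permits, review = [], []
    for (proto, dport), info in ranked:
        n_src = len(info["sources"])
        if proto != "icmp" and n_src >= min_sources:
            permits.append(f"permit {proto} any any eq {dport}")
        else:
            review.append(f"{proto} {dport}: {info['hits']} packet(s) from {n_src} host(s)")
    return permits + ["deny ip any any log"], review


if __name__ == "__main__":
    acl, review = draft_acl(summarize(SAMPLE_LOG.splitlines()))
    print("Draft ACL:")
    for entry in acl:
        print("  ", entry)
    print("Needs review before permitting:")
    for entry in review:
        print("  ", entry)
```

Run it against a real export by replacing `SAMPLE_LOG` with the syslog file contents; the threshold and the review list are where the judgment call in the reply lives, and the trailing logged deny keeps producing evidence for the next round of trimming.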



________________________________

From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Kevin Hinze
Sent: Thursday, September 21, 2006 10:45 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Permissive Firewall Policy



New to the list, so hope this has not already been covered numerous
times.

I have been asked to move from a restrictive policy, where only
allowed/permitted ports are allowed through the firewall, to a permissive
policy of denying known "bad" ports/protocols and allowing all else. Does
anyone have lists, bookmarks or the like to show a list of known "bad"
ports? I believe this is a bad idea but need some information to prove
how difficult it will be to manage.

Thanks in advance,

Kevin Hinze


--
Good judgment comes with experience. Unfortunately, the experience
usually comes from bad judgment.
___________________________________________________________________
Kevin Hinze mailto:kevin.hinze@xxxxxxxxxxxxxx
Intranet Systems Engineer The Navigators





_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

