Re: [fw-wiz] Permissive Firewall Policy

I am assuming outbound access. If it's inbound, then I am not sure
what to say except game over.

Over the last 6-month period I moved the organization I am presently
at from a "permissive" firewall policy to a "restrictive" firewall
policy, web caching servers, and removed the internet firewall as the
default gateway. Here are the problems it helped mitigate:

a) firewalls no longer went down due to compromised
machines on the internal network attempting to DoS external victims
b) compromised machines on the internal network could no longer get
their marching orders via their control channels
c) unauthorized software had a much more difficult time working (i.e.
P2P, etc)
d) For every new virus or malware we are not in a reactive mode of
'blocking the bad port'
e) Improved auditing to help in internal investigations

Point D is the most valid point. Any port can be a "bad" port
depending on the application. Your move will only generate more work
and more problems for the organization, as you are moving from a
proactive mode to a reactive mode. And you have to ask yourself why
this is being requested. Questions I would automatically ask are:

1) What is the business driver?
2) Is it because some applications aren't "working" because of the
3) Is the organization responsible for the firewalls not responsive
enough for dealing with item 2?
4) Who is driving it and what is their agenda?
5) What game application is a vice president trying to play that is
breaking due to the firewall?

This is an education opportunity and you are doing the right thing by
asking for evidence. I got a lot of heat for restricting access but
I sold it as improving stability (sometimes security just doesn't
sell so you have to look for another touch point). In addition - in
a lot of industries - a 'permissive' firewall policy will run afoul
of regulators and auditors. Use them - they can be your friends.

On Sep 21, 2006, at 9:45 AM, Kevin Hinze wrote:

New to the list, so hope this has not already been covered numerous

I have been asked to move from a restrictive policy, in which only
allowed/permitted ports are allowed through the firewall, to a
permissive policy of denying known “bad” ports/protocols and allowing
all else. Does anyone have lists, bookmarks or the like showing known
“bad” ports? I believe this is a bad idea but need some
information to prove how difficult it will be to manage.

Thanks in advance,

Kevin Hinze

Good judgment comes with experience. Unfortunately, the experience
usually comes from bad judgment.
Kevin Hinze mailto:kevin.hinze@xxxxxxxxxxxxxx
Intranet Systems Engineer The Navigators
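The two policies debated in this thread, as an added example that is not part of either post: a default-allow policy that denies a short list of "known bad" ports, beside a default-deny policy that only lets the web proxy and the internal resolver out, both evaluated against the same constructed flows. All addresses, hosts and the "bad port" list are made up for illustration.

```python
"""Compare a default-allow 'block known bad ports' egress policy with a
default-deny allow-list. Added example, not from the thread; all hosts,
addresses and port lists below are constructed."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    ports: range  # destination TCP ports covered by the rule
    action: str   # "allow" or "deny"

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def evaluate(rules, default, flow):
    """First matching rule wins; otherwise the policy's default action applies."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and flow.dport in r.ports:
            return r.action
    return default

# Permissive policy (Kevin's proposal): deny a handful of "bad" ports, allow the rest.
BAD_PORTS = [range(135, 140), range(445, 446), range(1433, 1435), range(6667, 6668)]
PERMISSIVE = [Rule("10.0.0.0/8", "0.0.0.0/0", p, "deny") for p in BAD_PORTS]

# Restrictive policy (the reply): only the proxy and the resolver may leave; default deny.
RESTRICTIVE = [
    Rule("10.0.0.10/32", "0.0.0.0/0", range(80, 81), "allow"),    # web proxy: HTTP
    Rule("10.0.0.10/32", "0.0.0.0/0", range(443, 444), "allow"),  # web proxy: HTTPS
    Rule("10.0.0.53/32", "0.0.0.0/0", range(53, 54), "allow"),    # internal resolver: DNS
]

FLOWS = {  # constructed traffic; 10.0.1.7 is an ordinary workstation
    "proxy_https": Flow("10.0.0.10", "203.0.113.5", 443),
    "ws_irc": Flow("10.0.1.7", "203.0.113.9", 6667),           # control channel on a listed port
    "ws_c2_8080": Flow("10.0.1.7", "203.0.113.9", 8080),       # control channel on an unlisted port
    "ws_direct_https": Flow("10.0.1.7", "203.0.113.5", 443),   # workstation bypassing the proxy
}

def compare(flows=FLOWS):
    """Return {flow name: (permissive verdict, restrictive verdict)}."""
    return {name: (evaluate(PERMISSIVE, "allow", f), evaluate(RESTRICTIVE, "deny", f))
            for name, f in flows.items()}

if __name__ == "__main__":
    for name, (perm, restr) in compare().items():
        print(f"{name:16} permissive={perm:5} restrictive={restr}")
```

Only the flow on a listed port is stopped by the permissive policy; the same control channel moved to an unlisted port sails through, which is the "any port can be a bad port" argument from the reply.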

firewall-wizards mailing list
