Re: [fw-wiz] Firewall best practices

Jason Lewis wrote:
> While I believe the only allow what you need is a good rule, it's
> impossible to enforce in a lot of scenarios.

That's quite true. There's the ideal, and then there is the
reality. Sometimes they don't match up, and we're left with
only reality. As some wise wag once put it: "if wishes
were horses, even beggars would ride."

> How many small
> businesses have no firewall admins and do the configuration

Then they should expect less good results. That's the
trick. "Hey, given that I can only spend 10 minutes
on this, don't blame me when something goes wrong."
In this case the employee/security manager needs to
shift from trying to secure the perimeter to trying
to protect their job. Instead of analyzing which
ports are open, keep an eye on the job-market in your
area. Instead of mapping network connectivity, network
with your peers and look for a job in a place that
has better executive management. Remember the story
of the boy on the burning deck? There are actually
3 "take-aways" from it, not 1: yes, 1) the boy was noble, but
2) the boy died, and 3) the ship sank anyway.

> Do you think they are going to spend the time examining
> what ports should be open based on what their users are using? No,
> they will open ports until it works.

And they'll eventually be hosting malware central.
You're completely correct; it's reality. The place
where unreality sets in is only when people do a
half-assed job and expect full-assed results.

> Last time I checked every
> linksys router comes with allow all outbound by default. How many
> people change that?

Only a few. They're called "the guys who don't get
hacked to pieces." The other guys are called "the
guys with conficker."

> The point of my question was if you're forced into a position to open
> everything, what ports *should* you always block and why.

You did the equivalent of asking for "the best recipe
for beef stroganoff for a man who has no beef."

> response below doesn't help that IT guy with no experience or time to
> research everything.

Nothing can help him. He's screwed. He should spend
his time on other things like keeping his resume up
to date, playing office politics to get promoted, and
day-trading stock to make as much money as he can
so that he can retire early. I like this "let's be
pragmatic" stuff! :D

> They don't want to
> spend time configuring things. That's reality, default deny is a

For them, "security" is also a dream. The problem is
merely one of "how do I avoid having to listen to them
complain when they get pwnz0red?" rather than "how do
I secure the network."

See? Pragmatism is mostly a matter of picking what
problem you're really trying to solve.

Marcus J. Ranum CSO, Tenable Network Security, Inc.
firewall-wizards mailing list
