Re: Let's talk about firewalls - what do we as a group think a firewall should be/have?
- From: Duane Arnold <"Do forget about it"@PleaeDo.BET>
- Date: Tue, 22 Aug 2006 00:17:04 GMT
Leythos wrote:
Ok, I've got a little time this week, so I thought I would take the lead from another thread and start this new thread.
So, here are the simple rules - no RFCs make any difference, no technical documents make any difference, etc...
After we get our basic features list set up/created, we'll start looking at what we consider a reasonable implementation vs what we want, so let's start with what we want first.
It's very simple, what do you consider the standard features are for a firewall appliance?
1) A firewall should block all outbound by default (as shipped).
2) A firewall should block all inbound by default (as shipped).
3) A firewall should know the difference between protocols: HTTP and DNS as an example. Nothing should pass through a rule except the proper protocol it was configured for.
4) A firewall should support direct VPN connections to/from itself, as an end-point.
5) A firewall should have a real DMZ if it claims to have a DMZ - meaning that it should have a physical jack for a DMZ that is not part of the same network as the LAN.
6) A firewall with a DMZ/LAN should have no default rules allowing access between them.
7) A firewall should clearly log/report all traffic, in/out, and make it easy to determine if it was approved/unapproved, etc...
8) A firewall should be able to detect threats, internal and external, on any port, and block those attack origination locations from access.
9) A firewall should be able to allow the user to create rules that can be used to cause the blocking of hosts attaching via specific rule (ports) - this would be used to block access from hosts probing the firewall for open ports, or to block worms (TCP 1433/1434 as an example).
10) A firewall should provide for multiple subnets on any network interface.
11) A firewall should not have DHCP Service enabled on the LAN/DMZ by default.
12) A firewall should be certified as a firewall by some reputable authority.
Please feel free to add to this list.
Again, remember, this is not what is available, it's what YOU WANT in a firewall. We'll talk about what is reasonable and available later.
A FW should be able to filter traffic based on the OSI model.
A FW should be able to set protocol filtering rules beyond TCP or UDP. It should be able to filter both inbound or outbound traffic by protocol numbers given.
If it's a host-based network FW solution, then it must be using two NICs. One NIC must face the WAN (the untrusted zone) and the other NIC must face the LAN (the trusted zone).
This holds true for a FW solution that is an appliance, I believe: in its admin interface, it must show the untrusted and trusted zones.
Duane :)
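As an added illustration (my own toy model, not code from either poster, and not the configuration of any real firewall product), the following Python packet filter models several of the wish-list points above: default deny in both directions as shipped (points 1 and 2), rules that pass only the application protocol they were written for (point 3), no implicit DMZ-to-LAN access (point 6), a per-packet log with the verdict and the rule that produced it (point 7), blocking the source of hosts that hit a worm port or probe several closed ports (points 8 and 9), and filtering by IP protocol number rather than only TCP/UDP ports (Duane's point). Zone names, rule names and the IP addresses (from the RFC 5737 documentation ranges) are constructed for the example; the `app` field stands in for whatever protocol inspection a real product would do.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IANA IP protocol numbers; GRE and ESP show filtering "beyond TCP or UDP".
ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src_zone: str                # "wan", "lan" or "dmz" (constructed zone names)
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: int                   # IP protocol number
    dst_port: Optional[int] = None
    app: Optional[str] = None    # application protocol as identified by inspection, e.g. "http"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                # exact zone name or "any"
    dst_zone: str
    proto: int
    dst_port: Optional[int] = None
    app: Optional[str] = None    # if set, only this application protocol may use the rule
    action: str = "allow"        # "allow" or "block-source"

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone in (pkt.src_zone, "any")
                and self.dst_zone in (pkt.dst_zone, "any")
                and self.proto == pkt.proto
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class Firewall:
    """Default deny in every direction: nothing passes unless a rule allows it."""

    def __init__(self, probe_threshold: int = 3) -> None:
        self.rules: List[Rule] = []     # as shipped: empty, so all in/out traffic is dropped
        self.blocked: Set[str] = set()  # source addresses that have been cut off
        self.log: List[Dict[str, str]] = []
        self._probed: Dict[str, Set[int]] = defaultdict(set)
        self.probe_threshold = probe_threshold

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def _log(self, pkt: Packet, verdict: str, reason: str) -> str:
        # Point 7: every packet is logged with its verdict and why it got it.
        self.log.append({"src": pkt.src_ip, "dst": pkt.dst_ip,
                         "zones": f"{pkt.src_zone}->{pkt.dst_zone}", "proto": str(pkt.proto),
                         "port": str(pkt.dst_port), "verdict": verdict, "reason": reason})
        return verdict

    def evaluate(self, pkt: Packet) -> str:
        if pkt.src_ip in self.blocked:
            return self._log(pkt, "drop", "blocked-host")
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "block-source":
                self.blocked.add(pkt.src_ip)        # point 9: e.g. anything touching TCP 1433
                return self._log(pkt, "drop", rule.name)
            if rule.app is not None and pkt.app != rule.app:
                # Point 3: a rule written for HTTP must not pass some other protocol on that port.
                return self._log(pkt, "drop", f"protocol-mismatch:{rule.name}")
            return self._log(pkt, "accept", rule.name)
        # No rule matched: default deny. Repeated hits on closed ports from the untrusted
        # side get the source blocked (point 9, hosts probing the firewall for open ports).
        if pkt.src_zone == "wan" and pkt.dst_port is not None:
            self._probed[pkt.src_ip].add(pkt.dst_port)
            if len(self._probed[pkt.src_ip]) >= self.probe_threshold:
                self.blocked.add(pkt.src_ip)
                return self._log(pkt, "drop", "default-deny+probe-block")
        return self._log(pkt, "drop", "default-deny")


def build_firewall() -> Firewall:
    """Constructed ruleset: a web server in the DMZ, DNS and ESP out from the LAN."""
    fw = Firewall()
    fw.add_rule(Rule("web-to-dmz", "wan", "dmz", TCP, 80, app="http"))
    fw.add_rule(Rule("lan-dns-out", "lan", "wan", UDP, 53, app="dns"))
    fw.add_rule(Rule("lan-esp-out", "lan", "wan", ESP))      # by protocol number, no ports
    fw.add_rule(Rule("worm-1433", "wan", "any", TCP, 1433, action="block-source"))
    return fw                                                 # note: no DMZ<->LAN rules at all


if __name__ == "__main__":
    fw = build_firewall()
    fw.evaluate(Packet("wan", "dmz", "203.0.113.5", "10.0.1.10", TCP, 80, "http"))
    fw.evaluate(Packet("wan", "dmz", "203.0.113.5", "10.0.1.10", TCP, 80, "ssh"))
    fw.evaluate(Packet("dmz", "lan", "10.0.1.10", "10.0.0.20", TCP, 445))
    fw.evaluate(Packet("wan", "lan", "198.51.100.7", "10.0.0.20", TCP, 1433))
    for entry in fw.log:
        print(entry)
```

The scan detector is deliberately crude (distinct closed ports per source, no time window or expiry); a product would age entries out and would distinguish a scan from a misconfigured but legitimate peer. The empty `rules` list in `Firewall.__init__` is the "as shipped" state the thread asks for.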