Re: Should a firewall ONLY allow access to an IP range - as well as blocking ports?

From: bobb (None@NoWhere.com)
Date: 02/19/03


From: None@NoWhere.com (bobb)
Date: Wed, 19 Feb 2003 19:04:07 GMT

On Wed, 19 Feb 2003 18:30:08 +0000 (UTC), "adeveloper"
<adeveloper@test.com> wrote:

>Just to provide some more details that don't seem to have been clear from
>the last post (see below):
>We do have a firewall but it is set up to let all IPs access the open
>ports - we can and know how to restrict this to only allowed IPs but the
>question is should we. The decision I am considering is should we restrict
>access on ports we use to administer the server to an IP range only?
>
>Some people mentioned practical considerations like accessing the server when
>travelling from a DHCP allocated address which is an interesting point. I
>just want to know what most people do here.
>
>Pete

I have Checkpoint FW (usd$50K) servicing 5,000 people, a couple of
mini-mainframes, and about, ugh, 50+ Win servers.

I have blocked some IP addresses, but they are known to be bad guys,
like this site from the former U.S.S.R, but otherwise I don't block
any (incoming) IPs.

As a network admin, you gotta balance accessibility versus security
versus ease of administration.

I am lazy, sue me. My boss always wants me to do more, and in an
impossibly short time frame, I just don't have a whole lot of time to
spend in administration. If I block stuff, I have to administer
them, so I tend not to do it unless it's obviously necessary or I know
it's something permanent. To this, I give priority to accessibility
versus some *maybe* unfounded security concerns. Can't do business
when legitimate people can't get to my boxes in a reasonable amount of
time.

Plus I have LOTS of remote users, who can be dialing in from ANYWHERE.
Most just hit my email servers, but there is a bunch coming in through
VPN. VPN users are given restricted access for certain resources
only.

I attempt to maintain a simple SECURITY POLICY (firewall
configuration). Keep documentation current, available, and under my
control. Nobody but my boss is allowed to change this policy without
going through me. This way, when s**t happens, troubleshooting is
quick and precise.

The FW's SECURITY POLICY is your most important front-end deterrent.
It's a career in itself to make it properly. Sounds simple, but
it requires the right experience to create and maintain it. If you do
it piece-meal, like many smaller shops do, who can't afford to staff an
experienced administrator, you can really go nuts, and place in
security you don't need, add to your administration overhead, AND
confuse you enough that you miss the obvious stuff.

Practical stuff in my FW are: Turned off ping (so people pinging my
FW get a timeout). Turned on Denial-Of-Service Attacks. And place an
alarm on logs, so when there is excessive traffic from a destination,
I get beep'ed. Demand that my server admins keep their servers'
patches updated. Letting them know if they make a hole (hooking up
their own access without working with me), they are in big trouble.

BTW, our business is boring to hackers, if I tell people what we do,
they go "uh?" so I don't expect a lot of hacking to our site. I am
more worried about competitors, and granting access to partners, but
not too much access.

Well, that's what happens in my shop, your mileage varies.

-bobb
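
The choice debated in this thread, leaving service ports open to everyone while limiting administration ports to an allowed IP range, can be checked mechanically against a rule list. The following is an added example, not part of the original posts; the rule format, port numbers, and addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed policy: first matching rule wins, anything unmatched is dropped.
# Ports and networks are illustrative assumptions, not taken from the thread.
ADMIN_PORTS = {22, 3389}  # assumed administration ports
POLICY = [
    {"port": 25,   "src": "0.0.0.0/0",       "action": "accept"},  # mail, public
    {"port": 443,  "src": "0.0.0.0/0",       "action": "accept"},  # web, public
    {"port": 22,   "src": "198.51.100.0/24", "action": "accept"},  # admin, office range
    {"port": 3389, "src": "0.0.0.0/0",       "action": "accept"},  # admin, open to all
]

def decide(policy, src_ip, port):
    """Return the action of the first rule matching (src_ip, port); default drop."""
    addr = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule["port"] == port and addr in ipaddress.ip_network(rule["src"]):
            return rule["action"]
    return "drop"

def exposed_admin_rules(policy, admin_ports=ADMIN_PORTS, max_hosts=2**16):
    """List accept rules on admin ports whose source range exceeds max_hosts."""
    findings = []
    for rule in policy:
        net = ipaddress.ip_network(rule["src"])
        if (rule["action"] == "accept" and rule["port"] in admin_ports
                and net.num_addresses > max_hosts):
            findings.append((rule["port"], str(net)))
    return findings

if __name__ == "__main__":
    # Audit: which admin ports are reachable from an overly broad range?
    for port, net in exposed_admin_rules(POLICY):
        print(f"admin port {port} reachable from {net}")
    # The travelling-admin trade-off: an address outside the office range
    # is dropped on the restricted admin port, an office address is accepted.
    print(decide(POLICY, "203.0.113.7", 22))
    print(decide(POLICY, "198.51.100.20", 22))
```

The dropped roaming address is the practical cost raised in the quoted question; a VPN with restricted access, as described in the reply, is one way to give such users a source address inside an allowed range.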


