Should a firewall ONLY allow access to an IP range - as well as blocking ports?

From: sponge (yosponge@yahoo.com)
Date: 02/20/03

    From: yosponge@yahoo.com (sponge)
    Date: 19 Feb 2003 15:23:12 -0800

    On Wed, 19 Feb 2003 18:30:08 +0000 (UTC), "adeveloper"
    <adeveloper@test.com> wrote:

    >Just to provide some more details that don't seem to have been clear from
    >the last post (see below):
    >We do have a firewall but it is set up to let all IPs access the open
    >ports - we can and know how to restrict this to only allowed IPs but the
    >question is should we. The decision I am considering is should we restrict
    >access on ports we use to administer the server to an IP range only?
    >
    >Some people mentioned practical considerations like accessing the server when
    >travelling from a DHCP allocated address which is an interesting point. I
    >just want to know what most people do here.
    >
    >Pete

    Why would you NOT want to? If you have no need to be "talking" to certain
    IPs, block them. Merely restricting port access does little to protect
    you, especially when client software might be accessing things it
    shouldn't be.

    Case in point: I do a lot of research on commercial spyware, and have
    developed a firewall ruleset to block access to those. The security
    implications of these products should be obvious but I'll go into them
    if necessary. The problem is that many kinds of spyware work by
    infecting trusted applications like Internet Explorer, so even an
    application-level firewall does absolutely zip to stop them. And since
    everybody allows access to the HTTP port, there is nothing by default
    either a software or network firewall can do to stop them either.
    Therefore, the only way to stop them (aside from maintaining strict
    control over application installation, which doesn't always work and
    can be a nightmare) is to block the known bad-guys' IP ranges.

    Sponge
    Sponge's Anti-Spyware Source
    www.geocities.com/yosponge
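The policy the thread is discussing, as an added example that is not from the original posts: an iptables script that opens the public service ports to every source but restricts the administration ports to an allowed address range, with everything else dropped. The networks and port lists are constructed placeholders (RFC 5737 documentation space); by default the script only prints the rules, and IPT must be set to the real binary to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Public ports are open to all
# sources; administration ports are reachable only from ADMIN_NETS; the
# default policy drops everything else.
# IPT defaults to a dry run that prints the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

PUBLIC_PORTS="80 443"      # reachable from any source address
ADMIN_PORTS="22 3389"      # reachable only from ADMIN_NETS
# Placeholder ranges (constructed, RFC 5737 documentation space).
ADMIN_NETS="203.0.113.0/24 198.51.100.7/32"

# Emit the complete INPUT ruleset. The admin-port ACCEPT rules carry a
# source match, so a connection from an address outside ADMIN_NETS (e.g. a
# DHCP address while travelling) never matches and falls through to DROP.
build_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $PUBLIC_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    for net in $ADMIN_NETS; do
        for p in $ADMIN_PORTS; do
            $IPT -A INPUT -p tcp -s "$net" --dport "$p" -j ACCEPT
        done
    done
    # Rate-limited log of what the policy drops, so a lockout from an
    # unexpected source address shows up in the logs instead of failing silently.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

build_rules
```

Run the dry run first and confirm that every rule for an admin port carries a `-s` source match before applying it; a rule without one reopens the port to the world.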
