New or not, this is a place for questions. Here goes...

There's not really a list of the "bad" ports/protocols but more
accurately a list of ports/protocols that your company needs to use.

The best option would be to create an outbound ACL with a "permit ip any any
log" and then analyze your log results after a few days/weeks to
determine the extent of ports that are used across your firewall, if you
don't know that already.

Caveat with this option: if you're running a large volume of outbound
traffic you could choke your firewall with logging everything outbound
like that, so be prudent with the level of logging you choose.

Based upon your analysis you should be able to come up with a nice list
of ports/protocols that are needed/in use by your installation and can
then begin whittling down the list to the bare essentials while denying
the rest without impacting overall operations of the company.

HTH,

Brandon

________________________________

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Kevin Hinze
Sent: Thursday, September 21, 2006 10:45 AM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Permissive Firewall Policy

New to the list, so hope this has not already been covered numerous
times.

I have been asked to move from a restrictive policy, in which only
allowed/permitted ports are allowed through the firewall, to a permissive
policy of denying known "bad" ports/protocols and allowing all else. Does
anyone have lists, bookmarks or the like showing known "bad" ports? I
believe this is a bad idea but need some information to prove how
difficult it will be to manage.

Thanks in advance,

Kevin Hinze


--
Good judgment comes with experience. Unfortunately, the experience
usually comes from bad judgment.
___________________________________________________________________
Kevin Hinze mailto:kevin.hinze@navigators.org
Intranet Systems Engineer The Navigators




This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.
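An added example of the log-analysis step Brandon describes, not code from either poster: it reads the hits produced by a discovery-phase "permit ip any any log" entry, aggregates them by protocol and destination service, and prints a candidate allow-list ACL that ends in "deny ip any any log". The sample log lines are constructed for the example and modelled on the Cisco IOS %SEC-6-IPACCESSLOG* syslog messages; the ACL name OUTBOUND, the field names and the two-host threshold for auto-permitting a service are assumptions of this example, not anything from the thread.

```python
"""Turn 'permit ip any any log' hits into a candidate least-privilege outbound ACL.

Added example for this thread; not code from either poster. Log lines are
constructed and modelled on the Cisco IOS %SEC-6-IPACCESSLOG* syslog format;
the ACL name OUTBOUND and the two-host threshold are assumptions.
"""
import re

# Constructed sample of the discovery-phase log. Hosts, ports and counts are made up.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.5(51234) -> 93.184.216.34(443), 14 packets
%SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.6(49822) -> 93.184.216.34(443), 9 packets
%SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.7(50001) -> 198.51.100.20(80), 3 packets
%SEC-6-IPACCESSLOGP: list OUTBOUND permitted udp 10.1.1.5(53021) -> 10.1.0.53(53), 40 packets
%SEC-6-IPACCESSLOGP: list OUTBOUND permitted udp 10.1.1.6(53022) -> 10.1.0.53(53), 35 packets
%SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.9(40000) -> 203.0.113.9(6667), 2 packets
%SEC-6-IPACCESSLOGDP: list OUTBOUND permitted icmp 10.1.1.5 -> 10.1.0.1 (8/0), 5 packets
%SEC-6-IPACCESSLOGNP: list OUTBOUND permitted 47 10.1.1.8 -> 198.51.100.77, 1 packet
"""

# tcp/udp hits carry ports, icmp hits carry type/code, other protocols carry neither.
PORT_RE = re.compile(r"permitted (?P<proto>tcp|udp) (?P<src>[\d.]+)\(\d+\) -> "
                     r"[\d.]+\((?P<dport>\d+)\), (?P<n>\d+) packets?")
ICMP_RE = re.compile(r"permitted icmp (?P<src>[\d.]+) -> [\d.]+ "
                     r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<n>\d+) packets?")
OTHER_RE = re.compile(r"permitted (?P<proto>\w+) (?P<src>[\d.]+) -> [\d.]+, (?P<n>\d+) packets?")


def parse_line(line):
    """Return (proto, service, src_host, packets), or None if the line is not an ACL hit."""
    m = PORT_RE.search(line)
    if m:
        return m["proto"], int(m["dport"]), m["src"], int(m["n"])
    m = ICMP_RE.search(line)
    if m:
        return "icmp", f"{m['type']}/{m['code']}", m["src"], int(m["n"])
    m = OTHER_RE.search(line)
    if m:
        return m["proto"], "any", m["src"], int(m["n"])
    return None


def summarise(log_text):
    """Aggregate hits by (proto, service): total packets and the set of source hosts."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, service, src, n = rec
        entry = stats.setdefault((proto, service), {"packets": 0, "sources": set()})
        entry["packets"] += n
        entry["sources"].add(src)
    return stats


def propose_acl(stats, name="OUTBOUND", min_sources=2):
    """Emit a candidate named extended ACL from the summary.

    Services seen from at least `min_sources` distinct hosts become permit entries;
    anything seen from fewer hosts is emitted only as a 'remark REVIEW' line, so one
    machine's odd traffic (or one infected host) is not baked into the policy without
    a human looking at it. The closing 'deny ip any any log' replaces the
    discovery-phase 'permit ip any any log'.
    """
    permits, review = [], []
    ordered = sorted(stats.items(), key=lambda kv: (-kv[1]["packets"], str(kv[0])))
    for (proto, service), e in ordered:
        if proto in ("tcp", "udp"):
            rule = f"permit {proto} any any eq {service}"
        elif proto == "icmp":
            icmp_type, icmp_code = service.split("/")
            rule = f"permit icmp any any {icmp_type} {icmp_code}"
        else:
            rule = f"permit {proto} any any"
        note = f"{e['packets']} packets from {len(e['sources'])} hosts"
        if len(e["sources"]) >= min_sources:
            permits += [f" remark {note}", f" {rule}"]
        else:
            review.append(f" remark REVIEW: {rule} ({note})")
    return [f"ip access-list extended {name}", *permits, *review, " deny ip any any log"]


if __name__ == "__main__":
    print("\n".join(propose_acl(summarise(SAMPLE_LOG))))
```

Run against the sample, the two services used by more than one host (udp/53 and tcp/443) come out as permits, while the single-host hits (tcp/80, tcp/6667, icmp echo, protocol 47) are listed as review items rather than silently allowed. Feeding it a real export from a few days or weeks of logging, as Brandon suggests, is what makes the review list meaningful; the threshold is a starting point to tune, not a rule.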

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards