I am assuming outbound access. If it's inbound, then I am not sure what to say except game over.

Over the last six-month period I moved the organization I am presently at from a "permissive" firewall policy to a "restrictive" firewall policy, added web caching servers, and removed the internet firewall as the default gateway. Here are the problems it helped mitigate:

a) firewalls were no longer going down due to compromised machines on the internal network attempting to DoS external victims
b) compromised machines on the internal network could no longer get their marching orders via their control channels
c) unauthorized software had a much more difficult time working (i.e. P2P, etc.)
d) for every new virus or piece of malware we are not in a reactive mode of 'blocking the bad port'
e) improved auditing to help in internal investigations

Point D is the most valid point. Any port can be a "bad" port depending on the application. Your move will only generate more work and more problems for the organization, as you are moving from a proactive mode to a reactive mode. And you have to ask yourself why this is being requested. Questions I would automatically ask are:

1) What is the business driver?
2) Is it because some applications aren't "working" because of the firewall?
3) Is the organization responsible for the firewalls not responsive enough for dealing with item 2?
4) Who is driving it and what is their agenda?
5) What game application is a vice president trying to play that is breaking due to the firewall?

This is an education opportunity and you are doing the right thing by asking for evidence. I got a lot of heat for restricting access, but I sold it as improving stability (sometimes security just doesn't sell, so you have to look for another touch point). In addition, in a lot of industries a 'permissive' firewall policy will run afoul of regulators and auditors. Use them; they can be your friends.



On Sep 21, 2006, at 9:45 AM, Kevin Hinze wrote:

> New to the list, so hope this has not already been covered numerous times.
>
> I have been asked to move from a restrictive policy, where only allowed/permitted ports are allowed through the firewall, to a permissive policy of denying known "bad" ports/protocols and allowing all else. Does anyone have lists, bookmarks or the like to show a list of known "bad" ports? I believe this is a bad idea but need some information to prove how difficult it will be to manage.
>
> Thanks in advance,
>
> Kevin Hinze
>
>
> --
> Good judgment comes with experience. Unfortunately, the experience
> usually comes from bad judgment.
> ___________________________________________________________________
> Kevin Hinze mailto:kevin.hinze@navigators.org
> Intranet Systems Engineer The Navigators
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards

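The two policies discussed in this thread, evaluated side by side on the same outbound flows. This is an added example written for this page, not code from either poster; the rule tables, the host roles (a caching proxy, internal resolvers, a mail relay), the addresses (10.0.0.0/8 and RFC 5737 documentation ranges) and the sample flows are all constructed for illustration, and the evaluator uses the ordered, first-match semantics most packet filters use. It shows the point of the reply's item (d): under a deny-known-bad-ports policy a control channel on 443 or on a port nobody has heard of yet walks straight out, and each new threat forces another deny rule, whereas under allow-only-permitted the same flows are dropped without anyone touching the ruleset.

```python
"""Default-allow ("block known bad ports") versus default-deny ("allow only
permitted") egress policy, evaluated on the same constructed flows.

Added example for this thread, not code from the original posters. Rule
tables, host roles, addresses and flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    proto: str        # "tcp", "udp" or "any"
    src_net: str      # CIDR the source address must fall in
    dst_net: str      # CIDR the destination address must fall in
    dst_ports: tuple  # destination ports the rule matches; () means any port


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto not in ("any", flow.proto):
        return False
    if ip_address(flow.src) not in ip_network(rule.src_net):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst_net):
        return False
    return not rule.dst_ports or flow.dport in rule.dst_ports


def evaluate(rules, default: str, flow: Flow) -> str:
    """First matching rule wins; if nothing matches, the policy default applies."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# The permissive policy from the question: deny a list of "known bad" ports,
# let everything else out.
PERMISSIVE = [
    Rule("deny", "tcp", "10.0.0.0/8", "0.0.0.0/0", (135, 137, 138, 139, 445, 6667)),
    Rule("deny", "udp", "10.0.0.0/8", "0.0.0.0/0", (135, 137, 138, 139, 445)),
]
PERMISSIVE_DEFAULT = "allow"

# The restrictive policy from the reply: only the caching proxy, the internal
# resolvers and the mail relay may leave; every other internal host is dropped.
# Host addresses are constructed for the example.
PROXY, RESOLVERS, MAIL_RELAY = "10.0.0.5/32", "10.0.0.0/28", "10.0.0.25/32"
RESTRICTIVE = [
    Rule("allow", "tcp", PROXY, "0.0.0.0/0", (80, 443)),   # web only via the caching proxy
    Rule("allow", "udp", RESOLVERS, "0.0.0.0/0", (53,)),   # only the internal resolvers recurse
    Rule("allow", "tcp", MAIL_RELAY, "0.0.0.0/0", (25,)),  # only the relay speaks SMTP outbound
]
RESTRICTIVE_DEFAULT = "deny"

# Constructed outbound flows as seen at the internet firewall.
WORKSTATION = "10.0.1.20"
FLOWS = {
    "proxy fetch":      Flow("10.0.0.5",  "tcp", "203.0.113.10", 443),
    "resolver query":   Flow("10.0.0.2",  "udp", "192.0.2.1",    53),
    "mail relay":       Flow("10.0.0.25", "tcp", "192.0.2.25",   25),
    "direct browsing":  Flow(WORKSTATION, "tcp", "203.0.113.10", 443),
    "irc c2":           Flow(WORKSTATION, "tcp", "198.51.100.7", 6667),
    "https c2":         Flow(WORKSTATION, "tcp", "198.51.100.7", 443),
    "p2p":              Flow(WORKSTATION, "tcp", "198.51.100.9", 6881),
    "new malware port": Flow(WORKSTATION, "tcp", "198.51.100.7", 8080),
}


def compare(flows=FLOWS):
    """Map each flow name to (verdict under permissive, verdict under restrictive)."""
    return {
        name: (evaluate(PERMISSIVE, PERMISSIVE_DEFAULT, f),
               evaluate(RESTRICTIVE, RESTRICTIVE_DEFAULT, f))
        for name, f in flows.items()
    }


def allowed_only_by_permissive(flows=FLOWS):
    """Flows the deny-list policy lets out that the allow-list policy stops."""
    return sorted(n for n, (p, r) in compare(flows).items()
                  if p == "allow" and r == "deny")


def react_to_new_port(port: int):
    """The reactive step the deny-list policy forces for every new threat:
    bolt on one more deny rule. Returns the extended permissive policy."""
    return PERMISSIVE + [Rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0", (port,))]


if __name__ == "__main__":
    for name, (p, r) in compare().items():
        print(f"{name:18} permissive={p:5} restrictive={r}")
    # Blocking 8080 after the fact closes that one channel; the C2 on 443 still gets out.
    patched = react_to_new_port(8080)
    print("after blocking 8080:",
          evaluate(patched, PERMISSIVE_DEFAULT, FLOWS["new malware port"]),
          evaluate(patched, PERMISSIVE_DEFAULT, FLOWS["https c2"]))
```

The restrictive table is short because it is written in terms of which hosts have a business reason to reach the internet, not which ports are dangerous; the proxy, resolver and relay flows pass under both policies, and nothing in the restrictive table has to change when the next piece of malware picks a new port.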