Re: [fw-wiz] Permissive Firewall Policy
I am assuming outbound access. If it's inbound - then I am not sure what to say except game over.
Over the last 6 month period I moved the organization I am presently at from a "permissive" firewall policy to a "restrictive" firewall policy, web caching servers, and removed the internet firewall as the default gateway. Here are the problems it helped mitigate:
a) firewalls were no longer going down due to compromised machines on the internal network attempting to DOS external victims
b) compromised machines on the internal network could no longer get their marching orders via their control channels
c) unauthorized software had a much more difficult time working (i.e.
d) For every new virus or malware we are not in a reactive mode of 'blocking the bad port'
e) Improved auditing to help in internal investigations
Point D is the most valid point. Any port can be a "bad" port depending on the application. Your move will only generate more work and more problems for the organization as you are moving from a proactive mode to a reactive mode. And you have to ask yourself why this is being requested? Questions I would automatically ask are:
1) What is the business driver?
2) Is it because some applications aren't "working" because of the
3) Is the organization responsible for the firewalls not responsive enough for dealing with item 2?
4) Who is driving it and what is their agenda?
5) What game application is a vice president trying to play that is breaking due to the firewall?
This is an education opportunity and you are doing the right thing by asking for evidence. I got a lot of heat for restricting access but I sold it as improving stability (sometimes security just doesn't sell so you have to look for another touch point). In addition - in a lot of industries - a 'permissive' firewall policy will run afoul of regulators and auditors. Use them - they can be your friends.
On Sep 21, 2006, at 9:45 AM, Kevin Hinze wrote:
> New to the list, so hope this has not already been covered numerous
> I have been asked to move from a restrictive policy of only allowed/permitted ports are allowed through the Firewall to a permissive
> policy of deny known "bad" port/protocols and allow all else. Does
> anyone have lists, bookmarks or the like to show a list of known
> "bad" ports? I believe this is a bad idea but need some
> information to prove how difficult it will be to manage.
> Thanks in advance,
> Kevin Hinze
> --
> Good judgment comes with experience. Unfortunately, the experience
> usually comes from bad judgment.
> __________________________________________________ _________________
> Kevin Hinze mailto:email@example.com
> Intranet Systems Engineer The Navigators
> firewall-wizards mailing list