Archive of UserLand's first discussion group, started October 5, 1998.
Re: Firewalls, Hooray
Author: Ken MacLeod Posted: 5/5/2000; 1:45:49 PM Topic: scriptingNews outline for 5/5/2000 Msg #: 17013 (In response to 16956) Prev/Next: 17012 / 17014 The people who love firewalls say that our messages circumvent the intentions of the firewall administrators. I don't think this is true. Ask people who try to run Pike behind a firewall. Oooops. It doesn't work. [FI#1]The intent of firewall administrators is to understand all the communication going across the firewall and assess its possible security impact on the organization.
Section 3.11 of the comp.security.firewalls FAQ suggests this:
For firewalls where the emphasis is on security instead of connectivity, you should consider blocking everything by default, and only specifically allowing what services you need on a case-by-case basis.
If you block everything, except a specific set of services, then you've already made your job much easier. Instead of having to worry about every security problem with everything product and service around, you only need to worry about every security problem with a specific set of services and products. :-)
Before turning on a service, you should consider a couple of questions:
- Is the protocol for this product a well-known, published protocol?
- Is the application to service this protocol available for public inspection of its implementation?
- How well known is the service and product?
- How does allowing this service change the firewall architecture? Will an attacker see things differently? Could it be exploited to get at my internal network, or to change things on hosts in my DMZ?
In essence, not a simple task and definitely something you'd want to do as few times as possible to prevent admin errors (one of the most common causes of firewall incidents).
When it comes to any particular protocol, incoming connections are far more difficult to assess than outgoing connections.