Steven:
Most firewalls have an 'implicit denial' feature that states that anything not specifically allowed is disallowed. Your average everyday overly-paranoid security admin will usually throw in a rule at the end of the ruleset that denies everything. Firewalls tend to read the rules in numerical order, so if a packet comes in and gets a match on rule 5, the firewall will not look any further; it will simply perform the action specified by rule 5. There are exceptions to this, but in general it holds true. This means that you can explicitly allow all the services you want to pass through your firewall, then put a rule at the end that basically says "deny everything".

Denying ports is essentially the same thing as denying services. Services are defined by the ports they run on. For example, standard http runs on port 80, so if you want to deny all http on a packet-filtering firewall, you would deny all traffic to port 80. Proxy based firewalls and stateful inspection firewalls do not work exactly the same, but the idea is similar.

Your general approach to developing a security policy should go something like this:

1> Sit down with whomever you need to and figure out what programs/services/etc you want to work from the inside out and from the outside in.
2> Research each of these programs/services and find out what ports it uses.
3> Write your firewall policy to allow only those programs/services, then put the deny all rule at the end.

Doing this should give you a very good start.
-Ryan
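As an added illustration of the first-match, deny-everything-at-the-end logic Ryan describes and of the inbound rules Jon lists in the quoted message below (example code written for this page, not posted by either of them), here is a toy packet-filter evaluator. The Rule fields, the port ranges and the shadowed_rules check are assumptions of the model, not features of any particular firewall product.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNPRIV = range(1024, 65536)   # unprivileged source ports (1024:65535)
ANY = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    sports: range          # source ports the rule matches
    dports: range          # destination ports the rule matches

def matches(rule: Rule, proto: str, sport: int, dport: int) -> bool:
    return ((rule.proto is None or rule.proto == proto)
            and sport in rule.sports and dport in rule.dports)

def evaluate(ruleset: List[Rule], proto: str, sport: int, dport: int) -> Tuple[str, Optional[int]]:
    """Walk the rules in numerical order; the first match decides.
    If nothing matches, the implicit deny applies (rule number None)."""
    for number, rule in enumerate(ruleset, start=1):
        if matches(rule, proto, sport, dport):
            return rule.action, number
    return "deny", None

def covers(wide: range, narrow: range) -> bool:
    return wide.start <= narrow.start and wide.stop >= narrow.stop

def shadowed_rules(ruleset: List[Rule]) -> List[int]:
    """Rule numbers that can never fire because an earlier rule already
    matches every packet they would (e.g. a deny-all placed too early)."""
    shadowed = []
    for i, later in enumerate(ruleset):
        for earlier in ruleset[:i]:
            if ((earlier.proto is None or earlier.proto == later.proto)
                    and covers(earlier.sports, later.sports)
                    and covers(earlier.dports, later.dports)):
                shadowed.append(i + 1)
                break
    return shadowed

# Constructed inbound ruleset following Jon's quoted description.
INBOUND = [
    Rule("allow", "tcp", UNPRIV, range(25, 26)),   # SMTP from unprivileged source ports
    Rule("allow", "tcp", UNPRIV, range(53, 54)),   # DNS over TCP (BIND limits zone transfers)
    Rule("allow", "udp", ANY,    range(53, 54)),   # DNS queries, any remote source port
    Rule("allow", "tcp", UNPRIV, range(80, 81)),   # HTTP
    Rule("deny",  None,  ANY,    ANY),             # explicit "deny everything" last
]
```

Running shadowed_rules on the same list with the deny-all moved to the front reports every allow rule as unreachable, which is the ordering mistake the deny-all-last convention guards against.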
Steven Pierce wrote:
> Jon,
>
> I am new to all of this. What is needed to deny all the ports? I know about denying
> the specific IP or user base. Is that the same??
>
> Steven
>
> *********** REPLY SEPARATOR ***********
>
> On 3/6/2000 at 11:14 AM Jon Earle wrote:
>
> >I normally block all _inbound_ access, except to ports I expressly allow:
> >tcp/25, udp/53 + tcp/53 (with BIND config. restrictions on who can initiate
> >zone transfers), tcp/80, and maybe one or two others, depending on our
> >requirements. Source ports on packets destined for these services are
> >restricted to unprivileged ports (1024:65535), except in the case of
> >udp/53, in which I allow unrestricted (remote) source ports. Inbound
> >packets are restricted to the access granted above, plus response packets
> >destined for unprivileged ports, coming from services expressly allowed in
> >the outbound rules.
> >
> >I typically restrict outbound access to specific services (tcp/80, tcp/21
> >and a few others for clients, tcp/25, tcp/udp/53 for the firewall), and
> >block source ports which are less than 1024, thus only allowing
> >unprivileged source ports for outbound access. This is good to control
> >exactly what is leaving your network, but depending on your requirement
> >(home LAN vs client LAN) you may or may not want to allow all outbound access.
> >
> >So, yes, it sounds like you're on a good start: deny everything, then open
> >up only what you need.
> >
> >
> >At 03:34 PM 3/6/00 +0000, you wrote:
> >>Hi,
> >>We are going to use altavista firewall and proxy on a NT box. I know
> >>that I should
> >>close all other services on NT,
> >>change administration account name,
> >>block 6665-7000 for chat
> >>block all tcp/udp except 80.
> >>What else should I do, for example what are the BO trojan ports?
> >>Can somebody send port numbers and/or other things that I should write to
> >>my firewall.
> >>thanks.
> >>
> >>-
> >>[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >>"unsubscribe firewalls" in the body of the message.]
> >
> >-----------------------------------------------------------------
> >Jon Earle (613) 612-0946 (Cell)
> >HUB Computer Consulting Inc. (613) 830-1499 (Office)
> >http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
> >
> >"God does not subtract from one's alloted time on Earth,
> >those hours spent flying." --Unknown
> >
>