Policy
........
It seems there are so many reasons to not just allow
all outgoing access to the web these days.
Ports 138, 139, 445, Back Orifice...
I am considering doing a "deny unless explicitly
allowed" policy and then allowing what is needed. Like
I do at home with IPCHAINS.
I think this is a good policy and if nothing else, it
forces you to be aware of what is going on.
Implementation
...............
The PIX, as I understand, has a security level assigned
to each interface. The lower security interfaces will
always trust the higher security interfaces. The
"access-list" or "outbound" (prefer outbound command)
commands can be used to "selectively" deny or permit
access as required.
Will the trust between interfaces prevent me from
successfully implementing a default "deny unless
explicitly allowed" outgoing policy?
I think this default policy should be feasible.
I have been told otherwise by a consultant, and I
think he might be wrong.
tia
Todd