I've heard many things about a "security policy" and I understand what I
would specify on one, but could someone point me in a direction to check out
a "sample" security policy.  At least I could look at what questions should
be answered by my policy.  Just looking for some general guidelines.  Even a
reference to a book or website would be welcome.

Thanks,




Tom McNamara, MCSE, CCNA
McNamara Professional Services
(407)822-5199 Phone


--------------------------------------------
A bus station is where a bus stops.
A train station is where a train stops.
On my desk, I have a work station...


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jim Deane
Sent: Thursday, February 01, 2001 1:28 PM
To: [EMAIL PROTECTED]
Subject: Re: What should I block???


Well, that depends.

My first recommendation would be to review your company security policy
which was signed off on by executive management.  That policy should list
what types of traffic, ports, etc. your company has deemed necessary and
will allow into their environment.  It should also dictate what types of
traffic will be allowed *out* of your network.

My first recommendation probably isn't terribly useful, since I have found
that most companies don't have a well-defined security policy blessed by the
CEO.  This is, IMHO, a recipe for disaster.  I would strongly recommend
either having them come up with a security policy (which will then dictate
what your ACL and FW rulebase look like), or you come up with one, but have
them "bless" it.

You should definitely set up access lists to protect the router itself (i.e.
deny telnet, SNMP, etc.)  Some people also "mirror" the security policy
(i.e. rule base) on their firewall on the border router.  This lets the
router receive the brunt of most port scans, etc.  I would also recommend
blocking the receipt of any packet with a source address of any of the RFC
1918 addresses, any packet with a source address with a first octet of 255,
etc.  You can either block the RFC 1918 addresses with an ACL, or route them
to Null0.  I've seen both approaches used.

Pick long, complex passwords for your border router and use "service
password-encryption" to encrypt them.

Check your logs regularly.

Be a good internet neighbor and set up outbound ACLs that only allow traffic
that originated on your network out.  This cuts down on spoofing.

If your management won't sign off on whatever security policy you come up
with, make sure you figure out in advance who is responsible/culpable when
you get hacked.

If you are new to Checkpoint Firewalls and Information Security, subscribe
to the FW-1 mailing list on the Checkpoint web site.  There are some great,
knowledgeable guys and gals on that list.  It is focused mainly on FW-1, but
they also cover many general security concepts from time to time.  Also,
check out www.phoneboy.com/fw1 for FW-1 related "stuff."

Marcus Ranum runs a good, vendor agnostic firewall mailing list at
http://www.nfr.com/mailman/listinfo/firewall-wizards


HTH,
Jim


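The border-router configuration Jim describes above, written out as an added example (it is not from anyone on this thread). The addressing is made up: outside interface Serial0/0, public block 192.0.2.0/24 with the router at 192.0.2.1 and a management host at 192.0.2.10; the angle-bracket passwords are placeholders. It covers the pieces he lists: protecting the router itself (telnet, SNMP), dropping RFC 1918 and first-octet-255 sources inbound, the Null0 alternative, an outbound ACL that only lets our own addresses leave, and password encryption.

```cisco
! Added example, not from the thread. Assumed (made-up) addressing:
!   outside interface Serial0/0, public block 192.0.2.0/24,
!   router address 192.0.2.1, inside management host 192.0.2.10
!
! "service password-encryption" only obscures (type 7) the passwords shown in
! the running config; use "enable secret" (MD5 hash) for the enable password.
service password-encryption
enable secret <long-complex-password>
!
! Inbound from the Internet, applied on the outside interface, direction "in"
ip access-list extended EDGE-IN
 remark --- anti-spoofing: none of these sources can legitimately arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 255.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark --- protect the router itself: no telnet or SNMP to it from outside
 deny   tcp any host 192.0.2.1 eq telnet log
 deny   udp any host 192.0.2.1 eq snmp log
 deny   udp any host 192.0.2.1 eq snmptrap log
 remark --- everything else is handed to the Checkpoint behind the router
 permit ip any 192.0.2.0 0.0.0.255
 deny   ip any any log
!
! Outbound toward the Internet: only packets sourced from our block may leave
ip access-list extended EDGE-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
! The alternative Jim mentions: black-hole routes for RFC 1918 space.
! A route matches the *destination*, so these stop traffic toward (and replies
! to) those ranges; the source-address check still needs the ACL above.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! Telnet to the router only from the inside management host
ip access-list standard VTY-MGMT
 permit host 192.0.2.10
line vty 0 4
 access-class VTY-MGMT in
 password <long-complex-password>
 login
!
! Keep a local log buffer so "show logging" has something to show
logging buffered 16384
```

Two things to keep in mind when adapting this: IOS evaluates ACL entries top to bottom and stops at the first match, so the anti-spoofing denies must sit above the broad permit, and the `log` keyword on entries that will match a port scan's worth of packets can load the CPU of a small border router, so drop it from the noisiest lines once you have seen what they catch. Type 7 encryption from `service password-encryption` is trivially reversible, which is why the enable password goes in `enable secret` instead.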
<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi Group,
>     I know that this is going to be very broad but just bear with me on
> this one. We are switching over our firewall router from a Bay to a Cisco.
> The Cisco one that I am going to work on is already pre-configured except
> for access-lists and filters. What they basically told me is that the
> Checkpoint device behind it will take care of all of the intense blocking
> and forwarding, but on this FW-router we just want to block the basic things
> that are usually not allowed through.
>     Here's what I was hoping for. Just a basic list of things that are
> normally blocked on the router above the FW. For example, I know that I'm
> gonna set an inbound access-list denying telnet so that the Checkpoint
> doesn't even have to worry about that. I am just looking for a list of
> services/ports/etc., that as a rule of thumb to you FW gurus, are usually
> denied. I know this is broad and I'll understand if I don't get much
> feedback. Gotta also find that whitepaper on FWs. Considering this will be
> my first time coming anywhere near a FW (FW Virgin) I'm a little nervous and
> hope you guys can help out. Thanks all,   =o)
>
> Mark Z...
>
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>

