Following this thought, I've never understood the "allow by default"
philosophy. I've never worked at a University nor do I know anyone
personally who does, but the idea that "we allow everything unless
we know it's bad because we promote the free exchange of ideas"
has always seemed silly at best and downright idiotic and
dangerous at worst.
It has always seemed to me that if you understand the
environment, you can create a firewall ruleset that properly allows
the protocols that are being used and blocks everything else.
Set up a phone number for someone to call if they have an
application they want to use and then make the changes as
needed.
It would seem that exploits come out far faster than new
applications needing ports opened, so it would be better not only
from a security standpoint but from a practical one as well to use
this approach even at universities. It only takes a few minutes to
alter a firewall ruleset; it could take days to recover from a security
breach, if indeed you ever recover.
Of course, maybe I just don't fully understand the "default permit"
point of view.
Comments welcome.
Regards,
Kent
> Date: Thu, 01 Mar 2001 08:06:38 -0000
> From: "opie san" <[EMAIL PROTECTED]>
> Subject: Re: firewalling rules
>
> First of all, you can do whatever you would like with your
> configuration. How tightly you lock down your network is strictly up
> to you and your company's security policy. The same goes for how you
> lock it down. Most companies choose to deny everything and only allow
> what they need because it's the most secure way to set up your firewall
> short of just unplugging from the Internet.
>
> Some organizations (mainly Universities) do choose the inverse of this
> and allow everything while only blocking what they don't want to come
> in. From a security standpoint though, this type of policy is easily
> thwarted or bypassed. You can block telnet to port 23 if you would
> like but what about telnet to port 25? Someone with devious
> intentions could do this to your mail server and begin probing it for
> weaknesses. Now your FW is just an expensive set of LEDs in your
> wiring closet.
>
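As an added illustration (not part of either post), here is a constructed Python model of a first-match packet filter that contrasts Kent's default-deny ruleset with the "default permit" ruleset opie describes. The site (a mail server on TCP/25 and a web server on TCP/80 and 443), the rule contents and the helper names are assumptions; the nftables rendering is one possible translation of the model, not a configuration from either author.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound packet: transport protocol and destination port."""
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None proto or empty port set means 'match anything'."""
    action: str                              # "accept" or "drop"
    proto: Optional[str] = None              # None matches any protocol
    dports: FrozenSet[int] = frozenset()     # empty set matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


@dataclass
class Ruleset:
    """First-match rule list; the default policy applies when no rule matches."""
    policy: str                              # "drop" (default deny) or "accept" (default permit)
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.policy

    def exposed_ports(self, proto: str, ports: Iterable[int]) -> Set[int]:
        """Ports in `ports` that this ruleset lets through for `proto`."""
        return {p for p in ports if self.evaluate(Packet(proto, p)) == "accept"}


# Constructed policies for a hypothetical site with one mail server and one web server.
# Kent's approach: allow the protocols known to be in use, drop everything else.
DEFAULT_DENY = Ruleset("drop", [
    Rule("accept", "tcp", frozenset({25}), "SMTP to the mail server"),
    Rule("accept", "tcp", frozenset({80, 443}), "HTTP/HTTPS to the web server"),
])

# "Default permit": allow everything, block only the one service nobody wants exposed.
DEFAULT_PERMIT = Ruleset("accept", [
    Rule("drop", "tcp", frozenset({23}), "block telnet"),
])


def render_nft(rs: Ruleset, chain: str = "input") -> str:
    """Render the model as an nftables ruleset (inet family, input hook).

    The default policy becomes the chain policy; each Rule becomes one nft rule.
    """
    lines = [
        "table inet filter {",
        f"    chain {chain} {{",
        f"        type filter hook {chain} priority 0; policy {rs.policy};",
        "        ct state established,related accept",   # replies to outbound traffic
        "        iif lo accept",                          # loopback
    ]
    for r in rs.rules:
        if r.dports:
            ports = ", ".join(str(p) for p in sorted(r.dports))
            match = f"{r.proto or 'th'} dport {{ {ports} }}"
        elif r.proto is not None:
            match = f"meta l4proto {r.proto}"
        else:
            match = ""
        line = f"{match} {r.action}".strip()
        if r.comment:
            line += f' comment "{r.comment}"'
        lines.append("        " + line)
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    probes = range(1, 1025)
    print("default deny exposes:", sorted(DEFAULT_DENY.exposed_ports("tcp", probes)))
    print("default permit exposes:", len(DEFAULT_PERMIT.exposed_ports("tcp", probes)), "ports")
    print(render_nft(DEFAULT_DENY))
```

Running it shows the asymmetry both posts are arguing about: the default-deny ruleset exposes exactly the three ports that are in use, while the default-permit ruleset exposes every port except 23, so a new service that nobody asked to have opened is reachable the moment it starts listening. Note that both rulesets accept TCP/25, because the mail server has to be reachable; the firewall narrows exposure to the services actually in use, and hardening those services is a separate job.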