> Something that I notice is that Daniel allows all outgoing TCP and UDP
> traffic regardless of where it is going.
>
> Question: Isn't this a bad thing? I would have thought it is best
> practice to only allow incoming and outgoing connections
> _explicitly_. With the reason being some OS upload information to
> base camp (Redmond) for statistical analysis.
It's the old case of horses for courses. In this case it depends on which risks you are trying to mitigate and the cost of the various countermeasures that are available. If your primary concern is to protect a network from external attack and your users are likely to be using a wide variety of protocols outbound, then Daniel's approach is eminently sensible. If you are protecting a bunch of servers on a DMZ which have very specific outbound requirements, then your approach is the correct one.

In our case, where we have a network of 10,000 machines behind a pf firewall, we use both approaches. Some machines are blocked entirely from the Internet, a large group has inbound access blocked and free outbound access (except for a bunch of 'banned' ports, including 135-139 ;) and then there is a much smaller number of machines that have detailed rulesets that closely control what comes in and out from the address.

I note that Alex did not use the term "best practice" and this rant is not directed at him, although there is a hint of this sort of thinking in his question.

<rant>
Is anyone else as fed up with the term "best practice" as I am? It seems to me that the term is a consultant's shorthand for "I can't be bothered doing the analysis but this is what everyone else is doing so it must be OK". I keep getting asked if what we are doing is "best practice" and I have to keep responding "best practice for who?".
</rant>

--
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
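As an added illustration (not from Russell's mail or from any of the rulesets discussed), here is a constructed pf.conf fragment that expresses the three tiers he describes: hosts cut off from the Internet entirely, a large group with inbound blocked and outbound open except for banned ports, and a single tightly controlled host. Interface names, address ranges and the controlled host's address and services are placeholders.

```conf
# Constructed example pf.conf; interface names and addresses are placeholders.
ext_if = "em0"
int_if = "em1"

# Host groups behind the firewall (placeholder address ranges).
table <isolated> const { 10.1.1.0/24 }   # tier 1: no Internet access at all
table <general>  const { 10.1.2.0/23 }   # tier 2: inbound blocked, outbound mostly free
controlled_host = "10.1.3.25"            # tier 3: explicit rules in both directions

# Ports the general group may not reach outbound (NetBIOS/RPC range from the mail).
banned_ports = "135:139"

set skip on lo

# Default policy on the external interface: deny and log anything not passed below.
# Only $ext_if is filtered, so internal-side traffic is left alone.
block log on $ext_if all

# Tier 1: isolated machines get nothing in or out, and 'quick' stops further matching.
block quick on $ext_if from <isolated> to any
block quick on $ext_if from any to <isolated>

# Tier 2: the general group. Inbound is already denied by the default block;
# the banned ports are dropped before the broad outbound pass can match.
block out quick on $ext_if proto { tcp udp } from <general> to any port $banned_ports
pass  out on $ext_if proto { tcp udp } from <general> to any keep state
pass  out on $ext_if proto icmp        from <general> to any keep state

# Tier 3: one host with an explicit allow list in each direction (placeholder services:
# accepts SMTP, may only originate SMTP and DNS). Everything else hits the default block.
pass in  on $ext_if proto tcp from any to $controlled_host port 25 keep state
pass out on $ext_if proto tcp from $controlled_host to any port { 25 53 } keep state
pass out on $ext_if proto udp from $controlled_host to any port 53 keep state
```

Because pf uses last-match semantics except where `quick` is given, the tier 1 and banned-port rules are marked `quick` so the later broad `pass out` cannot override them; `pfctl -nf /etc/pf.conf` parses the file without loading it.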