Scott C. Kennedy sck at nogas.org
Sat Sep 23 20:46:56 EDT 2006

The ones above 65000 are known to be bad on alternative Tuesdays,
Thursdays, and after 7pm on the weekends.

Seriously, the problem with this question is it is the wrong way to look
at things.

If you block 31337 aka "the Back Orifice port" then someone just changes
to use 53 or 80 or 25 or you get my point. The reality is that if you're
going to just block "bad" ports, then don't use a network firewall at all,
and defend on the desktop.

Network access control is only useful when you can define what your
network should have, and you're backed with the political clout to tell
people "no."

Try to convince those who asked you "to move from a restrictive policy ...
to a permissive policy", that it's a bad idea. Try to use decent analogies
to help explain the issues to them.

My first pass would be... A restrictive policy only allows bank tellers
and managers access to the vault. A permissive policy only blocks
convicted bank robbers from accessing the vault.

Now, they can counter that the network isn't a bank vault... But at some
point, either they are convinced that it's not such a good idea, or you're
convinced that "telnet is bad, m-kay?"

Good Luck & update your resume...


On Fri, September 22, 2006 4:17 pm, Marcus J. Ranum wrote:
>  Kevin Hinze wrote:
>>Does anyone have lists, bookmarks or the like to show a list of known
>> “bad” ports?
> Any port between 1 and 65000 is known to be bad at least some of the
> time.
> mjr.
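
Added example, not part of the original message or of anyone's posted code: a first-match rule evaluator run with the permissive policy (default allow, block 31337) and the restrictive policy (default deny, allow only defined services) over the same flows. The hostnames, rule sets and flows are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    dst: str
    port: int
    wanted: bool   # ground truth: is this a service the network should have?

class Rule(NamedTuple):
    dst: Optional[str]    # None matches any destination
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"

def evaluate(rules, default, flow):
    """First matching rule wins; otherwise the policy's default applies."""
    for r in rules:
        if r.dst in (None, flow.dst) and r.port in (None, flow.port):
            return r.action
    return default

# Permissive policy: allow everything except a list of "bad" ports.
PERMISSIVE = ([Rule(None, 31337, "deny")], "allow")

# Restrictive policy: allow only what the network is defined to have.
RESTRICTIVE = ([Rule("dns1.example.internal", 53, "allow"),
                Rule("www.example.internal", 80, "allow"),
                Rule("mail.example.internal", 25, "allow")], "deny")

# Constructed flows: two defined services, then one unwanted listener on a
# desktop that starts on 31337 and is simply moved to 53, 80 and 25.
FLOWS = [
    Flow("www.example.internal", 80, True),
    Flow("mail.example.internal", 25, True),
    Flow("desktop42.example.internal", 31337, False),
    Flow("desktop42.example.internal", 53, False),
    Flow("desktop42.example.internal", 80, False),
    Flow("desktop42.example.internal", 25, False),
]

def summarize(policy, flows):
    """Return (wanted flows allowed, unwanted flows allowed) for a policy."""
    rules, default = policy
    allowed = [f for f in flows if evaluate(rules, default, f) == "allow"]
    return (sum(f.wanted for f in allowed), sum(not f.wanted for f in allowed))

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        wanted, unwanted = summarize(policy, FLOWS)
        print(f"{name:11} wanted allowed={wanted} unwanted allowed={unwanted}")
```

The restrictive rules are keyed on destination and port together, so port 80 to the web server passes while port 80 to a desktop does not.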
