[fw-wiz] Permissive Firewall Policy

Tim Shea tim at tshea.net
Sat Sep 23 23:07:05 EDT 2006

I am assuming outbound access.  If it's inbound - then I am not sure  
what to say except game over.

Over the last 6-month period I moved the organization I am presently  
at from a "permissive" firewall policy to a "restrictive" firewall  
policy, web caching servers, and removed the internet firewall as the  
default gateway.  Here are the problems it helped mitigate:

a) firewalls were no longer going down due to compromised  
machines on the internal network attempting to DoS external victims
b) compromised machines on the internal network could no longer get  
their marching orders via their control channels
c) unauthorized software had a much more difficult time working (i.e.  
P2P, etc)
d) for every new virus or malware we are not in a reactive mode of  
'blocking the bad port'
e) Improved auditing to help in internal investigations

Point D is the most valid point.  Any port can be a "bad" port  
depending on the application.  Your move will only generate more work  
and more problems for the organization as you are moving from a  
proactive mode to a reactive mode.  And you have to ask yourself why  
this is being requested.  Questions I would automatically ask are:

1) What is the business driver?
2) Is it because some applications aren't "working" because of the  
3) Is the organization responsible for the firewalls not responsive  
enough for dealing with item 2?
4) Who is driving it and what is their agenda?
5) What game application is a vice president trying to play that is  
breaking due to the firewall?

This is an education opportunity and you are doing the right thing by  
asking for evidence.  I got a lot of heat for restricting access but  
I sold it as improving stability (sometimes security just doesn't  
sell so you have to look for another touch point).  In addition - in  
a lot of industries - a 'permissive' firewall policy will run afoul  
of regulators and auditors.  Use them - they can be your friends.

On Sep 21, 2006, at 9:45 AM, Kevin Hinze wrote:

> New to the list, so hope this has not already been covered numerous  
> times.
> I have been asked to move from a restrictive policy of only allowed/permitted  
> ports are allowed through the firewall to a permissive  
> policy of deny known “bad” port/protocols and allow all else.  Does  
> anyone have lists, bookmarks or the like to show a list of known  
> “bad” ports?  I believe this is a bad idea but need some  
> information to prove how difficult it will be to manage.
> Thanks in advance,
> Kevin Hinze
> -- 
> Good judgment comes with experience. Unfortunately, the experience
> usually comes from bad judgment.
> ___________________________________________________________________
> Kevin Hinze                       mailto:kevin.hinze at navigators.org
> Intranet Systems Engineer                     The Navigators
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards at listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
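As an added illustration of the two policies the thread contrasts (not code from either poster or from the list), the fragment below is an nftables egress ruleset for the "restrictive" design Tim describes: the default is drop, only the web caching proxy and the internal resolvers may reach the internet, and every other outbound attempt from the LAN is logged before it is discarded, which is what gives the audit trail in point e). The interface names, subnets, proxy and resolver addresses are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Restrictive ("default deny") egress policy for an internal network
# that reaches the web only through a caching proxy.
# All names and addresses below are assumed values for illustration.
flush ruleset

define LAN_IF    = "eth1"                     # assumed: internal-facing interface
define WAN_IF    = "eth0"                     # assumed: internet-facing interface
define PROXY     = 10.0.1.10                  # assumed: web caching / proxy server
define RESOLVERS = { 10.0.1.53, 10.0.2.53 }   # assumed: internal DNS resolvers

table inet egress {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        # The "permissive" policy from the question would instead read
        # "policy accept;" followed by a list of "tcp dport { ... } drop"
        # rules, so every port not on that list, including whatever a new
        # piece of malware chooses, would be allowed out by default.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were allowed out.
        ct state established,related accept
        ct state invalid drop

        # Only the proxy may speak HTTP/HTTPS to the internet;
        # workstations must go through it (and its logs).
        iifname $LAN_IF oifname $WAN_IF ip saddr $PROXY tcp dport { 80, 443 } accept

        # Only the internal resolvers may forward DNS upstream,
        # so hosts cannot tunnel out over raw port 53.
        iifname $LAN_IF oifname $WAN_IF ip saddr $RESOLVERS udp dport 53 accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $RESOLVERS tcp dport 53 accept

        # Everything else leaving the LAN is logged (rate limited so a
        # compromised host cannot flood the log) and then falls through
        # to the chain policy, which drops it. A workstation trying to
        # reach a control channel on any port shows up here.
        iifname $LAN_IF oifname $WAN_IF limit rate 10/second log prefix "egress-deny " level info
    }
}
```

Load it with `nft -f <file>` on a Linux gateway that forwards between the two interfaces. The useful property is the one Tim calls point d): a new piece of malware picking an unusual outbound port changes nothing in this ruleset, whereas under the permissive model someone has to notice the port and add a new drop rule after the fact. The `egress-deny` log lines are also the raw material for the internal investigations mentioned in point e).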
