[fw-wiz] Permissive Firewall Policy
tim at tshea.net
Sat Sep 23 23:07:05 EDT 2006
I am assuming outbound access. If it's inbound, then I am not sure
what to say except game over.
Over the last 6-month period I moved the organization I am presently
at from a "permissive" firewall policy to a "restrictive" firewall
policy, web caching servers, and removed the internet firewall as the
default gateway. Here are the problems it helped mitigate:
a) firewalls were no longer going down due to compromised
machines on the internal network attempting to DoS external victims
b) compromised machines on the internal network could no longer get
their marching orders via their control channels
c) unauthorized software had a much more difficult time working (i.e.
d) For every new virus or malware we are not in a reactive mode of
'blocking the bad port'
e) Improved auditing to help in internal investigations
Point D is the most valid point. Any port can be a "bad" port
depending on the application. Your move will only generate more work
and more problems for the organization, as you are moving from a
proactive mode to a reactive mode. And you have to ask yourself why
this is being requested. Questions I would automatically ask are:
1) What is the business driver?
2) Is it because some applications aren't "working" because of the
3) Is the organization responsible for the firewalls not responsive
enough for dealing with item 2?
4) Who is driving it and what is their agenda?
5) What game application is a vice president trying to play that is
breaking due to the firewall?
This is an education opportunity and you are doing the right thing by
asking for evidence. I got a lot of heat for restricting access but
I sold it as improving stability (sometimes security just doesn't
sell so you have to look for another touch point). In addition - in
a lot of industries - a 'permissive' firewall policy will run afoul
of regulators and auditors. Use them - they can be your friends.
On Sep 21, 2006, at 9:45 AM, Kevin Hinze wrote:
> New to the list, so hope this has not already been covered numerous
> I have been asked to move from a restrictive policy where only allowed/
> permitted ports are allowed through the Firewall to a permissive
> policy of deny known “bad” port/protocols and allow all else. Does
> anyone have lists, bookmarks or the like to show a list of known
> “bad” ports? I believe this is a bad idea but need some
> information to prove how difficult it will be to manage.
> Thanks in advance,
> Kevin Hinze
> Good judgment comes with experience. Unfortunately, the experience
> usually comes from bad judgment.
> Kevin Hinze mailto:kevin.hinze at navigators.org
> Intranet Systems Engineer, The Navigators
> firewall-wizards mailing list
> firewall-wizards at listserv.icsalabs.com
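As an added example, not part of either message above: the two policies Kevin describes, written as nftables rulesets for a gateway that forwards traffic between an internal network and the internet. The interface names ("lan", "wan"), the addresses (10.0.0.53 as an internal resolver, 10.0.0.80 as the web cache from Tim's setup) and the "known bad" port list are assumptions for illustration, and the two tables are alternatives to be loaded one at a time, not together.

```nft
# Permissive policy: deny a list of known "bad" ports, forward everything
# else.  A new control channel on any port not in the list gets through
# until someone notices and adds a rule, which is the reactive mode Tim
# describes in point (d).
table inet permissive {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        ct state invalid drop
        # Assumed, illustrative blocklist: classic Windows and IRC ports.
        tcp dport { 135, 139, 445, 6667 } counter drop
        udp dport { 135, 137, 138, 445 } counter drop
        # Anything else, on any port, in either direction, is forwarded.
    }
}

# Restrictive policy: forward only what the business has asked for and
# drop the rest.  A compromised host's control channel on an arbitrary
# port is dropped without anyone having known the port in advance.
table inet restrictive {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Nothing new from the internet into the internal network.
        iifname "wan" oifname "lan" counter drop
        # Only the internal resolver (assumed address) talks DNS outward.
        iifname "lan" oifname "wan" ip saddr 10.0.0.53 udp dport 53 accept
        iifname "lan" oifname "wan" ip saddr 10.0.0.53 tcp dport 53 accept
        # Only the web cache (assumed address) reaches the internet, on 80/443.
        # Workstations use the cache as their proxy and never need a rule here.
        iifname "lan" oifname "wan" ip saddr 10.0.0.80 tcp dport { 80, 443 } accept
        # Log what the default drop catches: this is the audit trail from (e),
        # and it is also where a newly infected host shows up first.
        iifname "lan" oifname "wan" counter log prefix "fwd-drop " drop
    }
}
```

Note that the permissive table needs a new `drop` line every time a new piece of malware or an unauthorized application picks a port, while the restrictive table changes only when the business adds a service; the log line in the restrictive table is what turns a blocked outbound attempt into evidence for an internal investigation.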