Good Firewalling (Hardware Firewall Admins)

Oaf357

Senior member
Sep 2, 2001
Essentially, the most effective way to make a network safe is to block everything inbound and allow only the protocols you have to have to go outbound.

Being that this obviously isn't possible in every environment, what are some recommendations (general port blocking, etc.) for restricting access from WAN to LAN?
 

gaidin123

Senior member
May 5, 2000
You hit the nail on the head with your first statement. You want to disallow absolutely everything you possibly can, and only allow what is required, whether that's by your choice, company policy, etc.

In general though, aside from the above statement, you always want to block non-routable IP blocks (192.168.0.0/24, 10.0.0.0/8, 172.16, etc.) from entering or exiting your network, along with various types of forged packets.

As for blocking specific ports, it depends entirely on what ports your business requires to be open, whether it's for clients or because your CEO demands it or... Block everything you can and open up the required ports to the specific servers.

For every port and type of traffic you do not block, you are making your firewall less effective.

Gaidin
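To make the anti-spoofing part of this concrete, here is an added example (mine, not from any poster in the thread) of what "block non-routable blocks in both directions, plus forged packets" looks like as an nftables ruleset on a Linux border firewall; the same checks exist as ACLs on PIX/IOS-class hardware. Interface names, the full RFC 1918 ranges and the public prefix 203.0.113.0/24 behind the firewall are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: anti-spoofing / bogon filtering on a two-interface border firewall.
# eth0, eth1 and 203.0.113.0/24 are assumed values, not from the thread.
define WAN = eth0
define LAN = eth1
# The prefix your inside hosts really use. The forward hook sees addresses
# before SNAT, so on a masquerading firewall put the private inside prefix here.
define LAN_NET = 203.0.113.0/24

table inet border {
    # Private (RFC 1918) space plus other ranges that must never be a
    # source address arriving from the Internet: "this" net, loopback,
    # shared/link-local, documentation, benchmarking, multicast, reserved.
    set bogons {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24,
                     192.168.0.0/16, 198.18.0.0/15, 224.0.0.0/3 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets conntrack cannot place in any flow (bad sequence numbers,
        # stray ACKs, truncated headers) are forged or broken: drop them.
        ct state invalid counter drop

        # Inbound: a packet from the Internet claiming a bogon source, or
        # claiming to come from our own prefix, is spoofed.
        iifname $WAN ip saddr @bogons counter drop
        iifname $WAN ip saddr $LAN_NET counter drop

        # Outbound: never leak traffic to bogon destinations, and an inside
        # host sending with a source address that is not ours is spoofing.
        oifname $WAN ip daddr @bogons counter drop
        oifname $WAN ip saddr != $LAN_NET counter drop

        # Forged TCP: flag combinations no real stack sends (scanner fingerprints).
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop              # null scan
        tcp flags & (fin|syn) == (fin|syn) counter drop                        # SYN+FIN
        tcp flags & (syn|rst) == (syn|rst) counter drop                        # SYN+RST
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) counter drop    # xmas scan
        # A new TCP flow must start with a bare SYN (the iptables --syn test).
        ct state new tcp flags & (fin|syn|rst|ack) != syn counter drop

        # Replies to flows that were allowed to start are fine.
        ct state established,related accept
        # The per-service allow rules (what may actually start a flow) go here.
    }
}
```

Load it with `nft -f` and watch the `counter` values: the bogon and spoofed-source counters should stay at zero in a healthy network, so a rising count is itself a finding.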
 

Goosemaster

Lifer
Apr 10, 2001
I guess making sure that FTPs and such are in the equivalent of the business DMZ to keep the firewall strong.
 

LANMAN

Platinum Member
Oct 10, 1999
One other item you could block are overseas domains that you know your business wouldn't need access to. There are a lot of attacks coming from countries that don't have restrictions or laws that govern what they can and/or cannot do while on the internet.

I.e., if you're going to set up a pizza ordering e-com site, why make your web server available to overseas domains? Are you going to overnight the pizza on the Concorde? :D

See where I'm going? You have to fine tune your business procedures and policies for areas like this to avoid accidental blocking of a domain you find to be a valid business partner.

---LANMAN


Anyone want to give him advice on UDP ports? ;)
 

Oaf357

Senior member
Sep 2, 2001
Ah... but using domain names is not entirely effective. Any clue though as to whether or not this is possible? We're talking about what, 80+ countries, right? A listing perhaps of foreign countries would be helpful.
 

randal

Golden Member
Jun 3, 2001
Off the top of my head, I know that we kill everything < 1024 inbound on UDP, minus DNS. I'm sure there are a couple exceptions, though.

For inbound to our servers from the internet via TCP, we kill everything except 20, 21, 22, 23, 25, 80, 110, 119, 443, 3389. (ftp data, ftp control, ssh, telnet, smtp, http, pop3, nntp, https, term.services, respectively.) 22, 23 and 3389 are blocked off 100% except for from particular originating IP addresses.

I'm sure there are a truckload of other little things, but that would be where I'd start. Oh, keep in mind that if you have multiple interfaces going that you need to firewall them off from each other. *very important* - don't need anybody compromising you from your own network.

randal
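The inbound policy randal describes, written out as an added nftables example (mine, not randal's actual configuration): inbound UDP only for DNS to the resolvers, inbound TCP only for the listed services and only to the hosts that run them, 22/23/3389 only from named admin addresses, and the interfaces firewalled from each other. Interface names, server addresses, the admin hosts and the LAN prefix are assumptions using documentation ranges. It is stricter in one respect: the default policy is drop, so inbound UDP above 1024 is dropped too, not just the ports below 1024.

```nft
#!/usr/sbin/nft -f
# Added example: inbound allowlist plus interface isolation.
# All addresses and interface names below are assumed, not from the thread.
define WAN = eth0
define LAN = eth1
define DMZ = eth2
define LAN_NET = 192.168.10.0/24                 # assumed internal network
define ADMIN_HOSTS = { 198.51.100.5, 198.51.100.6 }   # assumed external management stations

table inet inbound {
    set public_servers {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.20 }    # assumed web/ftp and mail hosts in the DMZ
    }
    set dns_servers {
        type ipv4_addr
        elements = { 203.0.113.30 }                  # assumed authoritative DNS host in the DMZ
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid counter drop
        ct state established,related accept

        # Inbound UDP from the Internet: DNS to the name servers and nothing else.
        iifname $WAN oifname $DMZ ip daddr @dns_servers udp dport 53 accept
        iifname $WAN oifname $DMZ ip daddr @dns_servers tcp dport 53 accept

        # Inbound TCP: the public services, only to the servers that run them.
        # 21 only: FTP data connections are handled as "related" by the FTP
        # conntrack helper, not by opening port 20 or a passive port range.
        iifname $WAN oifname $DMZ ip daddr @public_servers tcp dport { 21, 25, 80, 110, 119, 443 } accept

        # Management protocols: same hosts, but only from the admin addresses.
        iifname $WAN ip saddr $ADMIN_HOSTS ip daddr @public_servers tcp dport { 22, 23, 3389 } accept
        iifname $WAN tcp dport { 22, 23, 3389 } log prefix "mgmt-from-unknown: " counter drop

        # Interface isolation: a compromised DMZ box must not reach the LAN.
        iifname $DMZ oifname $LAN counter drop
        # LAN users reach the DMZ only for the services it publishes;
        # LAN admins additionally get SSH/RDP to it. Nothing else crosses.
        iifname $LAN oifname $DMZ ip saddr $LAN_NET tcp dport { 21, 25, 80, 110, 443 } accept
        iifname $LAN oifname $DMZ ip saddr $LAN_NET tcp dport { 22, 3389 } accept

        # Anything reaching this line (including every other WAN->LAN packet)
        # falls to the chain's drop policy.
    }
}
```

The `log` rule in front of the management drop is deliberate: connection attempts to 22/23/3389 from addresses outside the admin set are the most useful thing this firewall can tell you about, so record them before discarding.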
 

Oaf357

Senior member
Sep 2, 2001
Now that's the kind of info I'm looking for.

Thanks randal. Please I'd like some more opinions and info.
 

randal

Golden Member
Jun 3, 2001
Oh, another thing ... we generally block *all* outbound from our servers (barring email) unless the session is already established -- meaning that our servers don't surf the web, they don't get windows updates from anywhere but our internal AD Controller, they don't go out on the net and do anything. Ever. This also very much limits their abilities if they *do* get compromised, as they can't be used for anything.

We had a big problem with that implementation and UDP, as there is no such thing as an "established connection" with it. We eventually determined that we'd be okay if we locked all incoming UDP down (exception: 53/dns) and allowed all outbound UDP 1024+ ... I still don't think this is very safe, as our servers could still wreak havoc on the internet ... maybe I'm novice / ignorant, but I haven't figured out a way to lock win2k into using a particular port range for outbound udp connections.

cheers,
randal
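The server-outbound lockdown randal describes, as an added nftables example (mine, not the thread's configuration). On a stateful Linux firewall the UDP problem does not arise in the same form: conntrack tracks UDP by 5-tuple, so the reply to a query a server sent matches `ct state established` even though UDP has no handshake, and there is no need to open outbound UDP 1024+ wholesale or to pin the server to a client port range. Interface names, the mail server, the internal resolver/AD controller and the internal update server are assumptions. Only the outbound direction is shown here; the inbound allow rules for the same servers belong in the same chain in a real deployment.

```nft
#!/usr/sbin/nft -f
# Added example: what DMZ servers may originate. All addresses assumed.
define WAN = eth0
define DMZ = eth2
define MAIL_SERVER = 203.0.113.20      # assumed: the only host allowed to send mail out
define INTERNAL_DNS = 192.168.10.2     # assumed: internal resolver / AD controller
define UPDATE_SERVER = 192.168.10.3    # assumed: internal patch distribution host

table inet outbound {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid counter drop
        # Conntrack treats a UDP datagram going back to the source port of a
        # datagram it saw leave as "established", so DNS answers and other UDP
        # replies come back without any blanket high-port rule.
        ct state established,related accept

        # The complete list of sessions a server may start:
        iifname $DMZ oifname $WAN ip saddr $MAIL_SERVER tcp dport 25 accept     # outbound mail
        iifname $DMZ ip daddr $INTERNAL_DNS udp dport 53 accept                  # resolution, internal only
        iifname $DMZ ip daddr $INTERNAL_DNS tcp dport 53 accept                  # large answers / zone transfer
        iifname $DMZ ip daddr $UPDATE_SERVER tcp dport { 80, 443 } accept        # patches from inside, never the Internet

        # Everything else a server tries to originate is evidence of a
        # compromise or a misconfiguration: log it, then drop it.
        iifname $DMZ oifname $WAN log prefix "dmz-outbound-denied: " counter drop
    }
}
```

Watch the `dmz-outbound-denied` log line after deploying: a web server suddenly trying to reach Internet DNS, IRC or an unknown host on 80/443 is exactly the post-compromise behaviour this policy exists to contain.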
 

skyking

Lifer
Nov 21, 2001
Port 23 (telnet) is one of the biggest security holes you can leave open, IMO. It is an easily exploited protocol, and best shut down at the firewall, unless you have a specific need for it. I try to do everything via SSH, if possible.
 

randal

Golden Member
Jun 3, 2001
Yes, telnet is a huge security hole, but if you have any legacy Cisco equipment (IOS less than 12.0.5.S) like we do, then you can't do SSH sessions ... which leaves telnet open (although heavily acl'd), despite the huge amount of insecurity it delivers.

randal
 

astralnaut

Member
Dec 2, 2002
In response to locking down Windows 2000 servers to use specific ports in the range above 1024, this topic comes up most often with Active Directory, RPC, misc. usage. There is a registry setting that allows you to set the ports used in the dynamic range. Reference Technet #224196.

Original Message by randal:
-----------------------------------
We eventually determined that we'd be okay if we locked all incoming UDP down (exception: 53/dns) and allowed all outbound UDP 1024+ ... I still don't think this is very safe, as our servers could still wreak havoc on the internet ... maybe I'm novice / ignorant, but I haven't figured out a way to lock win2k into using a particular port range for outbound udp connections.

 

Oaf357

Senior member
Sep 2, 2001
So telnet is definitely getting locked down.

This is good stuff here people. Thanks.

Typically when I set up a firewall I'll have it locked down tight, then as users' functions on the Internet stop working I'll take calls and ask whether or not the program they're using is a necessity. If it is then I will see if there are other people that use the same thing and reluctantly open a hole if there is. I will take this same approach when setting up the firewall at my house, whenever I finally get to it (this week or next).
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Oaf357
So telnet is definitely getting locked down.

This is good stuff here people. Thanks.

Typically when I set up a firewall I'll have it locked down tight, then as users' functions on the Internet stop working I'll take calls and ask whether or not the program they're using is a necessity. If it is then I will see if there are other people that use the same thing and reluctantly open a hole if there is. I will take this same approach when setting up the firewall at my house, whenever I finally get to it (this week or next).

I think there is an almost official term for that approach, but it has slipped my mind at the moment... :p
 

Buddha Bart

Diamond Member
Oct 11, 1999
Originally posted by: Oaf357
Typically when I set up a firewall I'll have it locked down tight, then as users' functions on the Internet stop working I'll take calls and ask whether or not the program they're using is a necessity. If it is then I will see if there are other people that use the same thing and reluctantly open a hole if there is.

Wow... that's as unprofessional as it is asinine.
 

randal

Golden Member
Jun 3, 2001
Originally posted by: astralnaut
In response to locking down Windows 2000 servers to use specific ports in the range above 1024, this topic comes up most often with Active Directory, RPC, misc. usage. There is a registry setting that allows you to set the ports used in the dynamic range. Reference Technet #224196.

Although our issue is primarily with locking down internet-bound udp packets, your reference helped me fix a problem we were having on a remote site. Many thanks!

randal :D