Firewall question

General question: In a firewall placed in a moderate to high security environment, which default policy (rule) is initially chosen and where do the rules come from that are implemented?

Hi

May be I dont understand the question well.

But can you explain whether u have a specific product in your mind? This can help before answering.

Regards
Cheetah

Weasel the default firewall stance these days is 'that which is not expressely allowed is denied'. In other words by default the firewall will drop ALL traffic and its up to you to choose what traffic it allows.

In the old days you got firewalls with the 'that which is not expressely denied is allowed' stance, meaning that it allowed everything and only blocked what you told it to. This is no longer used as firstly its much more insecure and secondly it requires much more work to choose exactly what to block.

So the default rule on every firewall these days is drop all (its sometimes known as the cleanup rule) and then you poke holes for whatever you want.

As far as how the rules are written it goes something like this :

You get the firewall, set it up with a default drop rule. Then you make a list of all services you need outgoing (for eg http, email etc) and you write rules to open those services up.

Then you list all the services you want coming inbound (if you run a webserver, mailserver etc) and you write rules to allow that inbound traffic. Thats pretty much it.

sahir though i agree with u , but i believe that you are talking in particular about the cisco ACL's implicit "deny all" statement or is it that what u say applies to most of the firewall products in the market ??

Nope Maximus, I'm talking about all firewall systems..
These days they all have the not expressely allowed is denied stance.. Cisco's implicit deny all is an example,

almost every iptables based firewall will also start with
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP (yes Chris we will argue about this one )

Checkpoint also adds the cleanup rule by default if I remember right.. something like
any source | any destination | any protocol | deny and it adds it to the bottom of the rule list.

Even the personal firewalls do the same thing.. when you run a program, it asks you whether to allow it or not.. in other words the default policy is don't accept anything.

This is known as the firewall's 'stance'.. and nowadays is the only stance used.. simply because you have to defend against 10,000 different types of attacks and have to allow only maybe 4-5 services..

Its much easier to configure what you want to allow than what you want to deny.

Hi

To put it simple & generic.

1. Drop everything by default unless otherwise specified.
2. Allow only what you need.

Regards
Cheetah