TOPIC: Firewall question

Firewall question 12 years 8 months ago #3080

  • weasel
General question: In a firewall placed in a moderate to high security environment, which default policy (rule) is initially chosen and where do the rules come from that are implemented?

Re: Firewall question 12 years 8 months ago #3090

  • Cheetah
Hi

Maybe I don't understand the question well.

But can you explain whether you have a specific product in mind? This can help before answering.

Regards
Cheetah
Kind Regards,
Cheetah
The outcome of devotion is, quality!

Re: Firewall question 12 years 8 months ago #3092

  • sahirh
Weasel, the default firewall stance these days is 'that which is not expressly allowed is denied'. In other words, by default the firewall will drop ALL traffic and it's up to you to choose what traffic it allows.

In the old days you got firewalls with the 'that which is not expressly denied is allowed' stance, meaning that it allowed everything and only blocked what you told it to. This is no longer used as, firstly, it's much more insecure and, secondly, it requires much more work to choose exactly what to block.

So the default rule on every firewall these days is drop all (it's sometimes known as the cleanup rule) and then you poke holes for whatever you want.

As far as how the rules are written, it goes something like this:

You get the firewall, set it up with a default drop rule. Then you make a list of all services you need outgoing (e.g. http, email etc.) and you write rules to open those services up.

Then you list all the services you want coming inbound (if you run a webserver, mailserver etc.) and you write rules to allow that inbound traffic. That's pretty much it.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: Firewall question 12 years 8 months ago #3095

  • MaXiMuS
Sahir, though I agree with you, I believe that you are talking in particular about the Cisco ACL's implicit "deny all" statement, or is it that what you say applies to most of the firewall products in the market? 8)

Re: Firewall question 12 years 8 months ago #3102

  • sahirh
Nope Maximus, I'm talking about all firewall systems..
These days they all have the not expressly allowed is denied stance.. Cisco's implicit deny all is an example,

almost every iptables based firewall will also start with
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP (yes Chris we will argue about this one ;))

Checkpoint also adds the cleanup rule by default if I remember right.. something like
any source | any destination | any protocol | deny and it adds it to the bottom of the rule list.

Even the personal firewalls do the same thing.. when you run a program, it asks you whether to allow it or not.. in other words the default policy is don't accept anything.

This is known as the firewall's 'stance'.. and nowadays is the only stance used.. simply because you have to defend against 10,000 different types of attacks and have to allow only maybe 4-5 services..

It's much easier to configure what you want to allow than what you want to deny.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
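
The default-drop stance and the outbound/inbound service lists described in the two posts above, as an added example that is not from any of the posters: a shell script that emits an iptables-restore ruleset with all three policies set to DROP and holes only for listed services, plus a check that a ruleset keeps that stance. The port lists, variable names and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: default-drop ruleset in iptables-restore format.
# Port lists below are assumptions; list only the services you need.
OUT_TCP="${OUT_TCP:-25 80 443}"  # outbound SMTP, HTTP, HTTPS
OUT_UDP="${OUT_UDP:-53}"         # outbound DNS
IN_TCP="${IN_TCP:-25 80}"        # inbound mail server, web server

build_ruleset() {
    echo '*filter'
    # The stance: whatever no rule below accepts is dropped.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback, plus replies on connections a rule already allowed.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Holes for outgoing services.
    for p in $OUT_TCP; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $OUT_UDP; do
        echo "-A OUTPUT -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Holes for inbound services hosted on this machine.
    for p in $IN_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Audit check: reads a ruleset (this format, or `iptables-save -t filter`
# output) on stdin and succeeds only if INPUT, FORWARD and OUTPUT all
# default to DROP.
policies_are_drop() {
    n=$(grep -Ec '^:(INPUT|FORWARD|OUTPUT) DROP ' || true)
    [ "$n" -eq 3 ]
}

# Print the ruleset; as root, pipe it to `iptables-restore --test` to
# parse it without committing, then to `iptables-restore` to apply it.
build_ruleset
```

With OUTPUT set to DROP, the ESTABLISHED,RELATED rule on OUTPUT is what lets the inbound services send their replies.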

Re: Firewall question 12 years 8 months ago #3105

  • Cheetah
Hi

To put it simply and generically:

1. Drop everything by default unless otherwise specified. :)
2. Allow only what you need. ;)

Regards
Cheetah
Kind Regards,
Cheetah
The outcome of devotion is, quality!