TOPIC: Firewall question

Firewall question 14 years 8 months ago #3080

  • weasel (Topic Author, New Member, Posts: 3)
General question: In a firewall placed in a moderate to high security environment, which default policy (rule) is initially chosen and where do the rules come from that are implemented?

Re: Firewall question 14 years 8 months ago #3090

Hi

Maybe I don't understand the question well.

But can you explain whether you have a specific product in mind? This can help before answering.

Kind Regards,
Cheetah
The outcome of devotion is, quality!

Re: Firewall question 14 years 8 months ago #3092

Weasel, the default firewall stance these days is 'that which is not expressly allowed is denied'. In other words, by default the firewall will drop ALL traffic and it's up to you to choose what traffic it allows.

In the old days you got firewalls with the 'that which is not expressly denied is allowed' stance, meaning that it allowed everything and only blocked what you told it to. This is no longer used as, firstly, it's much more insecure and, secondly, it requires much more work to choose exactly what to block.

So the default rule on every firewall these days is drop all (it's sometimes known as the cleanup rule) and then you poke holes for whatever you want.

As far as how the rules are written, it goes something like this:

You get the firewall, set it up with a default drop rule. Then you make a list of all services you need outgoing (e.g. HTTP, email etc.) and you write rules to open those services up.

Then you list all the services you want coming inbound (if you run a webserver, mailserver etc.) and you write rules to allow that inbound traffic. That's pretty much it.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: Firewall question 14 years 8 months ago #3095

Sahir, though I agree with you, I believe that you are talking in particular about the Cisco ACLs' implicit "deny all" statement. Or is it that what you say applies to most of the firewall products on the market?? 8)

Re: Firewall question 14 years 8 months ago #3102

Nope Maximus, I'm talking about all firewall systems.
These days they all have the 'not expressly allowed is denied' stance. Cisco's implicit deny all is an example,

almost every iptables-based firewall will also start with
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP   # (yes Chris, we will argue about this one ;))

Checkpoint also adds the cleanup rule by default if I remember right, something like
any source | any destination | any protocol | deny
and it adds it to the bottom of the rule list.

Even the personal firewalls do the same thing: when you run a program, it asks you whether to allow it or not. In other words, the default policy is don't accept anything.

This is known as the firewall's 'stance', and nowadays it is the only stance used, simply because you have to defend against 10,000 different types of attacks and have to allow only maybe 4-5 services.

It's much easier to configure what you want to allow than what you want to deny.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
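As an added example (not from the original thread or any of its posters), the procedure Sahir describes written out as a complete iptables script for a single host: set the three chain policies to DROP, then poke holes for the outbound services the host needs and the inbound services it offers, and finish with an explicit cleanup rule so dropped packets are logged and counted instead of silently hitting the chain policy. The service lists (outbound HTTP/HTTPS/SMTP and DNS, inbound web and mail), the DRY_RUN switch and the ipt wrapper are assumptions made for this example; FORWARD is left at DROP because the host is assumed not to route.

```shell
#!/bin/sh
# Added example: default-deny iptables policy built the way the thread describes.
# Usage:  DRY_RUN=1 sh firewall.sh      -> only print the iptables commands
#         sudo sh firewall.sh apply     -> install the rules (needs root)

IPT="${IPT:-iptables}"

# Assumed service lists for this example host.
OUT_TCP="80 443 25"   # outbound: HTTP, HTTPS, SMTP
OUT_UDP="53"          # outbound: DNS
IN_TCP="80 443 25"    # inbound: this host runs a web and a mail server

# Wrapper: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # 1. Stance: that which is not expressly allowed is denied.
    #    Policies first, then flush, so nothing slips in while rules are rebuilt.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F

    # Loopback, and replies to connections that were already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. Holes for outbound services: only NEW connections to listed ports.
    for p in $OUT_TCP; do
        ipt -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $OUT_UDP; do
        ipt -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done

    # 3. Holes for inbound services this host actually offers.
    for p in $IN_TCP; do
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # 4. Explicit cleanup rule at the bottom: rate-limited log, then drop.
    #    The chain policy would drop anyway; this makes the drops visible.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
    ipt -A INPUT -j DROP
}

if [ "${1:-}" = "apply" ] || [ -n "${DRY_RUN:-}" ]; then
    firewall_rules
fi
```

Anything not in the three lists (SSH inbound, for instance) is dropped and logged, which is the point of the stance: the work is in listing what to allow, and the cleanup rule tells you what the policy refused. Run it with DRY_RUN=1 first and read the generated rule list before applying it on a host you reach over the network.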

Re: Firewall question 14 years 8 months ago #3105

Hi

To put it simply and generically:

1. Drop everything by default unless otherwise specified. :)
2. Allow only what you need. ;)

Kind Regards,
Cheetah
The outcome of devotion is, quality!