[FW1] RE: Specifically allowing access services vs. specifically denying them
Well, you could just put a somewhat generic policy in place which allows the services you know you need, and deny everything else. When people start complaining of broken services, alter the policy accordingly.

Or, if your environment will not allow things to be done that way, you could allow all services you know you need, and then permit everything else but log this traffic. Then take time to analyze the logs and find out what looks like it could be legit traffic. Verify this is legit traffic, and alter the policy accordingly.

Either way, it's going to take some time and analysis of the traffic to find the unknowns. You may need to consult within your different departments, and find out who knows what about services on each of the servers.

I have gone through this process already, but my environment allowed me to take option #1. But then again, most of our services are pretty much standard for our production network, and the unknowns are on our internal network. So our approach had little to no impact on the production network.

~Doug

-----Original Message-----
From: Frank Tirado [mailto:[email protected]]
Sent: Thursday, November 02, 2000 1:49 PM
To: [email protected]; [email protected]
Subject: Specifically allowing access services vs. specifically denying them

Typically, our posture has been to allow services out through the firewall unless specifically denied. Soon, however, we will be "asked" to specifically allow only those outgoing services which are required. We decided to get a head start on things and try it out ourselves. We kept finding needed services that we had no idea existed (for example, http through unusual port numbers) and having to include them in the rules. My personal feeling is that this should be included among the labors of Tartarus as a never-ending task.

Has anyone out there gone through this process, and if so, how successful was it?
Regards,
Frank

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
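Doug's second option (permit-and-log everything not yet covered by an explicit allow, then mine the logs for services to turn into rules) is the part of this thread that benefits from a worked example. The script below is an added illustration, not code from either poster or from Check Point. It assumes a constructed, simplified key=value log line (action, src, dst, proto, dport); FW-1's real log layout is not shown on this page, so only the parsing function would need adapting. The design choice worth noticing is the split into two buckets: destination/port pairs reached by several distinct clients become rule candidates, while anything seen from a single host (Frank's "http through unusual port numbers", or one workstation talking to an odd port) is held for the human verification step Doug describes rather than being whitelisted automatically.

```python
"""Aggregate accepted-and-logged firewall traffic into candidate allow rules.

Added example for the permit-and-log discovery approach discussed in the
thread. The log format is a constructed key=value line, not Check Point's.
"""
import re
from collections import defaultdict

# Constructed sample log: a transition-period policy that accepts and logs
# unknown outbound traffic. Private/reserved documentation addresses only.
SAMPLE_LOG = """\
action=accept src=10.1.1.5 dst=192.0.2.10 proto=tcp dport=80
action=accept src=10.1.1.6 dst=192.0.2.10 proto=tcp dport=80
action=accept src=10.1.1.7 dst=192.0.2.10 proto=tcp dport=80
action=accept src=10.1.1.5 dst=192.0.2.20 proto=tcp dport=8080
action=accept src=10.1.1.5 dst=192.0.2.20 proto=tcp dport=8080
action=accept src=10.1.1.9 dst=198.51.100.3 proto=tcp dport=6667
action=accept src=10.1.2.2 dst=192.0.2.30 proto=udp dport=53
action=accept src=10.1.2.3 dst=192.0.2.30 proto=udp dport=53
action=drop src=10.1.1.5 dst=203.0.113.4 proto=tcp dport=23
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "src", "dst", "proto", "dport"}


def parse_line(line):
    """Parse one key=value record; returns {} for blank or incomplete lines."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED.issubset(fields) else {}


def summarize(log_text, min_sources=2):
    """Group accepted flows by (dst, proto, dport).

    Returns (candidates, review): services used by at least `min_sources`
    distinct clients, and services seen from fewer hosts, which should be
    confirmed with the owning department before they get a rule.
    """
    hits = defaultdict(int)
    sources = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["action"] != "accept":
            continue  # only accepted-and-logged traffic is discovery data
        key = (rec["dst"], rec["proto"], int(rec["dport"]))
        hits[key] += 1
        sources[key].add(rec["src"])

    rows = [
        {"dst": d, "proto": p, "dport": port,
         "hits": hits[(d, p, port)], "sources": len(sources[(d, p, port)])}
        for (d, p, port) in hits
    ]
    # Most widely used services first; ties broken deterministically.
    rows.sort(key=lambda r: (-r["sources"], -r["hits"], r["dst"], r["dport"]))
    candidates = [r for r in rows if r["sources"] >= min_sources]
    review = [r for r in rows if r["sources"] < min_sources]
    return candidates, review


def render_rules(candidates):
    """Render candidates as vendor-neutral pseudo-rules for the policy editor."""
    return [
        f"allow any -> {r['dst']} {r['proto']}/{r['dport']}"
        f"  # {r['hits']} hits from {r['sources']} hosts"
        for r in candidates
    ]


if __name__ == "__main__":
    cands, review = summarize(SAMPLE_LOG)
    print("Candidate rules:")
    for line in render_rules(cands):
        print("  " + line)
    print("Needs verification before a rule is written:")
    for r in review:
        print(f"  {r['dst']} {r['proto']}/{r['dport']} "
              f"({r['hits']} hits from {r['sources']} host)")
```

Run against the sample, the web server on 80 and the resolver on 53 come out as candidates, while the single-host 8080 and 6667 flows land in the review list. In practice the threshold and the grouping key (here destination plus port) are the tuning knobs: grouping by port alone surfaces services spread over many servers, and raising `min_sources` trades discovery speed for fewer accidental whitelist entries.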