
Re: [FW1] Specifically allowing access services vs. specifically denying them



We do much the same thing, and yes it is a struggle to keep on top of it.
We have a formalised request procedure requiring the paw print of both the
requesting user and his/her immediate manager, which is then vetted by
internal IT Security.  Add change control to this and you do impose
significant delay in getting simple requests actioned.  Each request is
given a finite life span, and is reviewed then kept/removed as appropriate
at the end of this period - being able to place expiry dates on
rules/objects would help us massively here, but........

The key is strong request procedures that have top level management
support.  If people feel that they can get protocols allowed by side
stepping the procedures, they will.

Regards





[email protected]@lists.us.checkpoint.com on 02/11/2000 18:48:36

Sent by:  [email protected]


To:   [email protected], [email protected]
cc:
Subject:  [FW1] Specifically allowing access services vs. specifically
      denying them



  Typically, our posture has been to allow services out through the
firewall unless specifically denied.  Soon, however, we will be
"asked" to specifically allow only those outgoing services which are
required.

  We decided to get a head start on things and try it out ourselves.
We kept finding needed services that we had no idea existed (for
example, http through unusual port numbers) and having to include them
in the rules.  My personal feeling is that this should be included
among the labors of Tartarus as a never ending task.

  Has anyone out there gone through this process, and if so, how
successful was it?

Regards,
  Frank


================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================








 
   All contents © 2004 Network Presence, LLC. All rights reserved.