
RE: [FW1] RE: Specifically allowing access services vs. specifically denying them

This process should start with a security policy.  Each department should
state the requirements they have for access outside of the borders of the
network you control, and justify them.  Build a document that states this
and have it signed off by the board.

Then implement a change control procedure where changes need to be requested
and assessed.

This method of letting stuff through because people appear to be using it is
not security, as you, the person responsible for maintaining security, have no
view of what is coming in and out of the firewall.

I know this is all easily said, but you may as well not bother otherwise.  I
ask you, how many connections that you see used are trojans?  How do you
know?

Paul.


-----Original Message-----
From: Doug Schmidt [mailto:[email protected]]
Sent: 02 November 2000 20:07
To: 'Frank Tirado'; Doug Schmidt;
[email protected]
Subject: [FW1] RE: Specifically allowing access services vs.
specifically denying them

Well, you could just put a somewhat generic policy in place which allows the
services you know you need, and deny everything else. When people start
complaining of broken services, alter the policy accordingly.

Or, if your environment will not allow things to be done that way, you could
allow all services you know you need, and then permit everything else but log
this traffic. Then take time to analyze the logs, find out what looks like it
could be legit traffic. Verify this is legit traffic, and alter the policy
accordingly.

Either way, it's going to take some time and analysis of the traffic to find
the unknowns. You may need to consult within your different departments, and
find out who knows what about services on each of the servers.

I have gone through this process already, but my environment allowed me to
take option #1. But then again, most of our services are pretty much standard
for our production network, and the unknowns on our internal network. So our
approach had little to no impact on the production network.

~Doug
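
Doug's second option (allow the known services, permit everything else but log it, then analyze the logs) as an added example that is not part of the original thread: a small Python triage script that tallies accepted traffic no explicit rule covers, so each port can be verified with the owning department before it becomes a rule. The log format, rule numbers, addresses and the KNOWN_SERVICES set are constructed for this example and are not Check Point's format.

```python
from collections import defaultdict

# Services already covered by explicit allow rules (constructed example list).
KNOWN_SERVICES = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("udp", 53)}

# Constructed accept/drop log lines in a made-up format:
# "<timestamp> <action> <proto> <src> <dst> <dport> <rule#>"
SAMPLE_LOG = """\
20001102T20:07:01 accept tcp 10.1.2.3 192.0.2.10 80 1
20001102T20:07:02 accept tcp 10.1.2.4 192.0.2.11 8080 99
20001102T20:07:03 accept tcp 10.1.2.4 192.0.2.12 8080 99
20001102T20:07:05 accept tcp 10.1.2.9 192.0.2.13 6667 99
20001102T20:07:06 accept udp 10.1.2.3 192.0.2.14 53 2
20001102T20:07:07 drop tcp 10.1.2.5 192.0.2.15 23 100
20001102T20:07:08 accept tcp 10.1.2.7 192.0.2.11 8080 99
"""

def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7 or not parts[5].isdigit():
        return None
    ts, action, proto, src, dst, dport, rule = parts
    return {"ts": ts, "action": action.lower(), "proto": proto.lower(),
            "src": src, "dst": dst, "dport": int(dport), "rule": rule}

def unknown_flows(log_text, known=KNOWN_SERVICES):
    """Tally accepted flows that no explicit allow rule covers, i.e. traffic
    that fell through to the catch-all permit-and-log rule, by (proto, port)."""
    report = defaultdict(lambda: {"count": 0, "sources": set(), "dests": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "accept":
            continue  # drops are already decided by policy; skip junk lines
        key = (rec["proto"], rec["dport"])
        if key in known:
            continue  # matched an explicit rule, nothing to review
        report[key]["count"] += 1
        report[key]["sources"].add(rec["src"])
        report[key]["dests"].add(rec["dst"])
    return dict(report)

def candidate_rules(report, min_sources=2):
    """Rank unknowns by volume. A port used from several hosts is a likely
    business service to verify with its owners; a single-host flow deserves
    a closer look first (it may be one machine, not a service)."""
    ranked = sorted(report.items(), key=lambda kv: -kv[1]["count"])
    return [(proto, port, e["count"], len(e["sources"]) >= min_sources)
            for (proto, port), e in ranked]

if __name__ == "__main__":
    print(candidate_rules(unknown_flows(SAMPLE_LOG)))
```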



-----Original Message-----
From: Frank Tirado [mailto:	]
Sent: Thursday, November 02, 2000 1:49 PM
To: [email protected]; [email protected]
Subject: Specifically allowing access services vs. specifically denying
them


  Typically, our posture has been to allow services out through the
firewall unless specifically denied.  Soon, however, we will be
"asked" to specifically allow only those outgoing services which are
required.  

  We decided to get a head start on things and try it out ourselves. 
We kept finding needed services that we had no idea existed (for
example, http through unusual port numbers) and having to include them
in the rules.  My personal feeling is that this should be included
among the labors of Tartarus as a never ending task.

  Has anyone out there gone through this process, and if so, how
successful was it?

Regards,
  Frank


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

