
Re: [FW1] Should the use of 'any' be avoided where possible?




NEVER use "any" in a rule, unless you are forced to, and the same should be said for service types.

You should always start from a DENY ALL standpoint, then define only what is necessary, and nothing more.

In some cases you would have to use "any", such as a rule to allow internet users to access a web server.

One battle I am having, and I suppose this is a common problem, is whether to allow ICMP (echo etc.) to all the hosts in my rules.
People jump to the conclusion that there is a "network" problem, or they might think the server is down, just because they can't "ping"
it. The problem is that ICMP can be used to tunnel nastiness and control trojans and the like, so it's dangerous to allow it.
I recommend only allowing ICMP echo to/from some management servers or engineers that really need it, and dropping it for everyone else.

----- Original Message -----
From: "Allan Pratt" <[email protected]>
To: <[email protected]>
Sent: Friday, April 27, 2001 6:28 PM
Subject: [FW1] Should the use of 'any' be avoided where possible?


>
>
> Hi,
>
> Is it considered good FW-1 practice to avoid the use of 'any' in the source
> and destination fields wherever possible?
>
> It is preferable to use network objects in the source/destination so as to
> limit the scope of the rule?
>
> Thanks!
>
> Allan
>
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
>

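The advice in the reply above (no "any" except for a public service, ICMP echo only to or from management hosts, and an explicit deny-all at the bottom) can be checked mechanically before a rulebase is pushed. The following is an added example written for this page; it is not FireWall-1 code and not from either poster. The rule representation (a list of `Rule` records with `src`, `dst`, `service`, `action`), the service names such as `icmp-echo`, and the host and network names are all constructed stand-ins for whatever objects a real rulebase uses.

```python
"""Audit a firewall rulebase against the 'avoid any' and ICMP-echo advice.

Added example (not FW-1 code). The Rule record, service names and host
names below are constructed stand-ins, not objects from a real rulebase.
"""
from dataclasses import dataclass

ANY = "any"
# Constructed service names that stand for ICMP echo in this model.
ICMP_ECHO = frozenset({"icmp-echo", "icmp-echo-request", "icmp"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset        # object names, or {"any"}
    dst: frozenset
    service: frozenset
    action: str           # "accept" or "drop"


def rule(name, src, dst, service, action):
    """Convenience constructor so rules can be written with plain sets."""
    return Rule(name, frozenset(src), frozenset(dst), frozenset(service), action)


def audit(rules, mgmt_hosts):
    """Return (rule_name, severity, message) tuples for rules that break the advice.

    - 'any' in destination or service (or in two or more fields) is an error.
    - 'any' only in source is flagged for review: it is the one case the thread
      accepts, a public service on a single server.
    - an ICMP echo accept whose source or destination is not entirely within
      the management hosts is an error.
    - the rulebase must end with an explicit any/any/any drop (the cleanup rule).
    """
    mgmt = frozenset(mgmt_hosts)
    findings = []
    for r in rules:
        if r.action != "accept":
            continue  # only permissive rules widen exposure
        wide = [f for f in ("src", "dst", "service") if ANY in getattr(r, f)]
        if wide == ["src"]:
            findings.append((r.name, "review",
                             "source 'any': acceptable only for a public service"))
        elif wide:
            findings.append((r.name, "error", "'any' in " + ", ".join(wide)))
        if r.service & ICMP_ECHO:
            scoped = r.src <= mgmt or r.dst <= mgmt
            if not scoped:
                findings.append((r.name, "error",
                                 "ICMP echo not limited to management hosts"))
    last = rules[-1] if rules else None
    has_cleanup = (last is not None and last.action == "drop"
                   and ANY in last.src and ANY in last.dst and ANY in last.service)
    if not has_cleanup:
        findings.append(("<rulebase>", "error",
                         "no explicit cleanup (deny all) rule at the end"))
    return findings


def decide(rules, src, dst, service):
    """First-match evaluation; anything unmatched is dropped (deny-all default)."""
    for r in rules:
        if ((src in r.src or ANY in r.src)
                and (dst in r.dst or ANY in r.dst)
                and (service in r.service or ANY in r.service)):
            return r.name, r.action
    return "<implicit>", "drop"


# Constructed sample rulebase and management hosts.
MGMT_HOSTS = {"mgmt-station", "noc-jump"}
SAMPLE_RULES = [
    rule("mgmt-ping", {"mgmt-station"}, {"dmz-net"}, {"icmp-echo"}, "accept"),
    rule("web-in", {ANY}, {"web-server"}, {"http"}, "accept"),
    rule("lan-out", {"lan-net"}, {ANY}, {ANY}, "accept"),
    rule("ping-all", {ANY}, {ANY}, {"icmp-echo"}, "accept"),
    rule("cleanup", {ANY}, {ANY}, {ANY}, "drop"),
]

if __name__ == "__main__":
    for name, severity, msg in audit(SAMPLE_RULES, MGMT_HOSTS):
        print(f"{severity:6} {name:10} {msg}")
    print(decide(SAMPLE_RULES, "internet-host", "web-server", "http"))
    print(decide(SAMPLE_RULES, "internet-host", "web-server", "ssh"))
```

Running it flags `lan-out` and `ping-all` as errors, lists `web-in` for review, and leaves `mgmt-ping` alone; the second `decide` call shows the `ssh` attempt falling through to the cleanup rule rather than being silently permitted.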