Date: Thu, 29 Jul 2010 12:17:49 +0100
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Peter Maxwell <peter@allicient.co.uk>
Cc: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: RE: For better security: always "block all" or "block in all" is enough?
Message-ID: <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com>
References: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com> <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>, <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com>
"Ask anyone who has done commercial firewall work...." <Rollseyes> Yes Peter, of course Peter </Rollseyes>

Meanwhile in the real world.... There are Governance, Risk, and Compliance reasons for logging all attempts to bypass security policy by hitting the default deny rule.

These reasons are both de-facto and de-jure obligatory.

The Operational and Reputational risks of driving security control points blind far outweigh the tiny residual risk of a putative DoS attack against a firewall policy with default block logging enabled.

Having made PF on FreeBSD bleed in the past through various nefarious testing methods, I can't say that taking the firewall offline through resource exhaustion (CPU, Storage, Network) caused by logging was ever a primary cause of a test failing.

Kind regards
Greg

From: allicient3141@gmail.com [allicient3141@gmail.com] On Behalf Of Peter Maxwell [peter@allicient.co.uk]
Sent: 29 July 2010 03:52
To: Greg Hennessy
Cc: Spenst, Aleksej; freebsd-pf@freebsd.org
Subject: Re: For better security: always "block all" or "block in all" is enough?

On 28 July 2010 20:39, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:
> What disadvantages does it have in terms of security in comparison with
> "block all"? In other words, how bad is it to have all outgoing ports always
> opened and whether someone can use this to hack the system?
>
> It's the principle of 'least privilege'. Explicitly allow what is permitted, deny everything else.
>
> It should also be block log all
>
> A default block policy without logging has a certain ass biting inevitability to it.

However not as much "ass biting" potential as with logging on. Ask anyone who has done commercial firewall work and they'll tell you not to enable logging on the default deny/drop rule unless you are debugging/testing - think denial of service.
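As an added illustration that is not from any poster in this thread, here is what the two policies being argued over look like as pf.conf rule sets: the `block in all` form that leaves every outbound port open, and the least-privilege `block log all` form with explicit pass rules. Each section is a separate pf.conf; the interface name em0, the permitted ports and the service set are assumptions.

```pf
# ---------------------------------------------------------------
# Variant 1 (weak): "block in all"
# Only inbound traffic hits the default deny. Anything originating on
# the host may reach any destination port, so a compromised process
# can talk outwards unhindered and nothing about it is logged.
# ---------------------------------------------------------------
ext_if = "em0"                       # assumed external interface
set skip on lo0
block in all                          # no "log": hits on the default rule are invisible
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# ---------------------------------------------------------------
# Variant 2 (least privilege): "block log all" plus explicit passes
# Both directions default to deny; every packet that falls through to
# this rule is recorded on pflog0, which is what the GRC argument
# above relies on. pf uses last-matching-rule semantics, so the pass
# rules below override the default for exactly the traffic listed.
# ---------------------------------------------------------------
ext_if = "em0"                       # assumed external interface
set skip on lo0
block log all                         # default deny, logged to pflog0

# Outbound: only the services this host is meant to use (assumed set).
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port 53 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 } keep state

# Inbound: only administrative SSH (assumed). Logging it separately
# keeps the default-deny log free of expected traffic.
pass in log on $ext_if proto tcp to ($ext_if) port 22 keep state

# Inspect what the default rule is dropping (run on the firewall):
#   tcpdump -n -e -ttt -i pflog0
```

Syntax-check either file with `pfctl -nf /etc/pf.conf` before loading it; the volume on pflog0 under variant 2 is the cost Peter is pointing at, and the regulatory record it produces is the benefit Greg is pointing at.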