Date:      Thu, 29 Jul 2010 12:17:49 +0100
From:      Greg Hennessy <Greg.Hennessy@nviz.net>
To:        Peter Maxwell <peter@allicient.co.uk>
Cc:        "Spenst, Aleksej" <Aleksej.Spenst@harman.com>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   RE: For better security: always "block all" or "block in all" is enough?
Message-ID:  <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com>
References:  <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com> <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>, <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com>

"Ask anyone who has done commercial firewall work...."

<Rollseyes>
    Yes Peter, of course Peter
</Rollseyes>

Meanwhile in the real world....
There are Governance, Risk, and Compliance reasons for logging all attempts to bypass security policy by hitting the default deny rule.
These reasons are both de-facto and de-jure obligatory.



The Operational and Reputational risks of driving security control points blind, far outweigh the tiny residual risk of a putative DoS attack against a firewall policy with default block logging enabled.


Having made PF on FreeBSD bleed in the past through various nefarious testing methods, I can't say that taking the firewall offline through resource exhaustion (CPU, Storage, Network) caused by logging was ever a primary cause of a test failing.




Kind regards

Greg



From: allicient3141@gmail.com [allicient3141@gmail.com] On Behalf Of Peter Maxwell [peter@allicient.co.uk]
Sent: 29 July 2010 03:52
To: Greg Hennessy
Cc: Spenst, Aleksej; freebsd-pf@freebsd.org
Subject: Re: For better security: always "block all" or "block in all" is enough?





On 28 July 2010 20:39, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:


> What disadvantages does it have in term of security in comparison with
> "block all"? In other words, how bad it is to have all outgoing ports always
> opened and whether someone can use this to hack the system?
>


It's the principle of 'least privilege'.  Explicitly allow what is permitted, deny everything else.

It should also be

       block log all

A default block policy without logging has a certain ass biting inevitability to it.




However not as much "ass biting" potential as with logging on.  Ask anyone who has done commercial firewall work and they'll tell you not to enable logging on the default deny/drop rule unless you are debugging/testing - think denial of service.



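The following pf.conf skeleton is an added illustration of the policy shape the thread argues over; it is not part of the thread and not anyone's production ruleset. The interface name `em0`, the management network `192.0.2.0/24` and the permitted ports are assumptions chosen for the example. It shows the difference between a bare `block in all` (outbound left open) and the `block log all` plus explicit `pass` rules that the least-privilege position calls for.

```pf
# Added example, not from the thread. Interface, network and ports are
# assumptions for illustration only.
ext_if    = "em0"            # assumed external interface
admin_net = "192.0.2.0/24"   # assumed management network (documentation range)

set skip on lo0              # never filter loopback

# Weak form discussed in the thread (kept here commented out): inbound is
# denied, but every outbound connection is implicitly permitted, so a
# compromised host can reach anything it likes.
#block in all

# Default deny in BOTH directions, logging every packet that reaches it.
# pf uses last-match semantics, so this rule sits first and the explicit
# 'pass' rules below override it for permitted traffic only. Anything that
# lands in the log is a policy violation, which is the audit trail Greg's
# GRC argument wants; because a block rule creates no state, every matching
# packet is logged, which is the volume Peter's DoS concern refers to.
block log all

# Explicit, stateful permits. Everything not listed falls through to the block.
pass in  on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state
pass in  on $ext_if proto tcp to ($ext_if) port { 80, 443 } keep state
pass out on $ext_if proto udp to any port 53 keep state
pass out on $ext_if proto tcp to any port { 80, 443 } keep state
pass out on $ext_if inet proto icmp icmp-type echoreq keep state
```

Logged packets go to the `pflog0` pseudo-interface, where pflogd(8) captures them in pcap format; they can be read with `tcpdump -n -e -ttt -r /var/log/pflog` or watched live with `tcpdump -n -e -ttt -i pflog0`. pflogd stores only the first snaplen bytes of each packet, which bounds the storage cost per logged packet, so a sustained flood hitting the default deny costs CPU and disk I/O rather than full packet storage. Load the ruleset with `pfctl -nf /etc/pf.conf` first to syntax-check it before `pfctl -f /etc/pf.conf`.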