Thomas Delrue on 2 Aug 2017 10:19:42 -0700



Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]


On August 2, 2017 1:05:33 PM EDT, Rich Freeman <r-plug@thefreemanclan.net> wrote:
>On Wed, Aug 2, 2017 at 11:16 AM, Rich Kulawiec <rsk@gsp.org> wrote:
>>
>> Which brings me to my point: why would you allow this when you can
>stop it?
>>
>
>What is the best way to go about this?  I assume you're talking about
>blocking outgoing traffic by default, since everybody already blocks
>incoming traffic by default.  It seems like you could spend a LOT of
>time playing whack-a-mole with firewall rules punching holes for
>legitimate traffic that way.

Rich, you say that as if that's a bad thing. Because once you've set it up, you're in a better place than the alternative. Namely, you pay up front and reap benefits at the back, instead of the usual cheap up front and an eternal expensive tail at the back. I don't think you quite got the point rsk was making... ;) I think his point is that you disallow everything by default and then only open up what you really need. When you've got that going, your maintenance and potential attack surface drop significantly.
I refer back to the included graph. 

It also makes you think twice about whether or not you /really/ need to be able to access X or Y before allowing it, which I think is a good thing. 
I think rsk's approach is a good one... and one I'm baffled to not see as the default practice. 
--
Thomas
(Sent from my mobile device,  please forgive brevity or typos.)
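As an added example (not from the thread), here is what the default-deny egress approach rsk and Thomas describe looks like as an nftables ruleset for one Linux host; the interface name and the resolver, NTP and management-network addresses are assumptions, and the logging rule at the end is there so that the "whack-a-mole" phase Rich worries about is driven by evidence from the logs rather than guesswork.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny egress policy for a single Linux host.
# Addresses below are RFC 5737 documentation ranges used as placeholders;
# IPv4 only for brevity, add matching ip6 rules for a dual-stack host.

flush ruleset

table inet filter {
    set egress_dns {
        type ipv4_addr
        elements = { 192.0.2.53 }        # assumed local resolver
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Inbound admin access only: SSH from the assumed management network
        ip saddr 192.0.2.0/24 tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Anything not listed below is dropped, so every allow is a decision
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Name resolution, only to the resolver we chose
        ip daddr @egress_dns udp dport 53 accept
        ip daddr @egress_dns tcp dport 53 accept

        # Time sync to one assumed NTP server
        ip daddr 192.0.2.123 udp dport 123 accept

        # Updates and web: HTTPS out (narrow to mirror addresses where possible)
        tcp dport 443 ct state new accept

        # Log dropped egress (rate-limited) so new allow rules are added
        # only after the log shows a real, legitimate need.
        limit rate 10/minute burst 20 packets log prefix "egress-drop: " level info
        counter drop
    }
}
```

Load it with `nft -f` from a console session rather than over SSH the first time, and review the `egress-drop:` log lines for a few days before deciding which holes are worth punching.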
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug