Rich Kulawiec on 4 Aug 2017 06:34:53 -0700
Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
On Wed, Aug 02, 2017 at 01:05:33PM -0400, Rich Freeman wrote:
> What is the best way to go about this? I assume you're talking about
> blocking outgoing traffic by default, since everybody already blocks
> incoming traffic by default. It seems like you could spend a LOT of
> time playing whack-a-mole with firewall rules punching holes for
> legitimate traffic that way.

Not just blocking outgoing traffic by default -- which everyone should have
been doing for the last 15 years -- but only enabling traffic in either
direction based on port, protocol, origination host, origination network,
origination country, destination host, destination network, destination
country, volume, frequency, etc.: any and all criteria.

Yeah, that's a lot to ask, but every one of those things cuts down on the
attack surface -- which means when an exploit emerges it will be much harder
for someone to use it. And since we know, a priori, that exploits *are*
coming, it's better to pre-emptively block them rather than frantically try
to patch when they arrive.

I suppose there are two things that become clear from that: the first is
that one size does not fit all. The way you approach this for a server farm
is different from the way you approach it on a desktop. The second is that
it requires that you know EXACTLY what network traffic you need, why you
need it, when you need it, where it's going, how much of it there should be,
etc.

Some folks say that the latter is hard or even impossible. And that's when I
quote Ranum -- from that same rant: "How can you call yourself a 'Chief
Technology Officer' if you have no idea what your technology is doing?"

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
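As an added illustration of the approach described in the message above (this is not code from the post or from the list), here is an nftables ruleset for a single server that drops in both directions by default and opens traffic only by port, protocol, source or destination host and network, and rate. All addresses are assumed placeholders, and the "country" set stands in for prefixes you would load from a geo-IP feed.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny in both directions, with explicit allows.
# All addresses are assumed placeholders (RFC 1918 and RFC 5737 ranges).
flush ruleset

define mgmt_net    = 10.0.10.0/24                 # where admins connect from
define dns_servers = { 10.0.0.53, 10.0.1.53 }     # the only resolvers we use
define ntp_servers = { 10.0.0.123 }               # the only time source we use
define mirror_net  = 192.0.2.0/24                 # internal package mirror

table inet filter {
    # Stand-in for a per-country allowlist; populate from a geo-IP feed.
    set allowed_countries_v4 {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # SSH only from the management network, new sessions rate-limited (frequency)
        ip saddr $mgmt_net tcp dport 22 ct state new limit rate 6/minute accept
        # Ping allowed but bounded (volume)
        icmp type echo-request limit rate 5/second accept
        log prefix "INPUT-DROP " counter
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # DNS and NTP only to our own servers (destination host + port + protocol)
        ip daddr $dns_servers udp dport 53 accept
        ip daddr $dns_servers tcp dport 53 accept
        ip daddr $ntp_servers udp dport 123 accept
        # Updates only from the internal mirror (destination network)
        ip daddr $mirror_net tcp dport { 80, 443 } accept
        # Outbound HTTPS only to allowlisted prefixes (destination "country")
        ip daddr @allowed_countries_v4 tcp dport 443 accept
        log prefix "OUTPUT-DROP " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Everything not listed, IPv6 included, falls through to the logged default drop, which is exactly the "know what traffic you need" inventory the post calls for: each logged drop is either an attack or a flow you forgot to document.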