Rich Kulawiec on 8 Aug 2017 08:18:08 -0700
Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
On Wed, Aug 02, 2017 at 02:39:52PM -0400, Rich Freeman wrote:
> Do you simply not have any desktop web traffic on your network?
> Whitelisting every domain you visit in a browser sounds like anything
> but "hardly any maintenance."

But that's not how it's done -- for exactly that reason.

Let's say you have a subnet of desktops somewhere inside your operation. Clearly, they're going to need a different set of rules than the servers you have elsewhere. They may also need a different set of DNS servers for reasons I'll get into momentarily.

One approach to that is to open up outbound HTTP from that subnet BUT to block by destination network (e.g., the DROP list) and destination country (e.g., is there a business need to reach web sites in Peru?) and destination port (trickier, but manageable most of the times that I've deployed it) and source port (e.g., outbound HTTP requests should not be originating from port 25) and by source host operating system (using passive OS fingerprinting) and to limit bandwidth: what's the aggregate maximum *outbound* HTTP traffic observed? And so on: the approach is to think about every characteristic of the traffic and then think about what you really need. E.g., chances are high that if in fact there's outbound HTTP traffic originating on port 25 from your desktop subnet that something very bad is happening and that you're well-served by not letting it out.

The reason for different DNS servers is that it's often desirable to use RPZ to block DNS servers that are in known-hostile space. In other words, using the DROP list as an example, not only do you not wish to allow outbound HTTP connections which terminate in DROP-listed IP space, you do not wish to allow name resolution via DNS servers which reside in DROP-listed IP space.

It's also often desirable to use RPZ to block the resolution of names in TLDs that are overrun with attackers/abusers. For example: .xyz. I'm aware of about 2.3M .xyz domains but of only one that's worth resolving. Oh, I'm sure there are more. I'm also sure that in most environments those few can be manually enumerated... which is more than worth it given the ratio of bad/good. There are hundreds of other new gTLDs that are equally overrun with abusers: I know, this is part of a research project of mine that's been running for 15 years. So while this isn't strictly a firewall measure per se, it complements what's done there.

There are all kinds of approaches to implementing this, and these (above) are just some examples of those: but they're all consistent with the philosophy of allowing your systems the least access that they need to perform their functions.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
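The egress policy described above (default deny; then filter the desktop subnet's web traffic by destination network, destination country, destination port, source port and passive OS fingerprint, with an aggregate bandwidth cap) expressed as an OpenBSD pf.conf fragment. This is an added illustration, not the author's ruleset: the interface names, the 10.10.20.0/24 subnet, the table file paths, the "Windows" fingerprint and the 5M ceiling are assumptions, and the DROP and country CIDR files are assumed to be refreshed out of band. Filtering is done on the inside interface so the rules see the desktops' real source addresses before any NAT.

```conf
# /etc/pf.conf fragment (added example; names and numbers are assumptions)
int_if   = "em1"               # faces the desktop subnet
ext_if   = "em0"               # faces the Internet
desktops = "10.10.20.0/24"

# Destination networks nobody has a business reason to reach (e.g. the
# Spamhaus DROP list) and per-country CIDRs, one prefix per line in each
# file, maintained by a cron job outside pf.
table <drop>     persist file "/etc/pf/drop.txt"
table <geo_deny> persist file "/etc/pf/geo_deny.txt"

# Aggregate ceiling on outbound web traffic from the desktops.  Size "max"
# from the peak you actually observe, not from a guess.
queue rootq       on $ext_if bandwidth 100M
queue desktop_web parent rootq bandwidth 5M max 5M
queue default     parent rootq bandwidth 95M default

set skip on lo
block log all                  # least access: deny everything not listed

# Destination-network and destination-country filters, checked first.
block in log quick on $int_if from $desktops to <drop>
block in log quick on $int_if from $desktops to <geo_deny>

# Web only, to the two web ports only, from an ephemeral source port only
# (a request "from" port 25 is never legitimate here), and only from hosts
# whose TCP stack matches the deployed desktop image.  The state inherits
# the queue, so the traffic is shaped as it leaves on $ext_if.
pass in quick on $int_if proto tcp from $desktops port > 1023 os "Windows" \
    to any port { 80 443 } flags S/SA keep state set queue desktop_web
pass out on $ext_if proto tcp from $desktops to any port { 80 443 } \
    flags S/SA keep state

# Anything else from the desktop subnet is dropped and logged.
block in log quick on $int_if from $desktops to any
```

`pfctl -nf /etc/pf.conf` checks the syntax before loading, and `pfctl -t drop -T replace -f /etc/pf/drop.txt` refreshes the table in place when the list changes. The logged blocks are the interesting part operationally: a hit on the "port > 1023" or "os" condition from a desktop is exactly the "something very bad is happening" signal the post describes.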
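The DNS half of the same policy, as an added example rather than anything from the original post: a POSIX shell script that turns a DROP-format list into BIND RPZ records, using NSIP triggers (refuse to resolve through authoritative servers in that space) and IP triggers (refuse answers that point into it), and appends a block for an entire TLD with explicit passthru exceptions for the few names worth resolving. The DROP list embedded below is a constructed sample in the real list's "CIDR ; SBL reference" format, not Spamhaus data; `good.example.xyz` is a made-up exception, and the SOA/NS owner names are placeholders. The zone is used via `response-policy { zone "rpz.local"; };` in named.conf.

```shell
#!/bin/sh
# Build a BIND RPZ zone from a DROP-style list plus a TLD blocklist.
# Added example, not from the original post.  DROP_SAMPLE is constructed
# data in the real list's format, not the actual Spamhaus DROP list.
set -eu

DROP_SAMPLE='; DROP list (constructed sample for this example)
5.134.128.0/19 ; SBL000001
37.9.42.0/24 ; SBL000002
; comment line
'

# Turn a CIDR into the owner-name prefix RPZ uses for address triggers:
#   5.134.128.0/19 -> 19.0.128.134.5   (prefix length, then reversed octets)
rpz_rev() {
    cidr=$1
    ip=${cidr%/*}
    plen=${cidr#*/}
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    printf '%s.%s.%s.%s.%s\n' "$plen" "$4" "$3" "$2" "$1"
}

# Read DROP-format lines on stdin; emit an NSIP trigger (no resolution via
# name servers in that space) and an IP trigger (no answers pointing into
# it) for each network.  CNAME . is the RPZ "NXDOMAIN" action.
drop_to_rpz() {
    while IFS= read -r line; do
        net=${line%%;*}                     # strip "; SBLxxxx" comment
        net=$(printf '%s' "$net" | tr -d ' \t')
        [ -n "$net" ] || continue
        rev=$(rpz_rev "$net")
        printf '%s.rpz-nsip\tCNAME\t.\n' "$rev"
        printf '%s.rpz-ip\tCNAME\t.\n' "$rev"
    done
}

# Block a whole TLD, manually enumerating the names that may still resolve.
# An exact-name rule beats the wildcard, so the passthru entries win.
# usage: tld_to_rpz TLD [good.name ...]
tld_to_rpz() {
    tld=$1; shift
    for good in "$@"; do
        printf '%s\tCNAME\trpz-passthru.\n' "$good"
    done
    printf '%s\tCNAME\t.\n' "$tld"
    printf '*.%s\tCNAME\t.\n' "$tld"
}

# Assemble the complete zone file on stdout.
rpz_zone() {
    cat <<'EOF'
$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN NS  localhost.
EOF
    printf '%s' "$DROP_SAMPLE" | drop_to_rpz
    tld_to_rpz xyz good.example.xyz
}

rpz_zone
```

Run it as `sh rpz.sh > /var/named/rpz.local` and reload named; `named-checkzone rpz.local /var/named/rpz.local` validates the result. Point the desktop subnet at the resolver that loads this zone and the server subnet at one that does not, which is the "different set of DNS servers" the post refers to.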