[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: blocking kazaa



Hello,

On Tue, Nov 19, 2002 at 01:05:35PM -0600, Jamin W. Collins wrote:
> On Tue, Nov 19, 2002 at 07:11:32PM +0100, ezra daniel wrote:
> 
> > In every firewall manual its explained that a good firewall should
> > allow only certain traffic and always block/drop the rest...
> 
> In some cases this should be taken in moderation.  The admin needs to
> balance convenience and security.  In most cases the more secure that
> something becomes, the less convenient it becomes.

Right.

> Additionally, how would you deal with blocking client side applications
> that masquerade as other types of traffic?  Such as clients that connect
> to remote hosts on ports like 80, 22, 53, etc that your site allows out
> as legitimate traffic.  

I suggest you read "Building Internet Firewalls" - it comes with
some quite good answers to your questions. 

Port 80: http, easy thing. Allow web access only through an
application level proxy server like squid.
Port 53: dns, same game. Why do local machines need to query
external name servers? Provide an internal name server that forwards
all requests
Port 22: ssh, not that easy, but doable. Provide a bastion host
where anyone with the need to ssh to external machines gets an
account. Allow connections to the ssh port only to one special
group (no problem with netfilter) and make the ssh binary
set-group-id to that group.

Basic action, either make the sending host trusted such that no
forbidden client accesses special ports, or make the taffic trusted
by forcing it through a proxy server that understands the used
protocol (socks is not an option, and forcing does not necessarily
mean transparent proxying).

> > He seems not to be doing so.
> 
> Most firewall scripts that I've seen set a default DROP policy for all
> inbound external traffic and a default allow for all outbound internal
> traffic.  For most sites, this is an acceptable compromise.

That depends on how important it is to prevent e.g. worms from
connecting external machines. 

Ciao, Arne.
-- 
 ,``o. OpenBSD        -        Debian GNU/Linux        -        Solaris  >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11  Arne P. Boettger <apb@createx.de>  /\\
 ',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V

Attachment: pgpnWUPaoesrl.pgp
Description: PGP signature


Reply to: