Firewall rules

Alan Munday dccmail@brightheadtechnology.com
Thu Sep 16 08:10:07 UTC 2004


> -----Original Message-----
> From: dcc-admin@rhyolite.com [mailto:dcc-admin@rhyolite.com] 
> On Behalf Of Bob George
> Sent: Thursday, September 16, 2004 12:59 AM
> To: dcc@rhyolite.com
> Subject: Re: Firewall rules
> 
> 
> Vernon Schryver wrote:
> 
> > [...] What wording do you suggest?
> 
> I do a fair amount of security work, and count on routinely finding
> routers configured similarly to illustrate weaknesses. Might I suggest
> that you not bother saying HOW to secure the user's firewall, but rather
> focus on accurately describing WHAT needs to be allowed through: "Allow
> udp FROM port <whatever> on the client to port <whatever> on the
> server." Leave it up to the user to figure out how to do it with their
> specific firewall, or ask help from someone who understands it. That
> probably frees you from the entire liability concern in the 1st place.

I agree with this approach, as I see people referring to their firewalls
which upon examination turn out to be anything from routers with a few
firewall capabilities (control over one direction of traffic), to routers
with simple firewall implementations (bi-directional control, but limited
function), to dedicated firewall products (which also vary greatly in
function). Another consideration is that across these product ranges the
implementation logic can be quite different, which makes the task of
describing how to implement more difficult. Lastly, different organisations
do have different approaches as to how they wish their firewalls to be
set up, which you would not be able to second-guess.

Alan



