Date:      Thu, 29 Jul 2010 16:02:26 +0100
From:      Peter Maxwell <peter@allicient.co.uk>
To:        Greg Hennessy <Greg.Hennessy@nviz.net>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: For better security: always "block all" or "block in all" is enough?
Message-ID:  <AANLkTim+a0aHy2eDKeiU0cGr1gzOvbwyWLTXo_N34Q3d@mail.gmail.com>
In-Reply-To: <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local>
References:  <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com> <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local> <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt+M9AXV6FZ@mail.gmail.com> <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local>

Ah, sarcasm - that implies you must be right.

If, as you say, there are "Governance, Risk, and Compliance reasons",
perhaps you'd like to specify one or two for each category?

Logging a default deny on an internal firewall, yes - ok - I agree with you,
that's probably reasonable.  However, logging every blocked packet on an
internet facing firewall is plain daft.  Even the storage requirements would
be somewhat onerous, and that's before trying to process the data into
something meaningful.  And all to confirm that there's a lot of noise and
port scanning going on.

In practical terms, it may not make much of a difference with pf on FreeBSD
- personally, I haven't tested it.  I have however seen commercial firewalls
fall over from less.  What sort of bandwidth and new connections per second
rates and hardware were you using, out of interest?
On 29 July 2010 12:17, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:

> "Ask anyone who has done commercial firewall work...."
>
> <Rollseyes>
>    Yes Peter, of course Peter
> </Rollseyes>
>
> Meanwhile in the real world....
> There are Governance, Risk, and Compliance reasons for logging all attempts
> to bypass security policy by hitting the default deny rule.
> These reasons are both de-facto and de-jure obligatory.
>
>
>
> The Operational and Reputational risks of driving security control points
> blind, far outweigh the tiny residual risk of a putative DoS attack against
> a firewall policy with default block logging enabled.
>
>
> Having made PF on FreeBSD bleed in the past through various nefarious
> testing methods, I can't say that taking the firewall offline through
> resource exhaustion (CPU, Storage, Network) caused by logging was ever a
> primary cause of a test failing.
>
> Kind regards
>
> Greg
>
>
>
> From: allicient3141@gmail.com [allicient3141@gmail.com] On Behalf Of Peter
> Maxwell [peter@allicient.co.uk]
> Sent: 29 July 2010 03:52
> To: Greg Hennessy
> Cc: Spenst, Aleksej; freebsd-pf@freebsd.org
> Subject: Re: For better security: always "block all" or "block in all" is
> enough?
>
> On 28 July 2010 20:39, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:
>
>
> > What disadvantages does it have in term of security in comparison with
> > "block all"? In other words, how bad is it to have all outgoing ports
> > always opened and whether someone can use this to hack the system?
> >
>
>
> It's the principle of 'least privilege'.  Explicitly allow what is
> permitted, deny everything else.
>
> It should also be
>
>       block log all
>
> A default block policy without logging has a certain ass biting
> inevitability to it.
>
> However not as much "ass biting" potential as with logging on.  Ask anyone
> who has done commercial firewall work and they'll tell you not to enable
> logging on the default deny/drop rule unless you are debugging/testing -
> think denial of service.
>
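
As an added illustration (not posted by any participant in this thread), the following pf.conf sketch shows what the two default-deny styles and the logging choice argued about above look like on a FreeBSD gateway. Interface names, the LAN network, the admin host and the permitted ports are assumptions made up for the example, not anything the thread states:

```pf
# Added example; em0/em1, 192.168.1.0/24 and the port list are assumptions.
ext_if    = "em0"             # internet-facing interface
int_if    = "em1"             # LAN-facing interface
lan_net   = "192.168.1.0/24"
admin_host = "192.168.1.10"

set skip on lo0
scrub in all

# NAT the LAN out of the external address
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- Style 1: "block in all" -------------------------------------------
# Only inbound traffic is denied by default; anything the box or the LAN
# originates is allowed unless a later rule blocks it.  This is the
# "all outgoing ports always opened" case from the original question.
#
#   block in all

# --- Style 2: "block all" (least privilege) ----------------------------
# Both directions are denied by default, so every permitted flow needs an
# explicit pass rule.  Written per interface so the log keyword can be
# applied selectively: hits on the internal default deny are logged to
# pflog0, hits on the internet-facing default deny are only counted.
block drop in log on $int_if all
block drop in on $ext_if all
block drop out all

# Explicit allow list: LAN clients may resolve names and browse
pass in  on $int_if proto { tcp udp } from $lan_net to any port { 53 80 443 } keep state
pass in  on $int_if proto icmp from $lan_net to any
pass out on $ext_if proto { tcp udp } to any port { 53 80 443 } keep state
pass out on $ext_if proto icmp to any

# Inbound SSH from the internet to the gateway itself
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Management of the gateway from one LAN host only
pass in on $int_if proto tcp from $admin_host to ($int_if) port 22 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and compare the two default-deny rules afterwards with `pfctl -vsr`: the external block rule still accumulates packet and byte counters even though nothing it drops is written to the log, while the internal one can be read back with `tcpdump -n -e -ttt -i pflog0` (the pflog interface needs `pflog_enable="YES"` in rc.conf). Whether the external rule should also carry `log` is exactly the trade-off the two posters disagree on; the split above is one way to keep the internal visibility while not logging internet background noise.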



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTim%2Ba0aHy2eDKeiU0cGr1gzOvbwyWLTXo_N34Q3d>