For better security: always "block all" or "block in all" is enough?

Peter Maxwell peter at allicient.co.uk
Thu Jul 29 21:09:48 UTC 2010


On 29 July 2010 20:08, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:

>
>
> > If, as you say, there are "Governance, Risk, and Compliance reasons",
> > perhaps you'd like to specify one or two for each category?
>
> Start with an ISMS derived from 27k, add a soupcon of PCI DSS requirement
> 10, Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the
> picture.
>


An ISMS is a company defined document so will likely have different entries
or even none at all for that matter depending on the company.  In a previous
company I worked for, you would have just supported my point.

And nice try, what documents & sections in PCI DSS, Basel II, and SOX are
you referring to?



> > Logging a default deny on an internal firewall, yes - ok - I agree with
> > you, that's probably reasonable.
>
> Only probably? How much 'commercial' firewall work have you done again,
> seriously ?
>

Again?  I didn't tell you to begin with.  As it happens, more than ten
years, a significant proportion of which was in a major ISP.  Since we're
playing whose willy is bigger, what about yourself?



>
> > However, logging every blocked packet on an internet facing firewall is
> > plain daft.
>
> Saying it doesn’t make it so.
>

The converse applies to your position.



>
> > Even the storage requirements would be somewhat onerous,
>
> Storage is cheap. Damage to reputation caused by being in breach of
> regulatory requirements w.r.t log retention is not.
>

Not that cheap.  And at the current point in time, in the UK at least, I
know of no statutory requirement to keep such logs.

I'd asked before what sort of bandwidth & connections per second the
firewalls you/you've worked on tend to handle?




>
> > and that's before trying to process the data into something meaningful.
> > And all to confirm that there's a lot of noise and port scanning going
> > on.
>
> Or it's part of a much larger picture which is fed into an SIEM system for
> event correlation and consequent alerting.
>

So, you're also exposing a node in your SEM to a shed load of unnecessary
noise.



>
> Firewalls are not the only security control points
>

Nope, they're not.  They're also a fairly blunt instrument but must be
extremely reliable.
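The setup the thread argues over, as an added pf.conf example that is not from the original post or either poster: a default deny in both directions, logged on the internal interface only, so the internet-facing side generates no per-packet log volume. The interface names, the admin network and the separate pflog1 interface are assumptions.

```pf
# Added illustration, not from the original thread. Interface names,
# $admin_net and pflog1 are assumed values for the example.
ext_if = "em0"              # internet-facing interface (assumed name)
int_if = "em1"              # internal/LAN interface (assumed name)
admin_net = "10.0.0.0/24"   # constructed example network

set skip on lo0

# Default deny in both directions. Without "log", a packet dropped on the
# internet-facing side costs no disk space and sends nothing to a SIEM.
block all

# On the internal interface the volume is bounded by your own hosts, so a
# logged default deny is cheap and is the traffic you actually want to see.
# (Last matching rule wins, so this overrides "block all" for $int_if.)
block in log on $int_if all

# Explicit permits; with "keep state" only the first packet is evaluated.
pass in on $int_if from $admin_net to any keep state
pass out on $ext_if keep state

# If a retention requirement really does demand a record of external drops,
# send them to a separate pflog interface so the noise can be filtered or
# sampled before it reaches a SIEM, instead of sharing pflog0 with real events.
# block in log (to pflog1) on $ext_if all
```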

