For better security: always "block all" or "block in all" is
enough?
Peter Maxwell
peter at allicient.co.uk
Thu Jul 29 15:02:28 UTC 2010
Ah, sarcasm - that implies you must be right.
If, as you say, there are "Governance, Risk, and Compliance reasons",
perhaps you'd like to specify one or two for each category?
Logging a default deny on an internal firewall, yes - ok - I agree with you,
that's probably reasonable. However, logging every blocked packet on an
internet facing firewall is plain daft. Even the storage requirements would
be somewhat onerous, and that's before trying to process the data into
something meaningful. And all to confirm that there's a lot of noise and
port scanning going on.
In practical terms, it may not make much of a difference with pf on FreeBSD
- personally, I haven't tested it. I have however seen commercial firewalls
fall-over from less. What sort of bandwidth and new connections per second
rates and hardware were you using, out of interest?
On 29 July 2010 12:17, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:
> "Ask anyone who has done commercial firewall work...."
>
> <Rollseyes>
> Yes Peter, of course Peter
> </Rollseyes>
>
> Meanwhile in the real world....
> There are Governance, Risk, and Compliance reasons for logging all attempts
> to bypass security policy by hitting the default deny rule.
> These reasons are both de-facto and de-jure obligatory.
>
>
>
> The Operational and Reputational risks of driving security control points
> blind, far outweigh the tiny residual risk of a putative DoS attack against
> a firewall policy with default block logging enabled.
>
>
> Having made PF on FreeBSD bleed in the past through various nefarious
> testing methods, I can't say that taking the firewall offline through
> resource exhaustion (CPU, Storage, Network) caused by logging was ever a
> primary cause of a test failing.
>
>
>
>
> Kind regards
>
> Greg
>
>
>
> From: allicient3141 at gmail.com [allicient3141 at gmail.com] On Behalf Of Peter
> Maxwell [peter at allicient.co.uk]
> Sent: 29 July 2010 03:52
> To: Greg Hennessy
> Cc: Spenst, Aleksej; freebsd-pf at freebsd.org
> Subject: Re: For better security: always "block all" or "block in all" is
> enough?
>
>
>
>
>
> On 28 July 2010 20:39, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:
>
>
> > What disadvantages does it have in term of security in comparison with
> > "block all"? In other words, how bad it is to have all outgoing ports
> always
> > opened and whether someone can use this to hack the sysem?
> >
>
>
> It's the principle of 'least privilege'. Explicitly allow what is
> permitted, deny everything else.
>
> It should also be
>
> block log all
>
> A default block policy without logging has a certain ass biting
> inevitability to it.
>
>
>
>
> However not as much "ass biting" potential as with logging on. Ask anyone
> who has done commercial firewall work and they'll tell you not to enable
> logging on the default deny/drop rule unless you are debugging/testing -
> think denial of service.
>
More information about the freebsd-pf
mailing list