You should block every service that does not have an explicit business need.
In the olden days (say, five years ago), we had the luxury of being able to
block just the handful of services with known security holes. Nowadays, any
service you let through your firewall exposes you both to the risks of that
particular service and to a tunnel an attacker can use to communicate with a
backdoor. So, where in the past you may have closed eight services or so and
left the rest open, now you must close them all at the firewall (a default-deny
policy) and open only the services you really need. If you have a Web server,
allow only Web requests and their responses. If you have a DNS server, allow
DNS requests and responses, and so on.
Please keep in mind that you must implement this in both directions:
incoming and outgoing. Some folks think that if they just filter incoming
connections, they are safe. However, outgoing connections are increasingly
used by the bad guys to communicate with backdoors. I can hack your boxes
through a permitted incoming connection (say I use a buffer overflow carried
in HTTP or DNS traffic). I use that overflow to configure your boxes to push a
shell out to me, using a tool like Netcat, a reverse WWW shell (which tunnels
the shell over outbound HTTP, so it looks like ordinary Web traffic) or even
plain old X Window terminals. Then I have shell access coming in over your
outgoing traffic. Bummer. That's why you have to block all traffic, coming in
or going out, except for the services you absolutely need, and why your
outbound rules should name the permitted destinations (for example, your own
DNS resolver) as well as the ports wherever you can.
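To make the two-direction point concrete, here is an added example (not code from the original column) that models a small stateful packet filter and runs the reverse-shell sequence described above through two policies: one that filters only incoming connections, and one that is default-deny in both directions. The hosts, addresses (RFC 5737 test ranges) and ports are assumed for illustration.

```python
# Added example: a small stateful packet-filter model used to show why an
# ingress-only firewall leaves the reverse-shell path open. Not code from the
# original column; hosts, ports and addresses below are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

WEB_SERVER = "192.0.2.10"      # assumed protected host
RESOLVER = "192.0.2.53"        # assumed permitted DNS resolver
ATTACKER = "203.0.113.7"       # assumed attacker-controlled host
CLIENT = "198.51.100.25"       # assumed ordinary Web client

@dataclass(frozen=True)
class Rule:
    direction: str             # "in" or "out": direction of a NEW connection
    proto: str                 # "tcp" or "udp"
    dport: Optional[int]       # None matches any destination port
    dst: Optional[str] = None  # None matches any destination host

@dataclass
class Firewall:
    allow: List[Rule]
    default_in: str            # verdict when no ingress rule matches
    default_out: str           # verdict when no egress rule matches
    conns: Set[Tuple[str, str, int, str, int]] = field(default_factory=set)
    dropped_egress: List[Tuple[str, int]] = field(default_factory=list)

    def packet(self, direction: str, proto: str, src: str, sport: int,
               dst: str, dport: int) -> str:
        """Return "accept" or "drop" for one packet, updating the connection
        table the way a stateful filter would."""
        flow = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        # Traffic belonging to an already-accepted connection passes in either
        # direction; this is what "requests and responses" means in practice.
        if flow in self.conns or reverse in self.conns:
            return "accept"
        for r in self.allow:
            if (r.direction == direction and r.proto == proto
                    and r.dport in (None, dport) and r.dst in (None, dst)):
                self.conns.add(flow)
                return "accept"
        verdict = self.default_in if direction == "in" else self.default_out
        if verdict == "accept":
            self.conns.add(flow)
        elif direction == "out":
            # A server initiating a connection nobody allowed is worth logging.
            self.dropped_egress.append((dst, dport))
        return verdict

def ingress_only_firewall() -> Firewall:
    """The 'we only filter incoming' design the column warns about."""
    return Firewall(allow=[Rule("in", "tcp", 80), Rule("in", "tcp", 443)],
                    default_in="drop", default_out="accept")

def both_directions_firewall() -> Firewall:
    """Default-deny both ways: only the Web service in, only DNS to the
    known resolver out."""
    return Firewall(allow=[Rule("in", "tcp", 80), Rule("in", "tcp", 443),
                           Rule("out", "udp", 53, RESOLVER)],
                    default_in="drop", default_out="drop")

def reverse_shell_scenario(fw: Firewall) -> Dict[str, str]:
    """Walk the sequence from the text: an inbound HTTP request carries the
    overflow, then the compromised server tries to push a shell out."""
    return {
        "client_http_request": fw.packet("in", "tcp", CLIENT, 51000, WEB_SERVER, 80),
        "server_http_reply":   fw.packet("out", "tcp", WEB_SERVER, 80, CLIENT, 51000),
        "dns_to_resolver":     fw.packet("out", "udp", WEB_SERVER, 40000, RESOLVER, 53),
        # Netcat-style reverse shell to an arbitrary port on the attacker.
        "reverse_shell_4444":  fw.packet("out", "tcp", WEB_SERVER, 40001, ATTACKER, 4444),
        # Reverse WWW shell: the same thing dressed up as outbound HTTP.
        "reverse_www_shell":   fw.packet("out", "tcp", WEB_SERVER, 40002, ATTACKER, 80),
        # A DNS tunnel to a resolver the attacker controls.
        "dns_to_attacker":     fw.packet("out", "udp", WEB_SERVER, 40003, ATTACKER, 53),
    }

if __name__ == "__main__":
    for name, build in (("ingress-only", ingress_only_firewall),
                        ("both directions", both_directions_firewall)):
        fw = build()
        print(name, reverse_shell_scenario(fw), "dropped egress:", fw.dropped_egress)
```

Under the ingress-only policy every outbound attempt is accepted, including the reverse shell, because the server's own outgoing connections were never filtered. Under the default-deny policy the legitimate HTTP reply still passes (it belongs to an accepted connection) and DNS to the named resolver passes, while the reverse shell, the reverse WWW shell and the DNS tunnel to the attacker's host are all dropped and recorded. Note the last two cases: they are blocked only because the egress rules name the destination, not just the port. On a host that legitimately needs outbound Web access, a reverse WWW shell blends in, and that host needs tighter destination rules or proxy-level controls rather than a port filter alone.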
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Firewalls
Ask the Expert: Determining which TCP/IP services are needed